Kube-hunter hunts for security weaknesses in Kubernetes clusters

View the Project on GitHub aquasecurity/kube-hunter

Lookup Vulnerability
All vulnerabilies

KHV046 - Exposed Kubelet Cmdline

Issue description

When the Kubelet is run in debug mode, a Pod running in the cluster is able to access the Kubelet’s debug/pprof/cmdline endpoint and examine how the kubelet was executed on the node, specifically the command line flags that were used, which tells the attacker about what capabilities the kubelet has which might be exploited.


Disable --enable-debugging-handlers kubelet flag.