
Kube-hunter hunts for security weaknesses in Kubernetes clusters


KHV046 - Exposed Kubelet Cmdline

Issue description

When the Kubelet is run in debug mode, a Pod running in the cluster can access the Kubelet's debug/pprof/cmdline endpoint and examine how the kubelet was executed on the node, specifically the command-line flags that were used. Those flags tell an attacker what capabilities the kubelet has, some of which might be exploited.

Remediation

Disable the --enable-debugging-handlers kubelet flag.
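
To confirm the remediation on a node, the following added example (not kube-hunter's or the kubelet's own code) works out whether debugging handlers are effectively enabled from a kubelet command line in the NUL-separated /proc/<pid>/cmdline format and an optional KubeletConfiguration file. It assumes the kubelet's documented behaviour: handlers are enabled by default and a command-line flag overrides the config file. The function names and sample inputs are constructed for illustration.

```python
import re

FLAG = "--enable-debugging-handlers"
# Spellings accepted by Go's strconv.ParseBool, which parses kubelet boolean flags.
TRUE = {"1", "t", "T", "true", "TRUE", "True"}
FALSE = {"0", "f", "F", "false", "FALSE", "False"}

def parse_bool(text):
    if text in TRUE:
        return True
    if text in FALSE:
        return False
    raise ValueError(f"not a boolean: {text!r}")

def flag_setting(cmdline: bytes):
    """Value of the flag on a NUL-separated command line, or None if absent."""
    setting = None
    for arg in cmdline.decode(errors="replace").split("\0"):
        name, has_value, value = arg.partition("=")
        if name == FLAG:
            # A bare boolean flag means true; a repeated flag's last value wins.
            setting = parse_bool(value) if has_value else True
    return setting

def config_setting(config_text: str):
    """Top-level enableDebuggingHandlers in a KubeletConfiguration, or None."""
    m = re.search(r"^enableDebuggingHandlers:\s*([^\s#]+)", config_text, re.MULTILINE)
    return parse_bool(m.group(1)) if m else None

def debugging_handlers_enabled(cmdline: bytes, config_text: str = "") -> bool:
    """Effective setting: flag beats config file, and the default is enabled."""
    for setting in (flag_setting(cmdline), config_setting(config_text)):
        if setting is not None:
            return setting
    return True

# Constructed sample inputs (not taken from a real node).
SAMPLE_CMDLINE = b"/usr/bin/kubelet\0--config=/var/lib/kubelet/config.yaml\0--v=2\0"
SAMPLE_CONFIG = "kind: KubeletConfiguration\nenableDebuggingHandlers: false\n"

if __name__ == "__main__":
    cases = [("defaults", SAMPLE_CMDLINE, ""),
             ("config disables", SAMPLE_CMDLINE, SAMPLE_CONFIG),
             ("flag re-enables", SAMPLE_CMDLINE + FLAG.encode() + b"\0", SAMPLE_CONFIG)]
    for label, cmd, cfg in cases:
        state = "ENABLED" if debugging_handlers_enabled(cmd, cfg) else "disabled"
        print(f"{label}: debugging handlers {state}")
```

The third case shows why checking only the config file is not enough: a flag left in the unit file or static manifest silently re-enables the handlers.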
