Kube-hunter hunts for security weaknesses in Kubernetes clusters

View the Project on GitHub aquasecurity/kube-hunter

Lookup Vulnerability
All vulnerabilies

KHV052 - Exposed Pods

Issue description

An attacker could view sensitive information about pods that are bound to a Node using the exposed /pods endpoint This can be done either by accessing the readonly port (default 10255), or from the secure kubelet port (10250)


Ensure kubelet is protected using --anonymous-auth=false kubelet flag. Allow only legitimate users using --client-ca-file or --authentication-token-webhook kubelet flags. This is usually done by the installer or cloud provider.

Disable the readonly port by using --read-only-port=0 kubelet flag.