Disable Anonymous Authentication to the Kubelet
An XCCDF Rule
Description
By default, anonymous access to the Kubelet server is enabled. This
configuration check ensures that anonymous requests to the Kubelet
server are disabled. Edit the Kubelet server configuration file
/etc/kubernetes/kubelet/kubelet-config.json
on the kubelet node(s)
and set the below parameter:
authentication: ... anonymous: enabled: false ...
Rationale
When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. OpenShift Operators should rely on authentication to authorize access and disallow anonymous requests.
- ID
- xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth
- Severity
- Medium
- Updated