Skip to content

Disable Anonymous Authentication to the Kubelet

An XCCDF Rule

Description

By default, anonymous access to the Kubelet server is enabled. This configuration check ensures that anonymous requests to the Kubelet server are disabled. Edit the Kubelet server configuration file /etc/kubernetes/kubelet/kubelet-config.json on the kubelet node(s) and set the below parameter:

authentication:
  ...
  anonymous:
    enabled: false
  ...

Rationale

When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. OpenShift Operators should rely on authentication to authorize access and disallow anonymous requests.

ID
xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth
Severity
Medium
References
Updated