Kubernetes DynamicKubeletConfig must not be enabled.

An XCCDF Rule

Description

<VulnDiscussion>Kubernetes allows a user to configure kubelets with dynamic configurations. When dynamic configuration is used, the kubelet will watch for changes to the configuration file. When changes are made, the kubelet will automatically restart. Allowing this capability bypasses access restrictions and authorizations. Using this capability, an attacker can lower the security posture of the kubelet, which includes allowing the ability to run arbitrary commands in any container running on that node.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-242399r918164_rule
Severity: Medium
References: CCI-000213
Updated: 8 months ago

This fix is only applicable to Kubernetes version 1.25 and older.

On the Control Plane, change to the manifests' directory at /etc/kubernetes/manifests and run the command:
grep -i feature-gates *

Edit the manifest files so that every manifest has a "--feature-gates" setting with "DynamicKubeletConfig=false".
On each Control Plane and Worker Node, run the command:
ps -ef | grep kubelet

Remove the "feature-gates" option if present.

Note the path to the config file (identified by --config).

Edit the config file: 
Add a "featureGates" setting if one does not yet exist. Add the feature gate "DynamicKubeletConfig=false".

Restart the kubelet service using the following command:
systemctl daemon-reload && systemctl restart kubelet

Kubernetes DynamicKubeletConfig must not be enabled.

Description

Remediation - Manual Procedure