kube-hunter/docs/_kb/KHV052.md
danielsagi bf7023d01c Added docs for exposed pods (#407)
* added doc _kb for exposed pods

* correlated the new khv to the Exposed pods vulnerability

* fixed linting
2020-11-17 15:22:06 +02:00


vid: KHV052
title: Exposed Pods
categories: Information Disclosure

{{ page.vid }} - {{ page.title }}

Issue description

An attacker could view sensitive information about pods that are bound to a Node using the exposed /pods endpoint. This can be done either by accessing the readonly port (default 10255), or from the secure kubelet port (10250).

Remediation

Ensure kubelet is protected using the --anonymous-auth=false kubelet flag. Allow only legitimate users using the --client-ca-file or --authentication-token-webhook kubelet flags. This is usually done by the installer or cloud provider.

Disable the readonly port by using the --read-only-port=0 kubelet flag.
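
An added example, not part of kube-hunter or its documentation: a shell check that audits a kubelet command line for the three settings named in the remediation above. It assumes every setting is passed as a flag (a --config file is not read) and that absent flags take the defaults --anonymous-auth=true and --read-only-port=10255; the function names, sample command lines and paths are constructed.

```sh
#!/bin/sh
# Added example: audit kubelet flags against the KHV052 remediation.
# Assumption: settings come from flags only; a --config file is not read.
# Defaults when a flag is absent: --anonymous-auth=true, --read-only-port=10255.

# flag_value <bool|str> <name> <default> <args...>: print the last value given.
flag_value() {
  kind=$1 name=$2 val=$3
  shift 3
  while [ $# -gt 0 ]; do
    case $1 in
      --"$name"=*) val=${1#*=} ;;
      --"$name")
        # Bool flags only take a value via '='; a bare bool flag means true.
        if [ "$kind" = bool ]; then val=true
        elif [ $# -gt 1 ]; then val=$2; shift
        fi ;;
    esac
    shift
  done
  printf '%s\n' "$val"
}
is_false() { case $1 in false|False|FALSE|f|F|0) return 0 ;; *) return 1 ;; esac; }

# Prints one line per finding and returns the number of findings (0 = clean).
audit_kubelet_args() {
  findings=0
  anon=$(flag_value bool anonymous-auth true "$@")
  port=$(flag_value str read-only-port 10255 "$@")
  ca=$(flag_value str client-ca-file "" "$@")
  hook=$(flag_value bool authentication-token-webhook false "$@")
  if ! is_false "$anon"; then
    echo "FAIL anonymous-auth=$anon: anonymous requests are accepted on port 10250"
    findings=$((findings + 1))
  fi
  if [ "$port" != 0 ]; then
    echo "FAIL read-only-port=$port: readonly port is open and serves /pods"
    findings=$((findings + 1))
  fi
  if [ -z "$ca" ] && is_false "$hook"; then
    echo "FAIL neither --client-ca-file nor --authentication-token-webhook is set"
    findings=$((findings + 1))
  fi
  return "$findings"
}
# Constructed sample command lines (paths are placeholders).
WEAK='--kubeconfig=/etc/kubernetes/kubelet.conf --read-only-port=10255'
HARDENED='--kubeconfig=/etc/kubernetes/kubelet.conf --anonymous-auth=false --client-ca-file=/etc/kubernetes/pki/ca.crt --read-only-port=0'
audit_kubelet_args $WEAK || echo "weak: $? finding(s)"
audit_kubelet_args $HARDENED && echo "hardened: clean"
```

On a node, the arguments can be taken from the running kubelet process or its service unit and passed to audit_kubelet_args in the same way.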

References