Access Kubelet API
Kubelet is the Kubernetes agent installed on each node; it is responsible for running the pods assigned to that node. Kubelet exposes a read-only API service that requires no authentication (TCP port 10255). An attacker with network access to the node (for example, code running in a compromised container) can send requests to this API. Specifically, querying https://[NODE IP]:10255/pods/ lists the pods running on the node, and https://[NODE IP]:10255/spec/ returns information about the node itself, such as CPU and memory consumption.
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| MS-M9009 | Require Strong Authentication to Services | Avoid using the unsecured port 10255 for the Kubelet API. |
| MS-M9014 | Network Segmentation | Restrict pod access to the Kubelet API using a Network Policy that blocks pod traffic to ports 10250 and 10255. |
| MS-M9003 | Adhere to least-privilege principle | When Webhook is used as the authorization mode, Kubelet uses Kubernetes RBAC to authorize requests to its API: Kubelet sends a SubjectAccessReview to the API server to check whether the caller's identity is authorized to perform the requested action. Configure Kubernetes RBAC so that only service accounts that legitimately need to communicate with the Kubelet API hold the relevant permissions. |
| MS-M9027 | Use NodeRestriction Admission Controller | Limit Kubelet permissions to its own pods and node. |
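As an added illustration of mitigations MS-M9009, MS-M9003 and MS-M9014 (example configuration written for this page, not taken from the Microsoft threat matrix or from Kubernetes itself), the block below shows a KubeletConfiguration fragment that disables the read-only port and requires authenticated, Webhook-authorized requests on port 10250, followed by a NetworkPolicy that lets pods in a namespace reach the node subnet on every port except 10250 and 10255. The namespace `app` and the node subnet `10.0.0.0/24` are assumed placeholders; substitute your own values.

```yaml
# --- Kubelet side (MS-M9009, MS-M9003) ---
# Applied through the kubelet's --config file; field names are the
# documented KubeletConfiguration fields.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
readOnlyPort: 0                 # 0 disables the unauthenticated 10255 listener
authentication:
  anonymous:
    enabled: false              # no system:anonymous access on 10250
  webhook:
    enabled: true               # validate bearer tokens via TokenReview
authorization:
  mode: Webhook                 # each request becomes a SubjectAccessReview
---
# --- Network side (MS-M9014) ---
# NetworkPolicy is allow-list only, so "deny ports 10250/10255" is written
# as: allow everything off the node subnet, and allow the node subnet on
# every port range around the two kubelet ports (endPort needs k8s >= 1.25).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-kubelet-ports
  namespace: app                # assumed namespace
spec:
  podSelector: {}               # every pod in the namespace
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.0.0.0/24           # assumed node subnet: handled by the next rule
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24       # assumed node subnet
    ports:
    - protocol: UDP             # UDP to nodes is unaffected (e.g. node-local DNS)
      port: 1
      endPort: 65535
    - protocol: TCP
      port: 1
      endPort: 10249
    - protocol: TCP
      port: 10251
      endPort: 10254
    - protocol: TCP
      port: 10256
      endPort: 65535
```

With Webhook authorization in place, a caller's access to the Kubelet API is decided by RBAC on the `nodes` resource and its subresources (`nodes/proxy`, `nodes/stats`, `nodes/log`, `nodes/spec`, `nodes/metrics`), so reviewing which ClusterRoles grant those verbs is the practical way to apply MS-M9003. Pods that use `hostNetwork: true` are not constrained by the NetworkPolicy above, which is why disabling the read-only port on the kubelet itself, not only the network rule, is the mitigation that removes the exposure.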