Overview
The controls one would apply to Kublets are fairly straight forward. Many of the controls are manually applied though. Newer Kubernetes versions will utilize a configuration file. Until then, one passes the arguments to the binary. One can resource exhaust a stack by holding open idle connections. Rotating the kubelets’ certificates is a great control to minimize exposure and ensure only authorized kubelets are active. While rotating, ensure to use strong cryptography. In Ring 5 or 4, one is STRONGLY encouraged to enable kubelet authentication AND authorization. Interacting anonymously with the kubelet REST API allows one to execute arbitrary pods and exec commands on the host node(s.). Webhook authorization mode is a great start by utilizing AlwaysAllow to allow the more secure Webhook mode to delegate authority to the Kubernetes API service(s.). It is worth mentioning by enabling NodeRestriction, the kubelets may only modify their own Node API object(s), and any Pod API objects that are associated to the node. Currently it is being debated to allow this to be a dynamic or static setting.
CIS Benchmark
4.2 Kubelet
4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)
4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)
4.2.4 Verify that the --read-only-port argument is set to 0 (Manual)
4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)
4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)
4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)
4.2.8 Ensure that the --hostname-override argument is not set (Manual)
4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)
4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)
4.2.11 Ensure that the --rotate-certificates argument is not set to false (Manual)
4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)
4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)