
H3-2021-0003

Unauthenticated Access to Sensitive Kubelet API Endpoints

Category SECURITY_MISCONFIGURATION
Base Score 5.0

Description

The kubelet is configured to allow anonymous (unauthenticated) requests.

Impact

This may expose information and capabilities to an attacker who can reach the kubelet API. Exposed information includes, but is not limited to, the pods running on the node, whether any of them are privileged containers, component versions, and node/cluster health status.

NOTE: Some cloud/hosting providers require anonymous authentication for monitoring cluster health, and disabling it can break the provider's services. Before applying the recommended mitigations, confirm whether anonymous authentication is required and determine whether role-based access controls have been configured to explicitly limit anonymous access to only the required endpoints.
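The posture described above depends on more than one switch: whether anonymous requests are accepted and which authorization mode decides what they may do. The following checker is an added example for this advisory, not tooling from the page or from the scanner that produced the finding. It derives the effective kubelet setting from a node's kubelet command line plus its KubeletConfiguration file, and it assumes the documented kubelet behaviour that command-line flags take precedence over the config file, that the flag defaults are `--anonymous-auth=true` and `--authorization-mode=AlwaysAllow`, and that the config-file defaults are `authentication.anonymous.enabled: false` and `authorization.mode: Webhook`. The config files, paths and command lines below are constructed sample input, and the files are parsed as JSON (the kubelet accepts JSON or YAML) to avoid a third-party dependency.

```python
"""Derive a kubelet's effective anonymous-auth posture from its command line and config file.

Added example for this advisory (not from the page or the scanner). Assumptions, stated in the
lead-in: flags override the config file; flag defaults are --anonymous-auth=true and
--authorization-mode=AlwaysAllow; KubeletConfiguration defaults are anonymous.enabled=false and
authorization.mode=Webhook. Config files are read as JSON to stay dependency-free.
"""
import json
import shlex

FLAG_DEFAULTS = {"anonymous": True, "authz": "AlwaysAllow"}    # kubelet started without --config
CONFIG_DEFAULTS = {"anonymous": False, "authz": "Webhook"}     # kubelet started with --config

# With authorization.mode=Webhook the kubelet maps the request path to a node subresource
# and asks the API server (SubjectAccessReview); paths not listed fall under nodes/proxy.
SUBRESOURCE_PREFIXES = (("/stats", "nodes/stats"), ("/metrics", "nodes/metrics"),
                        ("/logs", "nodes/log"), ("/spec", "nodes/spec"))


def parse_flags(cmdline):
    """Return {flag: value} for '--k=v' and '--k v'; a bare boolean flag such as '--anonymous-auth' means true."""
    flags, tokens, i = {}, shlex.split(cmdline), 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            if "=" in tok:
                key, val = tok[2:].split("=", 1)
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                key, val = tok[2:], tokens[i + 1]
                i += 1
            else:
                key, val = tok[2:], "true"
            flags[key] = val
        i += 1
    return flags


def effective_posture(cmdline, config_files):
    """config_files maps path -> file contents, standing in for reading the node's disk."""
    flags = parse_flags(cmdline)
    if "config" in flags:
        posture = dict(CONFIG_DEFAULTS)
        cfg = json.loads(config_files[flags["config"]])
        anon = cfg.get("authentication", {}).get("anonymous", {})
        if "enabled" in anon:
            posture["anonymous"] = bool(anon["enabled"])
        if "mode" in cfg.get("authorization", {}):
            posture["authz"] = cfg["authorization"]["mode"]
    else:
        posture = dict(FLAG_DEFAULTS)
    # Command-line flags override whatever the file (or its defaults) said.
    if "anonymous-auth" in flags:
        posture["anonymous"] = flags["anonymous-auth"].lower() == "true"
    if "authorization-mode" in flags:
        posture["authz"] = flags["authorization-mode"]
    return posture


def classify(posture):
    """Reduce the posture to the three cases that matter for this finding."""
    if not posture["anonymous"]:
        return "anonymous-disabled"
    if posture["authz"] == "AlwaysAllow":
        return "anonymous-full-access"          # anonymous callers can hit every endpoint
    return "anonymous-limited-by-rbac"          # anonymous callers get what system:unauthenticated is granted


def kubelet_subresource(path):
    """Node subresource the kubelet authorizes a request path against (Webhook mode)."""
    for prefix, sub in SUBRESOURCE_PREFIXES:
        if path == prefix or path.startswith(prefix + "/"):
            return sub
    return "nodes/proxy"


# Constructed sample files: the finding's misconfiguration beside a hardened variant.
ANON_CONFIG = json.dumps({
    "kind": "KubeletConfiguration", "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "authentication": {"anonymous": {"enabled": True}, "webhook": {"enabled": True}},
    "authorization": {"mode": "Webhook"},
})
HARDENED_CONFIG = json.dumps({
    "kind": "KubeletConfiguration", "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "authentication": {"anonymous": {"enabled": False}, "webhook": {"enabled": True}},
    "authorization": {"mode": "Webhook"},
})
FILES = {"/var/lib/kubelet/config.yaml": ANON_CONFIG,
         "/etc/kubernetes/kubelet-hardened.json": HARDENED_CONFIG}


def audit(cmdline, files=FILES):
    return classify(effective_posture(cmdline, files))


if __name__ == "__main__":
    for cmd in ("kubelet",
                "kubelet --config /var/lib/kubelet/config.yaml",
                "kubelet --config /var/lib/kubelet/config.yaml --anonymous-auth=false",
                "kubelet --config /etc/kubernetes/kubelet-hardened.json"):
        print(f"{cmd!r:75} -> {audit(cmd)}")
```

To confirm the result on a live node, an unauthenticated request to the kubelet's secure port (10250 by default), for example `curl -sk https://<node>:10250/pods`, returns 401 when anonymous authentication is disabled, 403 when it is enabled but Webhook authorization denies `system:anonymous`, and 200 with the pod list when the finding applies. When weighing the page's note about providers that need anonymous health checks, observe that `/healthz` and `/pods` both resolve to `nodes/proxy` in the mapping above, so an RBAC binding that lets `system:unauthenticated` `get` the health endpoint also lets it enumerate pods; limit the verbs and, where possible, move health monitoring to an authenticated identity instead.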

References