Profile applicability: Level 1 - Worker Node
Disabling anonymous authentication to the Kubelet server enhances the security of Kubernetes worker nodes by ensuring that all requests require authentication, thus mitigating unauthorized access risks.

Impact

Anonymous requests will be rejected.

Audit

Audit method 1:
Important
Kubelets can be configured using either a configuration file or command line arguments. Command line arguments take precedence over the same parameters set in the configuration file. When auditing Kubelet configurations, ensure you check both command line arguments and configuration file entries.
  1. SSH into each node and run the following command to view details of the active Kubelet process, including command line arguments:
    ps -ef | grep kubelet
  2. Identify the location of the configuration file from the output, specified by the --config argument. View the file using:
    sudo less /path/to/kubelet-config.json
  3. Verify that anonymous authentication is disabled:
    • Check for the command line argument:
      --anonymous-auth=false
    • In the Kubelet configuration file, ensure the following setting is present:
      {
        "authentication": {
          "anonymous": {
            "enabled": false
          }
        }
      }

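The precedence rule above (a command line argument overrides the configuration file) is easy to get wrong when auditing by eye. The following added example, which is not part of the benchmark text, applies it to a constructed `ps -ef` line and a constructed kubelet configuration file; it assumes a JSON configuration file, as in the audit steps, and treats a setting that is absent from both places as a failed check because the audit requires the setting to be present.

```python
import json
import shlex

# Constructed sample `ps -ef | grep kubelet` output line (not from a real node).
SAMPLE_PS_LINE = ("root 1234 1 2 10:00 ? 00:01:23 /usr/bin/kubelet "
                  "--config=/var/lib/kubelet/config.json --anonymous-auth=false")
# Constructed sample kubelet configuration file contents.
SAMPLE_CONFIG = '{"authentication": {"anonymous": {"enabled": true}}}'


def kubelet_args(ps_line):
    """Return the kubelet's command line arguments from a `ps -ef` line."""
    words = shlex.split(ps_line)
    for i, word in enumerate(words):
        if word.endswith("kubelet"):
            return words[i + 1:]
    return []


def flag_value(args, name):
    """Return the value of flag `name`, accepting `--flag=value`, `--flag value`
    and a bare boolean `--flag` (meaning true). None when the flag is absent;
    the last occurrence on the command line is the one returned."""
    value = None
    for i, arg in enumerate(args):
        if arg.startswith(name + "="):
            value = arg.split("=", 1)[1]
        elif arg == name:
            nxt = args[i + 1] if i + 1 < len(args) else None
            value = nxt if nxt and not nxt.startswith("--") else "true"
    return value


def anonymous_auth_disabled(ps_line, config_text):
    """Apply the audit's precedence rule: a command line argument overrides the
    configuration file. Returns (disabled, source), where source names the
    setting that decided the result; unset on both sides is reported as not
    disabled, since the audit requires the setting to be present."""
    flag = flag_value(kubelet_args(ps_line), "--anonymous-auth")
    if flag is not None:
        return flag.lower() == "false", "command line"
    if config_text:
        anon = json.loads(config_text).get("authentication", {}).get("anonymous", {})
        if "enabled" in anon:
            return anon["enabled"] is False, "configuration file"
    return False, "not set"


if __name__ == "__main__":
    disabled, source = anonymous_auth_disabled(SAMPLE_PS_LINE, SAMPLE_CONFIG)
    print(f"anonymous auth disabled: {disabled} (decided by {source})")
```

With the constructed sample, the configuration file enables anonymous authentication but the command line argument disables it, so the check passes and reports the command line as the deciding source.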
Audit method 2:
Review the running configuration of a Kubelet via the "/configz" endpoint of the Kubernetes API using kubectl:
  1. Discover all nodes in your cluster:
    kubectl get nodes
  2. Initiate a proxy with kubectl on a local port (e.g., 8080):
    kubectl proxy --port=8080
  3. In a separate terminal, run the following command for each node:
    export NODE_NAME=my-node-name
    curl http://localhost:8080/api/v1/nodes/${NODE_NAME}/proxy/configz
  4. Verify that anonymous authentication is disabled by checking for the following in the API response:
    {
      "authentication": {
        "anonymous": {
          "enabled": false
        }
      }
    }


Remediation

Method 1:
  1. SSH into each node.
  2. If using a Kubelet configuration file, locate the file:
    ps -ef | grep kubelet
  3. View the configuration file using:
    sudo less /path/to/kubelet-config.json
  4. Disable anonymous authentication by setting the following parameter in the configuration file:
    {
      "authentication": {
        "anonymous": {
          "enabled": false
        }
      }
    }

  5. Restart the kubelet service and check its status (example for systems using systemd):
    systemctl daemon-reload
    systemctl restart kubelet.service
    systemctl status kubelet -l
Method 2:
  1. If using command line arguments, edit the kubelet service file to include:
    --anonymous-auth=false
  2. For systems using systemd, edit the file located at /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf.
  3. Restart the kubelet service and check its status (example for systems using systemd):
    systemctl daemon-reload
    systemctl restart kubelet.service
    systemctl status kubelet -l