k3s version v1.32.3+k3s1 default configuration kubelet exposes cluster container env risk #2

Open
f1veT opened this issue Apr 24, 2025 · 0 comments

f1veT commented Apr 24, 2025

Dear developer, hello. I have found the following issues with the default configuration while using the latest version of k3s online installation:

  1. The k3s server defaults to enabling anonymous access to the kubelet 10255 port, which was not the case in previous versions.

  2. The k3s agent will also default to enabling anonymous access to this service after joining the cluster.

This service will expose sensitive information in the pod online, such as passwords in env, tokens, and ak/sk.

This issue did not occur in previous version installations, and the official documentation (English, Chinese) did not indicate that the latest version requires manual setting of the kubelet service.

Solution:

  1. Specify the server & agent to add the parameter "--kubelet-arg '--read-only-port=0'" when starting.

  2. Do not enable this port service by default.

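A defender-side audit for the issue described above, added here as an example; it is not the reporter's code and not part of k3s. It assumes a k3s config.yaml in which the `kubelet-arg:` key holds a list of kubelet flags (the same `read-only-port=0` value the reporter proposes, with or without the leading dashes) and that the unauthenticated kubelet listener sits on the page's port 10255. The sample configs at the bottom are constructed for the demonstration.

```python
import re
import socket

# Port of the kubelet read-only (unauthenticated) listener named in the issue.
KUBELET_READ_ONLY_PORT = 10255


def kubelet_args_from_config(config_text):
    """Extract the values of the `kubelet-arg:` list from a k3s config.yaml.

    Minimal parser (assumption: no PyYAML available) that reads the `- value`
    lines following a `kubelet-arg:` key, or an inline `[a, b]` flow list.
    """
    args = []
    lines = config_text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"^\s*kubelet-arg:\s*(.*)$", lines[i])
        if m:
            rest = m.group(1).strip()
            if rest.startswith("["):
                inner = rest.strip("[]")
                args.extend(v.strip().strip("'\"") for v in inner.split(",") if v.strip())
            else:
                i += 1
                while i < len(lines) and re.match(r"^\s*-\s+", lines[i]):
                    args.append(re.sub(r"^\s*-\s+", "", lines[i]).strip().strip("'\""))
                    i += 1
                continue
        i += 1
    return args


def effective_read_only_port(kubelet_args):
    """Return the read-only port the kubelet will use for these args.

    Accepts both `read-only-port=0` and `--read-only-port=0`; the last
    occurrence wins, mirroring ordinary flag parsing. With no such flag the
    default port stays in force, which is the risky state from the issue.
    """
    port = KUBELET_READ_ONLY_PORT
    for arg in kubelet_args:
        m = re.match(r"^-{0,2}read-only-port=(\d+)$", arg.strip())
        if m:
            port = int(m.group(1))
    return port


def audit_config(config_text):
    """Return (ok, message) for a k3s config.yaml body."""
    port = effective_read_only_port(kubelet_args_from_config(config_text))
    if port == 0:
        return True, "kubelet read-only port disabled (read-only-port=0)"
    return False, f"kubelet read-only port still enabled on {port}; add kubelet-arg read-only-port=0"


def read_only_port_listening(host="127.0.0.1", port=KUBELET_READ_ONLY_PORT, timeout=2.0):
    """Post-fix check on your own node: True if something still accepts TCP on the port.

    After the fix from the issue is applied and k3s restarted, this should be False.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample configs (not from the issue): the default with no
# kubelet-arg, and the hardened form the reporter proposes.
DEFAULT_CONFIG = 'write-kubeconfig-mode: "0644"\n'
HARDENED_CONFIG = (
    'write-kubeconfig-mode: "0644"\n'
    "kubelet-arg:\n"
    '  - "read-only-port=0"\n'
)

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        ok, msg = audit_config(cfg)
        print(f"{name}: {'OK' if ok else 'RISK'} - {msg}")
```

Run `audit_config` over the node's config.yaml before rollout, then call `read_only_port_listening()` on the node after restarting k3s to confirm the listener is gone; both the server and every agent need the setting, as the report notes.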