3.2.4 Ensure that the --read-only-port argument is set to 0


Disable the read-only port.


The Kubelet process provides a read-only API in addition to the main Kubelet API. Unauthenticated access is provided to this read-only API which could possibly retrieve potentially sensitive information about the cluster.


Removal of the read-only port will require that any service which made use of it will need to be re-configured to use the main Kubelet API.


If using a Kubelet config file, edit the file to set readOnlyPort to 0.
If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.


Based on your system, restart the kubelet service. For example:

systemctl daemon-reload
systemctl restart kubelet.service

Default Value:

See the GKE documentation for the default value.

See Also
