CKS Question #4: Real Exam Question with Answer & Explanation
This question tests your ability to harden the Kubelet by disabling anonymous authentication, preventing unauthenticated requests from reaching the Kubelet API. Allowing anonymous access to the Kubelet is a critical security misconfiguration.
Question
Fix all of the following violations that were found against the Kubelet:
- Ensure the --anonymous-auth argument is set to false.
Explanation
Approach. To fix this violation, edit the Kubelet configuration file (typically /var/lib/kubelet/config.yaml) and set 'enabled: false' under the 'anonymous:' entry of the 'authentication:' block, then restart the Kubelet with 'systemctl restart kubelet'. Alternatively, if the Kubelet is started with command-line flags (e.g., in /etc/systemd/system/kubelet.service.d/10-kubeadm.conf), add or update the flag '--anonymous-auth=false' and run 'systemctl daemon-reload && systemctl restart kubelet'. Because command-line flags take precedence over the configuration file, check both places: a '--anonymous-auth=true' flag in the service drop-in re-enables anonymous access even when the config file disables it. After the change, unauthenticated requests to the Kubelet API (default port 10250) receive a 401 Unauthorized response instead of being processed. Verify the fix with 'ps aux | grep kubelet' (which shows the flags and the --config path actually in use) or by inspecting the running configuration with 'kubectl get --raw /api/v1/nodes/<node>/proxy/configz' and confirming that authentication.anonymous.enabled is false.
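The audit-and-fix procedure above, as an added POSIX shell example that is not part of the exam material or of any Kubernetes project tooling. It works on a constructed sample config.yaml and systemd drop-in written under a temporary directory (SAMPLE_DIR), so it runs offline; the helper names, the temporary paths and the drop-in contents are assumptions. The awk parsing relies on the two-space indentation kubeadm writes and is not a general YAML parser.

```shell
#!/bin/sh
# Added example: audit and remediate Kubelet anonymous authentication
# (CIS Kubernetes Benchmark 4.2.1) on a constructed sample, not a live node.

SAMPLE_DIR="$(mktemp -d)"

# Constructed sample config.yaml in the shape kubeadm generates (anonymous enabled = violation).
cat > "$SAMPLE_DIR/config.yaml" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: true
  webhook:
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: Webhook
EOF

# Constructed sample systemd drop-in; a flag here overrides the config file.
cat > "$SAMPLE_DIR/10-kubeadm.conf" <<'EOF'
[Service]
Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
Environment="KUBELET_EXTRA_ARGS=--anonymous-auth=true"
EOF

# Print the value of authentication.anonymous.enabled ("true", "false") or "unset".
anonymous_auth_state() {
  awk '
    /^authentication:/                    { in_auth=1; next }
    in_auth && /^[^ ]/                    { in_auth=0 }
    in_auth && /^  anonymous:/            { in_anon=1; next }
    in_auth && in_anon && /^  [^ ]/       { in_anon=0 }
    in_auth && in_anon && /^    enabled:/ { v=$2; gsub(/"/, "", v); print v; found=1; exit }
    END { if (!found) print "unset" }
  ' "$1"
}

# Rewrite authentication.anonymous.enabled to false in place; succeed only if
# the file now disables anonymous auth (a missing block is left for manual review).
disable_anonymous_auth() {
  f="$1"; tmp="$f.tmp.$$"
  awk '
    /^authentication:/                    { in_auth=1; print; next }
    in_auth && /^[^ ]/                    { in_auth=0 }
    in_auth && /^  anonymous:/            { in_anon=1; print; next }
    in_auth && in_anon && /^  [^ ]/       { in_anon=0 }
    in_auth && in_anon && /^    enabled:/ { print "    enabled: false"; next }
    { print }
  ' "$f" > "$tmp" && mv "$tmp" "$f"
  [ "$(anonymous_auth_state "$f")" = "false" ]
}

# Return 0 if a service drop-in re-enables anonymous auth via the flag.
anonymous_auth_flag_override() {
  grep -Eq -- '--anonymous-auth=true' "$1"
}

# Live check for a real node (not run here): with the fix active an
# unauthenticated request to the Kubelet API should yield HTTP 401.
kubelet_anonymous_http_code() {
  curl -sk -o /dev/null -w '%{http_code}' "https://${1:-127.0.0.1}:10250/pods"
}

BEFORE="$(anonymous_auth_state "$SAMPLE_DIR/config.yaml")"
disable_anonymous_auth "$SAMPLE_DIR/config.yaml"
AFTER="$(anonymous_auth_state "$SAMPLE_DIR/config.yaml")"
if anonymous_auth_flag_override "$SAMPLE_DIR/10-kubeadm.conf"; then
  FLAG_OVERRIDE=yes
else
  FLAG_OVERRIDE=no
fi
echo "config.yaml anonymous.enabled: before=$BEFORE after=$AFTER; flag override in drop-in: $FLAG_OVERRIDE"
```

On a real node the same functions would be pointed at /var/lib/kubelet/config.yaml and the kubelet.service.d drop-in, followed by 'systemctl daemon-reload && systemctl restart kubelet' and the live check; the drop-in test is there because a config-file fix alone is silently undone by a '--anonymous-auth=true' flag.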
Concept tested. Kubelet security hardening: specifically, disabling anonymous authentication (--anonymous-auth=false) so that the Kubelet API requires valid credentials for every request, in alignment with CIS Kubernetes Benchmark control 4.2.1.
Reference. CIS Kubernetes Benchmark v1.8 – Section 4.2.1 | Kubernetes Docs: Kubelet Authentication/Authorization (https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/)