CNCF K3s Kubelet Read-Only Port Misconfiguration Vulnerability

Vulnerability

A vulnerability exists in CNCF K3s versions 1.32 prior to 1.32.4-rc1+k3s1, where a change to the Kubernetes kubelet configuration inadvertently leaves the kubelet ReadOnlyPort set to 10255. Because this is the default behavior of K3s online installations, the port can be reached without authentication, exposing sensitive information such as passwords and tokens.

Impact

Exposed kubelet ReadOnlyPort can lead to unauthorized access to sensitive information, including environment variables and credentials, according to the vulnerability reporter.

Reproduction

The vulnerability can be reproduced by installing K3s version 1.32.3+k3s1 with the default configuration. After the installation, the kubelet ReadOnlyPort will be set to 10255, allowing unauthenticated access to sensitive information.

Remediation

Users can set the kubelet read-only port to 0 manually by adding the `--kubelet-arg='read-only-port=0'` parameter when starting K3s. This vulnerability has been addressed in K3s version 1.32.4-rc1+k3s1.
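An added audit helper, not part of this advisory or of the K3s project, that checks a node's listener table for TCP 10255 and verifies that a K3s config file carries the `read-only-port=0` kubelet argument. The `ss -ltn` output and the config contents below are constructed samples; the assumption that K3s accepts `--kubelet-arg` as a `kubelet-arg:` list in its config.yaml, and the config file path, should be checked against your installation.

```shell
#!/bin/sh
# Audit helper for the K3s kubelet ReadOnlyPort issue: (1) is anything
# listening on TCP 10255 on this node, and (2) does the K3s config disable
# the port via kubelet-arg. All sample inputs are constructed.

# Return 0 (true) if the given `ss -ltn` output shows a listener on port 10255.
kubelet_ro_port_listening() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)   # strip addr, keep port (v4/v6)
            if (port == "10255") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Return 0 (true) if the config text sets read-only-port=0 under kubelet-arg
# (either as an inline value or as a list item beneath the key).
k3s_config_disables_ro_port() {
    printf '%s\n' "$1" | awk '
        /^kubelet-arg:/ { in_arg = 1; if (/read-only-port=0/) ok = 1; next }
        in_arg && /^[^ \t-]/ { in_arg = 0 }      # next top-level key ends list
        in_arg && /read-only-port=0/ { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Constructed sample: a node still exposing the read-only port.
SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   127.0.0.1:10248   0.0.0.0:*
LISTEN 0      4096   *:10255           *:*
LISTEN 0      4096   *:10250           *:*'
# Constructed sample: the same node after remediation.
SS_FIXED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   127.0.0.1:10248   0.0.0.0:*
LISTEN 0      4096   *:10250           *:*'
# Constructed K3s config.yaml content (assumed path: the K3s config file)
# with the remediation applied, and a default config without it.
CONFIG_FIXED='write-kubeconfig-mode: "0644"
kubelet-arg:
  - "read-only-port=0"
node-label:
  - "env=lab"'
CONFIG_DEFAULT='write-kubeconfig-mode: "0644"'

# Stand-alone run over the samples; on a real node feed `ss -ltn` output.
for sample in "$SS_EXPOSED" "$SS_FIXED"; do
    if kubelet_ro_port_listening "$sample"; then
        echo "port 10255 is LISTENING: add kubelet-arg read-only-port=0"
    else
        echo "port 10255 not exposed"
    fi
done
```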

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 2.5
exploitability: 8.4
remediation: 8.3
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.