
Kubernetes Cluster Security - Kube-Hunter

The document outlines a resolution strategy for addressing Kubernetes version disclosure vulnerabilities, emphasizing the need to modify API server flags and implement a reverse proxy to filter out version information. Key configuration changes include disabling anonymous authentication and profiling, as well as using NGINX to hide sensitive headers. It provides a detailed example of NGINX configuration to enhance security against potential attacks leveraging version information.

Vulnerabilities:

For further information about a vulnerability, search its ID in:


https://avd.aquasec.com/
Resolution Strategy:

1. Remediation
a. Disable --enable-debugging-handlers kubelet flag.

When kube-hunter reports a Kubernetes version disclosure vulnerability, the cluster is exposing its
Kubernetes version, which attackers can use to look up vulnerabilities specific to that
version.

Here's a detailed guide on how to address and resolve this issue:

Resolving it requires several configuration changes. The key steps are:

- Modify API Server Flags:


Edit the Kubernetes API server configuration to limit the exposure of version
information.

- --anonymous-auth=false
- --profiling=false
- --request-timeout=1m

These flags reduce the risk by disabling unauthenticated access and the profiling endpoints, which
might expose version information.

- Use a Reverse Proxy:


Deploy a reverse proxy like NGINX or HAProxy in front of the API server to filter
out version information from responses.

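# Reverse proxy in front of the Kubernetes API server that strips
# version-revealing response headers.
#
# Caveats for the version-disclosure finding:
#  - The API server reports its version in the JSON body of GET /version,
#    not only in headers, so proxy_hide_header alone is unlikely to clear
#    the kube-hunter finding; pair this with --anonymous-auth=false on the
#    API server so unauthenticated callers cannot read /version.
#  - Terminating TLS here means client certificates used by kubectl are
#    not forwarded to the API server; clients must use token-based auth,
#    or the proxy must pass TLS through untouched.
server {
    listen 443 ssl;
    server_name k8s-api.example.com;

    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    location / {
        # In-cluster API server service (plain https:// URL; the original
        # listing's link-rewriting prefix has been removed).
        proxy_pass https://kubernetes.default.svc.cluster.local;

        # Verify the upstream certificate so the proxy cannot be steered to
        # an impostor API server. The CA path below is a PLACEHOLDER: point
        # it at the cluster CA bundle that signed the API server certificate.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /path/to/CLUSTER_CA_PLACEHOLDER.crt;
        proxy_ssl_server_name on;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Drop headers that identify the software behind the proxy.
        proxy_hide_header Kubernetes-Version;
        proxy_hide_header Server;
        add_header X-Content-Type-Options nosniff;
    }
}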

Example NGINX configuration to remove version headers:


[ec2-user@dfs-mobiquity-cd-agent-aws-01 ~]$ curl -X GET
http://127.0.0.1:8001/api/v1/nodes/ansible_host/proxy/configz | jq .
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 241 100 241 0 0 21909 0 --:--:-- --:--:-- --:--:-- 24100
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "nodes \"ansible_host\" not found",
"reason": "NotFound",
"details": {
"name": "ansible_host",
"kind": "nodes"
},
"code": 404
}
[ec2-user@dfs-mobiquity-cd-agent-aws-01 ~]$ curl -X GET
http://127.0.0.1:8001/api/v1/nodes/master1/proxy/configz | jq .
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2596 0 2596 0 0 316k 0 --:--:-- --:--:-- --:--:-- 316k
{
"kubeletconfig": {
"enableServer": true,
"staticPodPath": "/etc/kubernetes/manifests",
"syncFrequency": "1m0s",
"fileCheckFrequency": "20s",
"httpCheckFrequency": "20s",
"address": "0.0.0.0",
"port": 10250,
"tlsCertFile": "/var/lib/kubelet/pki/kubelet.crt",
"tlsPrivateKeyFile": "/var/lib/kubelet/pki/kubelet.key",
"rotateCertificates": true,
"authentication": {
"x509": {
"clientCAFile": "/etc/kubernetes/ssl/ca.crt"
},
"webhook": {
"enabled": true,
"cacheTTL": "2m0s"
},
"anonymous": {
"enabled": false
}
},
"authorization": {
"mode": "Webhook",
"webhook": {
"cacheAuthorizedTTL": "5m0s",
"cacheUnauthorizedTTL": "30s"
}
},
"registryPullQPS": 5,
"registryBurst": 10,
"eventRecordQPS": 5,
"eventBurst": 10,
"enableDebuggingHandlers": true,
"healthzPort": 10248,
"healthzBindAddress": "127.0.0.1",
"oomScoreAdj": -999,
"clusterDomain": "cluster.local",
"clusterDNS": [
"169.254.25.10"
],
"streamingConnectionIdleTimeout": "4h0m0s",
"nodeStatusUpdateFrequency": "10s",
"nodeStatusReportFrequency": "10s",
"nodeLeaseDurationSeconds": 40,
"imageMinimumGCAge": "2m0s",
"imageGCHighThresholdPercent": 85,
"imageGCLowThresholdPercent": 80,
"volumeStatsAggPeriod": "1m0s",
"kubeletCgroups": "/system.slice/kubelet.service",
"cgroupsPerQOS": true,
"cgroupDriver": "systemd",
"cpuManagerPolicy": "none",
"cpuManagerReconcilePeriod": "10s",
"memoryManagerPolicy": "None",
"topologyManagerPolicy": "none",
"topologyManagerScope": "container",
"runtimeRequestTimeout": "2m0s",
"hairpinMode": "promiscuous-bridge",
"maxPods": 110,
"podPidsLimit": -1,
"resolvConf": "/etc/resolv.conf",
"cpuCFSQuota": true,
"cpuCFSQuotaPeriod": "100ms",
"nodeStatusMaxImages": 50,
"maxOpenFiles": 1000000,
"contentType": "application/vnd.kubernetes.protobuf",
"kubeAPIQPS": 5,
"kubeAPIBurst": 10,
"serializeImagePulls": true,
"evictionHard": {
"imagefs.available": "15%",
"memory.available": "100Mi",
"nodefs.available": "10%",
"nodefs.inodesFree": "5%"
},
"evictionPressureTransitionPeriod": "5m0s",
"enableControllerAttachDetach": true,
"protectKernelDefaults": true,
"makeIPTablesUtilChains": true,
"iptablesMasqueradeBit": 14,
"iptablesDropBit": 15,
"failSwapOn": true,
"memorySwap": {},
"containerLogMaxSize": "10Mi",
"containerLogMaxFiles": 5,
"configMapAndSecretChangeDetectionStrategy": "Watch",
"enforceNodeAllocatable": [
"pods"
],
"volumePluginDir": "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/",
"logging": {
"format": "text",
"flushFrequency": 5000000000,
"verbosity": 2,
"options": {
"json": {
"infoBufferSize": "0"
}
}
},
"enableSystemLogHandler": true,
"shutdownGracePeriod": "1m0s",
"shutdownGracePeriodCriticalPods": "20s",
"enableProfilingHandler": true,
"enableDebugFlagsHandler": true,
"seccompDefault": false,
"memoryThrottlingFactor": 0.8,
"registerNode": true,
"localStorageCapacityIsolation": true
}
}
[ec2-user@dfs-mobiquity-cd-agent-aws-01 ~]$
