
k3s version v1.32.3+k3s1 default configuration kubelet exposes cluster container env risk #2

Open
@f1veT

Description

Dear developer, hello. I have found the following issues with the default configuration while using the online installation of the latest k3s version:

  1. The k3s server enables anonymous access to kubelet port 10255 by default, which was not the case in previous versions.

  2. The k3s agent also enables anonymous access to this service by default after joining the cluster.

This service exposes sensitive information from the pods on the network, such as passwords in env, tokens, and AK/SK.

This issue did not occur with installations of previous versions, and the official documentation (English, Chinese) does not indicate that the latest version requires manually configuring the kubelet service.

Solution:

  1. Start the server and agent with the additional parameter "--kubelet-arg '--read-only-port=0'".

  2. Do not enable this port service by default.

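The following is an added example, not code from the issue reporter or from the k3s project. It shows what an unauthenticated request to the kubelet read-only port returns and how to triage that listing for the kind of exposure the report describes: it fetches http://<node>:10255/pods with no credentials (or works from a captured copy) and reports env entries whose names look like credentials. The host name, the sample PodList and the credential-name heuristic (SENSITIVE_NAME) are constructed for illustration.

```python
"""Triage what an unauthenticated kubelet read-only port (default 10255) reveals.

The read-only port serves /pods without authentication, so every container's
env block, plaintext credentials included, is returned to anyone who can reach
the node. This script fetches that listing (or works from a captured copy) and
reports env entries whose names suggest credentials.
"""
import json
import re
import sys
import urllib.request
from urllib.error import URLError

# Heuristic for credential-like env var names (assumption: extend for your own
# naming). (^|_)(AK|SK)(_|$) catches OSS_AK / OSS_SK style access-key pairs.
SENSITIVE_NAME = re.compile(
    r"PASS|TOKEN|SECRET|ACCESS_KEY|PRIVATE_KEY|API_KEY|(^|_)(AK|SK)(_|$)", re.I
)


def fetch_pods(host, port=10255, timeout=3.0):
    """GET http://host:port/pods with no credentials.

    Returns the parsed PodList, or None when the port is closed or refuses.
    Any non-None answer is itself the finding: the read-only port should not
    answer unauthenticated requests at all.
    """
    url = f"http://{host}:{port}/pods"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return json.load(resp)
    except (URLError, OSError, ValueError):
        return None


def find_exposed_env(podlist):
    """Walk a PodList (as /pods returns it) and collect credential-like env vars.

    Init containers are included: migration and bootstrap containers often carry
    DB passwords that the main container does not. Plain `value` entries are
    leaked verbatim; `valueFrom.secretKeyRef` entries leak only the Secret name
    and key, which is still useful reconnaissance for an attacker.
    """
    findings = []
    for pod in podlist.get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        for ctr in spec.get("initContainers", []) + spec.get("containers", []):
            for var in ctr.get("env") or []:
                name = var.get("name", "")
                if not SENSITIVE_NAME.search(name):
                    continue
                finding = {
                    "namespace": meta.get("namespace"),
                    "pod": meta.get("name"),
                    "container": ctr.get("name"),
                    "env": name,
                }
                if "value" in var:
                    finding["kind"] = "plaintext"
                    finding["value"] = var["value"]
                else:
                    ref = (var.get("valueFrom") or {}).get("secretKeyRef")
                    finding["kind"] = "secret_ref" if ref else "other_ref"
                    finding["value"] = (
                        f"{ref.get('name')}/{ref.get('key')}" if ref else None
                    )
                findings.append(finding)
    return findings


def plaintext_secrets(findings):
    """Only the entries whose actual value came back in the clear."""
    return [f for f in findings if f["kind"] == "plaintext"]


# Constructed sample in the shape of a kubelet /pods response (not real data).
SAMPLE_PODS = {
    "kind": "PodList",
    "apiVersion": "v1",
    "items": [
        {
            "metadata": {"name": "web-7d9f", "namespace": "shop"},
            "spec": {
                "initContainers": [
                    {"name": "migrate",
                     "env": [{"name": "DB_PASSWORD", "value": "hunter2"}]}
                ],
                "containers": [
                    {"name": "app",
                     "env": [
                         {"name": "LOG_LEVEL", "value": "info"},
                         {"name": "OSS_AK", "value": "LTAI5tExample"},
                         {"name": "OSS_SK", "value": "9xExampleSecret"},
                         {"name": "API_TOKEN",
                          "valueFrom": {"secretKeyRef": {"name": "api-creds",
                                                         "key": "token"}}},
                     ]}
                ],
            },
        },
        {   # a pod with no env at all must not produce findings
            "metadata": {"name": "cache-0", "namespace": "shop"},
            "spec": {"containers": [{"name": "redis"}]},
        },
    ],
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        pods = fetch_pods(sys.argv[1])
        if pods is None:
            print("read-only port did not answer; nothing exposed this way")
            sys.exit(0)
    else:
        pods = SAMPLE_PODS
    for f in find_exposed_env(pods):
        print(f"{f['namespace']}/{f['pod']} [{f['container']}] "
              f"{f['env']}: {f['kind']} {f['value']}")
```

Run it with a node address to query a live kubelet, or with no argument to see the triage on the constructed sample. Two caveats for whoever applies the fix from the report: setting the kubelet's read-only port to 0 removes only this unauthenticated path, since the same /pods data remains available on the authenticated port 10250 to callers that pass kubelet authentication and authorization, and any metrics scraper that was reading 10255 has to be moved to the authenticated port. Credentials injected through secretKeyRef rather than a literal value are not returned in the clear by this endpoint, which is a reason to prefer that pattern independently of the port setting.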
