Ensure that the --insecure-port argument is set to 0

HIGH

Description

Description:

Do not bind to insecure port.

Rationale:

Setting up the apiserver to serve on an insecure port would allow unauthenticated and unencrypted access to your master node. This would allow attackers who could access this port, to easily take control of the cluster.

All components that use the API must connect via the secured port, authenticate themselves, and be authorized to use the API.

This includes:

kube-controller-manager
kube-proxy
kube-scheduler
kubelets.

Remediation

Edit the API server pod specification file '/etc/kubernetes/manifests/kube-apiserver.yaml' on the master node and set the below parameter.

--insecure-port=0
.

Policy Details

Rule Reference ID: AC_K8S_0028

CSP: Kubernetes

Remediation Available: No

Domain: Infrastructure Security

Resource: kubernetes_pod

Resource Category: Compute

Resource Type: Pod

Frameworks

GDPR
NIST-800-171
NIST-800-53
NIST-CSF
HIPAA
CIS Kubernetes v1.4.0 Level 1
CIS Kubernetes v1.6.1 Level 1 - Master Node
NSA CISA Kubernetes Hardening Guide 1.0

Detections

Analytics