The Controller Manager API service should only bind to localhost

kubernetes

Classification:

compliance

Framework:

cis-kubernetes

Control:

1.3.7

Set up the kubernetes integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Description

Do not bind the Controller Manager service to non-loopback insecure addresses.

Rationale

The Controller Manager API service which runs on port 10252/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster’s attack surface

Audit

Run the following command on the master node:

ps -ef | grep kube-controller-manager

Verify that the --bind-address argument is set to 127.0.0.1.

Remediation

Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the master node and ensure the correct value for the --bind-address parameter.

Impact

None

Default value

By default, the --bind-address parameter is set to 0.0.0.0.

References

  1. https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/

Notes: Although the current Kubernetes documentation site says that --address is deprecated in favour of --bind-address. Kubeadm 1.11 still makes use of --address.

CIS controls

Version 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.

Version 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.