Bind address not properly set

Docs > Plateforme de sécurité Datadog > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Bind address not properly set

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

Id: 46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2

Cloud Provider: Kubernetes

Platform: Kubernetes

Severity: Info

Category: Networking and Firewall

Learn More

Provider Reference

Description

When running kube-controller-manager or kube-scheduler, the --bind-address flag must be set to 127.0.0.1. The rule inspects command arguments in both containers and initContainers and reports a finding if the --bind-address=127.0.0.1 flag is missing or set to a different value.

Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0
      command: ["kube-controller-manager"]
      args: ["--bind-address=127.0.0.1"]
  restartPolicy: OnFailure

apiVersion: v1
kind: Pod
metadata:
  labels:
    component: kube-scheduler
    tier: control-plane
  name: kube-scheduler
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: kube-controller-manager
  template:
    metadata:
      labels:
        app: kube-controller-manager
  containers:
    - name: command-demo-container
      image: k8s.gcr.io/kube-scheduler:v1.19.0
      command: ["kube-scheduler","--bind-address=127.0.0.1"]
      args: []
  restartPolicy: OnFailure

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0
      command: ["kube-controller-manager","--bind-address=127.0.0.1"]
      args: []
  restartPolicy: OnFailure

Non-Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0
      command: ["kube-controller-manager"]
      args: []
  restartPolicy: OnFailure

apiVersion: v1
kind: Pod
metadata:
  labels:
    component: kube-scheduler
    tier: control-plane
  name: kube-scheduler
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: kube-controller-manager
  template:
    metadata:
      labels:
        app: kube-controller-manager
  containers:
    - name: command-demo-container
      image: k8s.gcr.io/kube-scheduler:v1.19.0
      command: ["kube-scheduler"]
      args: []
  restartPolicy: OnFailure

apiVersion: v1
kind: Pod
metadata:
  labels:
    component: kube-scheduler
    tier: control-plane
  name: kube-scheduler
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: kube-controller-manager
  template:
    metadata:
      labels:
        app: kube-controller-manager
  containers:
    - name: command-demo-container
      image: k8s.gcr.io/kube-scheduler:v1.19.0
      command: ["kube-scheduler","--bind-address=0.0.0.0"]
      args: []
  restartPolicy: OnFailure