The Controller Manager API service should only bind to localhost
Set up the kubernetes integration.
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Description
Do not bind the Controller Manager service to non-loopback insecure addresses.
Rationale
The Controller Manager API service which runs on port 10252/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster’s attack surface
Audit
Run the following command on the master node:
ps -ef | grep kube-controller-manager
Verify that the --bind-address
argument is set to 127.0.0.1
.
Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
on the master node and ensure the correct value for the --bind-address
parameter.
Impact
None
Default value
By default, the --bind-address
parameter is set to 0.0.0.0
.
References
- https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/
Notes: Although the current Kubernetes documentation site says that --address
is deprecated in favour of --bind-address
. Kubeadm 1.11 still makes use of --address
.
CIS controls
Version 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.
Version 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.