Insecure bind address set
Id: b9380fd3-5ffe-4d10-9290-13e18e71eee1
Cloud Provider: k8s
Platform: Kubernetes
Severity: High
Category: Networking and Firewall
Description
When running kube-apiserver, the --insecure-bind-address flag should not be set. This flag makes the API server listen on an unauthenticated, plaintext HTTP endpoint, bypassing TLS and exposing the API to unauthenticated access from anything that can reach that address. This rule inspects the command and args fields of containers and initContainers for invocations of kube-apiserver that carry a flag starting with --insecure-bind-address.
Compliant Code Examples
apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
  - name: command-demo-container
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    command: ["kube-apiserver"]
  restartPolicy: OnFailure
---
apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
  - name: command-demo-container
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    command: ["kube-apiserver"]
    args: []
  restartPolicy: OnFailure
Non-Compliant Code Examples
apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
  - name: command-demo-container
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    command: ["kube-apiserver"]
    args: ["--insecure-bind-address=127.0.0.1"]
  restartPolicy: OnFailure
---
apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
  - name: command-demo-container
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    command: ["kube-apiserver", "--insecure-bind-address=127.0.0.1"]
  restartPolicy: OnFailure
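The check described above, written out as an added example (not Datadog's own rule implementation). It assumes the Pod manifest has already been parsed into a dict, that kube-apiserver may be invoked by bare name or by full path, and that the flag may appear either as `--insecure-bind-address=ADDR` or as a separate `--insecure-bind-address ADDR` pair; the sample manifests are constructed to mirror the examples on this page.

```python
from posixpath import basename

# Added example checker for this rule; it is not Datadog's implementation.
# Assumption: the Pod manifest has already been parsed (e.g. from YAML) into a dict,
# kube-apiserver may be invoked by bare name or full path, and the flag may appear
# either as "--insecure-bind-address=ADDR" or as "--insecure-bind-address ADDR".
FLAG = "--insecure-bind-address"


def is_apiserver_invocation(argv):
    """True if any token of the container's command line is the kube-apiserver binary."""
    return any(basename(str(tok)) == "kube-apiserver" for tok in argv)


def find_insecure_bind_address(pod):
    """Return (container name, offending token) pairs for every kube-apiserver
    container or initContainer whose command or args carry the insecure flag.
    Both command and args are checked, matching the page's non-compliant examples."""
    findings = []
    spec = pod.get("spec") or {}
    for field in ("containers", "initContainers"):
        for c in spec.get(field) or []:
            argv = list(c.get("command") or []) + list(c.get("args") or [])
            if not is_apiserver_invocation(argv):
                continue  # other binaries are out of scope for this rule
            for tok in argv:
                if str(tok).startswith(FLAG):
                    findings.append((c.get("name", "<unnamed>"), tok))
    return findings


# Constructed sample manifests (as parsed dicts) mirroring the page's examples.
COMPLIANT = {"spec": {"containers": [
    {"name": "command-demo-container", "command": ["kube-apiserver"], "args": []}]}}
NON_COMPLIANT = {"spec": {
    "containers": [{"name": "command-demo-container",
                    "command": ["kube-apiserver"],
                    "args": ["--insecure-bind-address=127.0.0.1"]}],
    "initContainers": [{"name": "init",
                        "command": ["/usr/local/bin/kube-apiserver",
                                    "--insecure-bind-address", "0.0.0.0"]}],
}}

if __name__ == "__main__":
    for label, pod in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        print(label, find_insecure_bind_address(pod) or "no findings")
```

Note that a container running some other binary with a similar flag is not reported, since the rule is scoped to kube-apiserver invocations.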