
Metadata

Id: 3d24b204-b73d-42cb-b0bf-1a5438c5f71e

Cloud Provider: k8s

Platform: Kubernetes

Severity: High

Category: Networking and Firewall

Description

When running kube-apiserver, do not set the --secure-port flag to 0. Setting --secure-port=0 disables the API server's secure (HTTPS) listener, which prevents encrypted client communication and can expose the server to insecure access. This rule inspects the command and args of containers and initContainers that run kube-apiserver and flags any occurrence of --secure-port=0.
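The check the rule describes, written as an added example (not Datadog's own rule implementation): it walks the containers and initContainers of a Pod manifest, identifies kube-apiserver by the command binary or image name, and reports any --secure-port value of 0. It assumes manifests have already been parsed into Python dicts (as yaml.safe_load or json.load would return them); the sample Pods below are constructed to mirror the page's compliant and non-compliant examples, plus a decoy non-apiserver container. It goes one step beyond the rule's stated check by also recognising the split form "--secure-port 0".

```python
"""Detect kube-apiserver containers whose secure (HTTPS) listener is disabled."""
from typing import Iterator, Optional


def _is_kube_apiserver(container: dict) -> bool:
    """Treat a container as kube-apiserver if its command binary or image says so."""
    command = container.get("command") or []
    image = container.get("image", "")
    runs_binary = bool(command) and command[0].endswith("kube-apiserver")
    return runs_binary or "kube-apiserver" in image


def _secure_port_values(argv: list) -> Iterator[str]:
    """Yield each value passed to --secure-port.

    Handles "--secure-port=0" (the form the rule names) and the split form
    "--secure-port 0" (an assumption that goes beyond the rule's description).
    """
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--secure-port="):
            yield arg.split("=", 1)[1]
        elif arg == "--secure-port" and i + 1 < len(argv):
            i += 1
            yield argv[i]
        i += 1


def find_disabled_secure_port(pod: dict) -> list:
    """Return manifest paths of kube-apiserver containers that set --secure-port to 0."""
    findings = []
    spec = pod.get("spec", {})
    # The rule covers both initContainers and containers.
    for field in ("initContainers", "containers"):
        for container in spec.get(field, []):
            if not _is_kube_apiserver(container):
                continue
            # Flags may appear in command or args; combine them in order.
            argv = list(container.get("command") or []) + list(container.get("args") or [])
            if any(value.strip() == "0" for value in _secure_port_values(argv)):
                findings.append(f"spec.{field}[{container.get('name', '?')}]")
    return findings


def make_pod(containers: list, init_containers: Optional[list] = None) -> dict:
    """Build a minimal Pod dict (constructed sample input, not a real manifest)."""
    spec = {"containers": containers, "restartPolicy": "OnFailure"}
    if init_containers:
        spec["initContainers"] = init_containers
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "command-demo"}, "spec": spec}


APISERVER_IMAGE = "gcr.io/google_containers/kube-apiserver-amd64:v1.6.0"

# Constructed samples mirroring the page's examples.
COMPLIANT_NO_ARGS = make_pod([{"name": "command-demo-container", "image": APISERVER_IMAGE,
                               "command": ["kube-apiserver"], "args": []}])
COMPLIANT_6443 = make_pod([{"name": "command-demo-container", "image": APISERVER_IMAGE,
                            "command": ["kube-apiserver", "--secure-port=6443"], "args": []}])
NONCOMPLIANT = make_pod([{"name": "command-demo-container", "image": APISERVER_IMAGE,
                          "command": ["kube-apiserver"], "args": ["--secure-port=0"]}])
# Split-flag form inside an initContainer (assumed variant, not on the page).
NONCOMPLIANT_INIT_SPLIT = make_pod(
    [{"name": "sidecar", "image": "busybox:1.36", "command": ["sleep", "3600"]}],
    init_containers=[{"name": "apiserver-init", "image": APISERVER_IMAGE,
                      "command": ["/usr/local/bin/kube-apiserver", "--secure-port", "0"]}],
)
# Decoy: the same flag on a non-apiserver container must not be reported.
DECOY_NOT_APISERVER = make_pod([{"name": "web", "image": "nginx:1.25",
                                 "command": ["nginx"], "args": ["--secure-port=0"]}])


if __name__ == "__main__":
    for label, pod in [("compliant-no-args", COMPLIANT_NO_ARGS), ("compliant-6443", COMPLIANT_6443),
                       ("non-compliant", NONCOMPLIANT), ("non-compliant-init", NONCOMPLIANT_INIT_SPLIT),
                       ("decoy", DECOY_NOT_APISERVER)]:
        print(f"{label}: {find_disabled_secure_port(pod) or 'ok'}")
```

Running the script prints one line per sample; only the two kube-apiserver Pods carrying a zero secure port produce findings, and the nginx decoy stays quiet because the rule is scoped to kube-apiserver.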

Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
      command: ["kube-apiserver"]
      args: []
  restartPolicy: OnFailure
---
apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
      command: ["kube-apiserver","--secure-port=6443"]
      args: []
  restartPolicy: OnFailure

Non-Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
      command: ["kube-apiserver"]
      args: ["--secure-port=0"]
  restartPolicy: OnFailure