For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/kubernetes-bind-address-not-properly-set.md. A documentation index is available at /llms.txt.

Bind address not properly set

This product is not supported for your selected Datadog site. ().

Metadata

Id: kubernetes-bind-address-not-properly-set

Platform: Kubernetes

Severity: Low

Category: Networking and Firewall

Learn More

Description

When running kube-controller-manager or kube-scheduler, the --bind-address flag must be set to 127.0.0.1. The rule inspects command arguments in both containers and initContainers and reports a finding if the --bind-address=127.0.0.1 flag is missing or set to a different value.

Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0
      command: ["kube-controller-manager"]
      args: ["--bind-address=127.0.0.1"]
  restartPolicy: OnFailure

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0
      command: ["kube-controller-manager","--bind-address=127.0.0.1"]
      args: []
  restartPolicy: OnFailure

apiVersion: v1
kind: Pod
metadata:
  labels:
    component: kube-scheduler
    tier: control-plane
  name: kube-scheduler
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: kube-controller-manager
  template:
    metadata:
      labels:
        app: kube-controller-manager
  containers:
    - name: command-demo-container
      image: k8s.gcr.io/kube-scheduler:v1.19.0
      command: ["kube-scheduler"]
      args: ["--bind-address=127.0.0.1"]
  restartPolicy: OnFailure

Non-Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0
      command: ["kube-controller-manager","--bind-address=0.0.0.0"]
      args: []
  restartPolicy: OnFailure

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0
      command: ["kube-controller-manager"]
      args: []
  restartPolicy: OnFailure

apiVersion: v1
kind: Pod
metadata:
  labels:
    component: kube-scheduler
    tier: control-plane
  name: kube-scheduler
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: kube-controller-manager
  template:
    metadata:
      labels:
        app: kube-controller-manager
  containers:
    - name: command-demo-container
      image: k8s.gcr.io/kube-scheduler:v1.19.0
      command: ["kube-scheduler"]
      args: []
  restartPolicy: OnFailure