Profile applicability: Level 1 - Worker Node
Do not bind the kube-proxy metrics port to non-loopback addresses.
kube-proxy has two APIs which provide access to information about the service and can be bound to network ports. The metrics API service includes endpoints (/metrics and /configz) which disclose information about the configuration and operation of kube-proxy. These endpoints should not be exposed to untrusted networks as they do not support encryption or authentication to restrict access to the data they provide.
Note: The default value is 127.0.0.1:10249.
Impact
3rd party services which try to access metrics or configuration information related to kube-proxy will require access to the localhost interface of the node.
Audit
Review the start-up flags provided to kube-proxy.
ps -ef | grep -i kube-proxy
Ensure that the --metrics-bind-address parameter is not set to a value other than 127.0.0.1. From the output of this command gather the location specified in the --config parameter. Review any file stored at that location and ensure that it does not specify a value other than 127.0.0.1 for metricsBindAddress.
Remediation
Modify or remove any values which bind the metrics service to a non-localhost address.
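The audit steps above as a script, added here as an example and not part of the original benchmark text. The function names are made up for illustration and the sample command line is constructed; an unset address is treated as the default 127.0.0.1:10249 stated in the note.

```shell
#!/bin/sh
# Added example: scripted form of the audit steps (function names are hypothetical).

# Print the value of flag $1 found in command line $2.
# Handles both "--flag=value" and "--flag value".
flag_value() {
    printf '%s\n' "$2" | tr -s ' \t' '\n\n' | awk -v f="$1" '
        $0 == f               { if ((getline) > 0) print; exit }
        index($0, f "=") == 1 { print substr($0, length(f) + 2); exit }'
}

# Print metricsBindAddress from config file $1, without quotes or comments.
config_value() {
    sed -n 's/^[[:space:]]*metricsBindAddress:[[:space:]]*//p' "$1" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e "s/^[\"']//" -e "s/[\"']\$//" | head -n 1
}

# Succeed if the address is unset or binds to 127.0.0.1 (with or without port).
# Anything else, including other loopback spellings, is flagged for review.
is_loopback() {
    case "$1" in
        ''|127.0.0.1|127.0.0.1:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit one kube-proxy command line ($1). Returns 0 on pass, 1 on fail.
audit_kube_proxy() {
    rc=0
    addr=$(flag_value --metrics-bind-address "$1")
    is_loopback "$addr" || { echo "FAIL flag --metrics-bind-address=$addr"; rc=1; }
    cfg=$(flag_value --config "$1")
    if [ -n "$cfg" ] && [ ! -r "$cfg" ]; then
        echo "WARN cannot read $cfg, review it manually"
    elif [ -n "$cfg" ]; then
        addr=$(config_value "$cfg")
        is_loopback "$addr" || { echo "FAIL $cfg metricsBindAddress=$addr"; rc=1; }
    fi
    [ "$rc" -ne 0 ] || echo "PASS no non-loopback metrics bind address found"
    return "$rc"
}

# Constructed sample line in "ps -ef" layout; the config path is a placeholder.
# On a node: audit_kube_proxy "$(ps -ef | grep -i '[k]ube-proxy')"
sample='root 4242 1 0 10:00 ? 00:00:01 /usr/local/bin/kube-proxy --config=/nonexistent/config.conf --metrics-bind-address=0.0.0.0:10249'
audit_kube_proxy "$sample" || true
```

When kube-proxy runs in a container, the --config path refers to the container's filesystem, so the script reports WARN on the host and the file has to be reviewed from inside the container or from its mounted source.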