Profile applicability: Level 1 - Master Node
Do not bind the Controller Manager service to non-loopback insecure addresses.
Rationale
The Controller Manager API service, which runs on port 10252/TCP by default, is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster's attack surface.
Note: By default, the --bind-address parameter is set to 0.0.0.0.
Audit
Run the following command on the Control Plane node:
ps -ef | grep kube-controller-manager
Verify that the --bind-address argument is set to 127.0.0.1.
Remediation
Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the Control Plane node and ensure the --bind-address parameter is set to 127.0.0.1.
Note: Although the current Kubernetes documentation site says that --address is deprecated in favour of --bind-address, kubeadm 1.11 still makes use of --address.
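The audit step above and the --address note can be turned into a repeatable check. The following shell functions are an added example, not part of the CIS Benchmark text: they parse kube-controller-manager command lines as printed by `ps -ef`, accept both the `--flag=value` and `--flag value` spellings, fall back to the deprecated --address flag when --bind-address is absent (an assumption made here for kubeadm 1.11 nodes), treat a missing flag as the 0.0.0.0 default, and ignore the audit pipeline's own grep process. The sample process-table lines are constructed, not captured from a real node.

```shell
# bind_address_of CMDLINE
# Prints the effective bind address of one kube-controller-manager command line:
# --bind-address if present, else the deprecated --address, else the 0.0.0.0 default.
bind_address_of() {
    bind=""; legacy=""
    # Normalise "--flag value" into "--flag=value" so both spellings parse alike.
    normalised=$(printf '%s\n' "$1" | sed -E 's/--(bind-address|address)[[:space:]]+/--\1=/g')
    for tok in $normalised; do
        case "$tok" in
            --bind-address=*) bind="${tok#--bind-address=}" ;;
            --address=*)      legacy="${tok#--address=}" ;;
        esac
    done
    printf '%s\n' "${bind:-${legacy:-0.0.0.0}}"
}

# check_controller_manager PS_OUTPUT
# Returns 0 when at least one kube-controller-manager process is present and every
# one of them binds to 127.0.0.1; returns 1 otherwise (including "no process found").
check_controller_manager() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *grep*kube-controller-manager*) continue ;;   # the audit pipeline's own grep
            *kube-controller-manager*) ;;
            *) continue ;;
        esac
        found=1
        addr=$(bind_address_of "$line")
        [ "$addr" = "127.0.0.1" ] || return 1
    done <<EOF
$1
EOF
    [ "$found" -eq 1 ]
}

# Constructed sample `ps -ef` output (hypothetical PIDs and times), one compliant
# kubeadm-style static pod plus the grep from the audit command, and one that relies
# on the 0.0.0.0 default.
SAMPLE_PASS='root      2311     1  3 09:14 ?        00:02:41 kube-controller-manager --bind-address=127.0.0.1 --kubeconfig=/etc/kubernetes/controller-manager.conf --leader-elect=true
root      4410  4388  0 09:20 pts/0    00:00:00 grep kube-controller-manager'
SAMPLE_FAIL='root      2311     1  3 09:14 ?        00:02:41 kube-controller-manager --kubeconfig=/etc/kubernetes/controller-manager.conf --leader-elect=true'

# On a real Control Plane node replace the sample with: check_controller_manager "$(ps -ef)"
if check_controller_manager "$SAMPLE_PASS"; then echo "sample 1: PASS"; else echo "sample 1: FAIL"; fi
if check_controller_manager "$SAMPLE_FAIL"; then echo "sample 2: PASS"; else echo "sample 2: FAIL"; fi
```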
