Insecure bind address

ID

api_server_insecure_bind_address

Severity

high

Vendor

Kubernetes

Resource

kube-apiserver

Tags

reachable

Description

The Kubernetes API server validates and configures data for the API objects, which include pods, services, replication controllers and others.

Historically the API server listened on two addresses. One is the secure address, which serves TLS and runs every request through authentication and authorization. The other is the "insecure bind" address, which defaults to localhost (127.0.0.1, port 8080). Requests that arrive on the insecure port are not authenticated, bypass the authorization modules and travel in plaintext, so anyone who can connect to that address effectively has cluster-admin access to the control plane and can read API traffic in transit, including secrets. Setting --insecure-bind-address to a non-loopback address (or 0.0.0.0) exposes that listener to the network. The insecure port was deprecated in Kubernetes 1.10, disabled in 1.20 and its flags were removed in 1.24; on older releases it should be switched off with --insecure-port=0 rather than merely left on loopback.

Examples

apiVersion: apps/v1
kind: Deployment
metadata:
  name: bad
spec:
  selector:
    matchLabels:
      app: kube-apiserver
  template:
    metadata:
      labels:
        app: kube-apiserver
    spec:
      serviceAccountName: kube-apiserver
      tolerations:
      - key: node-role.kubernetes.io/master
        operator: Exists
        effect: NoSchedule
      containers:
      - name: kube-apiserver
        image: k8s.gcr.io/kube-apiserver
        command:
        - kube-apiserver
        - --insecure-bind-address=192.168.1.1 (1)
1 Setting --insecure-bind-address to a non-loopback address (192.168.1.1 in this example) binds the insecure port (8080 unless --insecure-port says otherwise) to that interface, so any host that can reach it gets unauthenticated, unencrypted API access.
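As an added example, not part of this rule page or of Kubernetes itself: a small Python audit of a kube-apiserver argument list, such as the command array in the manifest above or a process command line from ps. It raises this rule when --insecure-bind-address points at a non-loopback address and emits a lower-severity note when the listener is merely left on loopback, which is the trap the fix section warns about. The companion rule ID api_server_insecure_port, the two default values and the sample inputs are assumptions constructed for the example.

```python
"""Audit a kube-apiserver argument list for the legacy insecure listener.

Added example; not code from the rule page or from Kubernetes.
"""
import ipaddress
import shlex
from typing import Dict, List, Tuple

# Defaults of kube-apiserver releases that still had the insecure listener
# (deprecated in v1.10, disabled in v1.20, flags removed in v1.24).
DEFAULT_INSECURE_BIND = "127.0.0.1"
DEFAULT_INSECURE_PORT = 8080

RULE_BIND = "api_server_insecure_bind_address"  # rule ID from this page
RULE_PORT = "api_server_insecure_port"          # hypothetical companion rule

Finding = Tuple[str, str, str]  # (rule id, severity, message)


def parse_flags(argv: List[str]) -> Dict[str, str]:
    """Collect --name=value and --name value pairs; a bare --name maps to "true"."""
    flags: Dict[str, str] = {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            name, sep, value = tok[2:].partition("=")
            if not sep:
                # Value may be the following token if that token is not itself a flag.
                if i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                    value = argv[i + 1]
                    i += 1
                else:
                    value = "true"
            flags[name] = value
        i += 1
    return flags


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8, ::1 and the literal name localhost."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # hostnames and junk are treated as not loopback


def audit_insecure_port(argv: List[str]) -> List[Finding]:
    """Return findings for the insecure listener described by argv."""
    flags = parse_flags(argv)
    port_raw = flags.get("insecure-port", str(DEFAULT_INSECURE_PORT))
    try:
        port = int(port_raw)
    except ValueError:
        return [(RULE_PORT, "high", f"--insecure-port value {port_raw!r} is not a number")]
    if port == 0:
        return []  # listener disabled; the bind address is irrelevant
    bind = flags.get("insecure-bind-address", DEFAULT_INSECURE_BIND)
    if not is_loopback(bind):
        return [(RULE_BIND, "high",
                 f"insecure API port {port} bound to {bind}: unauthenticated, plaintext, "
                 f"authorization-bypassing access for anyone who can reach that address")]
    return [(RULE_PORT, "low",
             f"insecure API port {port} still open on {bind}; set --insecure-port=0 "
             f"(or run a release without the insecure port) to close it")]


def audit_command_line(cmdline: str) -> List[Finding]:
    """Convenience wrapper for a `ps -o args=` style command line."""
    return audit_insecure_port(shlex.split(cmdline))


if __name__ == "__main__":
    # Constructed inputs mirroring the page's "bad" and "good" manifests.
    samples = (
        ("bad", ["kube-apiserver", "--insecure-bind-address=192.168.1.1"]),
        ("good", ["kube-apiserver"]),
        ("closed", ["kube-apiserver", "--insecure-port=0"]),
    )
    for label, argv in samples:
        for rule, sev, msg in audit_insecure_port(argv) or [("-", "ok", "no findings")]:
            print(f"{label}: [{sev}] {rule}: {msg}")
```

The "good" manifest from this page produces the low-severity finding on purpose: without --insecure-port=0, a release that still has the listener keeps it open on 127.0.0.1:8080, which is exactly what the CIS benchmark check for --insecure-port exists to catch.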

Mitigation / Fix

apiVersion: apps/v1
kind: Deployment
metadata:
  name: good (1)
spec:
  selector:
    matchLabels:
      app: kube-apiserver
  template:
    metadata:
      labels:
        app: kube-apiserver
    spec:
      serviceAccountName: kube-apiserver
      tolerations:
      - key: node-role.kubernetes.io/master
        operator: Exists
        effect: NoSchedule
      containers:
      - name: kube-apiserver
        image: k8s.gcr.io/kube-apiserver
        command:
        - kube-apiserver
1 Leaving out --insecure-bind-address satisfies this check, but it does not by itself deactivate the insecure port: on releases that still have it, the listener falls back to 127.0.0.1:8080. To disable it fully, also pass --insecure-port=0, or run a Kubernetes release (1.20 and later) in which the insecure port no longer exists.