forked from elastic/csp-security-policies
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdata.yaml
35 lines (33 loc) · 1.37 KB
/
data.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
metadata:
id: 091b1308-4f72-59ef-9103-4b548386ae27
name: Ensure that the --bind-address argument is set to 127.0.0.1
rule_number: 1.3.7
profile_applicability: '* Level 1 - Master Node'
description: Do not bind the Controller Manager service to non-loopback insecure
addresses.
rationale: |-
The Controller Manager API service which runs on port 10252/TCP by default is used for health and metrics information and is available without authentication or encryption.
As such it should only be bound to a localhost interface, to minimize the cluster's attack surface
audit: |-
Run the following command on the Control Plane node:
```
ps -ef | grep kube-controller-manager
```
Verify that the `--bind-address` argument is set to 127.0.0.1
remediation: |-
Edit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the Control Plane node and ensure the correct value for the `--bind-address` parameter
impact: None
default_value: |
By default, the `--bind-address` parameter is set to 0.0.0.0
references: 1. https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/
section: Controller Manager
version: '1.0'
tags:
- CIS
- Kubernetes
- CIS 1.3.7
- Controller Manager
benchmark:
name: CIS Kubernetes V1.23
version: v1.0.1
id: cis_k8s