C-0005 - API server insecure port is enabled

Framework

AllControls, ArmoBest, security, ClusterScan, NSA

Severity

Critical

Description of the the issue

The control plane is the core of Kubernetes and gives users the ability to view containers, schedule new Pods, read Secrets, and execute commands in the cluster. Therefore, it should be protected. It is recommended to avoid control plane exposure to the Internet or to an untrusted network. The API server runs on ports 6443 and 8080. We recommend to block them in the firewall. Note also that port 8080, when accessed through the local machine, does not require TLS encryption, and the requests bypass authentication and authorization modules.

Related resources

Pod

What does this control test

Check if the insecure-port flag is set (in case of cloud vendor hosted Kubernetes service this verification will not be effective).

Remediation

Set the insecure-port flag of the API server to zero.

Example

No example