C-0005 - API server insecure port is enabled
Framework
AllControls, ArmoBest, security, ClusterScan, NSA
Severity
Critical
Description of the the issue
The control plane is the core of Kubernetes and gives users the ability to view containers, schedule new Pods, read Secrets, and execute commands in the cluster. Therefore, it should be protected. It is recommended to avoid control plane exposure to the Internet or to an untrusted network. The API server runs on ports 6443 and 8080. We recommend to block them in the firewall. Note also that port 8080, when accessed through the local machine, does not require TLS encryption, and the requests bypass authentication and authorization modules.
Related resources
Pod
What does this control test
Check if the insecure-port flag is set (in case of cloud vendor hosted Kubernetes service this verification will not be effective).
Remediation
Set the insecure-port flag of the API server to zero.
Example
No example
Updated 3 months ago