C-0115 - Ensure that the API Server --DenyServiceExternalIPs is not set

Framework

cis-v1.23-t1.0.1

Severity

Medium

Description of the the issue

This admission controller rejects all net-new usage of the Service field externalIPs. This feature is very powerful (allows network traffic interception) and not well controlled by policy. When enabled, users of the cluster may not create new Services which use externalIPs and may not add new values to externalIPs on existing Service objects. Existing uses of externalIPs are not affected, and users may remove values from externalIPs on existing Service objects.

Most users do not need this feature at all, and cluster admins should consider disabling it. Clusters that do need to use this feature should consider using some custom policy to manage usage of it.

Related resources

Pod

What does this control test

This admission controller rejects all net-new usage of the Service field externalIPs.

How to check it manually

Run the following command on the Control Plane node:

ps -ef | grep kube-apiserver

Verify that the `--DenyServiceExternalIPs argument does not exist.

Remediation

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the `--DenyServiceExternalIPs'parameter

or

The Kubernetes API server flag disable-admission-plugins takes a comma-delimited list of admission control plugins to be disabled, even if they are in the list of plugins enabled by default.

kube-apiserver --disable-admission-plugins=DenyServiceExternalIPs,AlwaysDeny ...

Impact Statement

When enabled, users of the cluster may not create new Services which use externalIPs and may not add new values to externalIPs on existing Service objects.

Default Value

By default, --token-auth-file argument is not set.

Example

No example