C-0128 - Ensure that the API Server --secure-port argument is not set to 0
Framework
cis-v1.23-t1.0.1
Severity
High
Description of the the issue
The secure port is used to serve https with authentication and authorization. If you disable it, no https traffic is served and all traffic is served unencrypted.
Related resources
Pod
What does this control test
Do not disable the secure port.
How to check it manually
Run the following command on the Control Plane node:
ps -ef | grep kube-apiserver
Verify that the --secure-port
argument is either not set or is set to an integer value between 1 and 65535.
Remediation
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the Control Plane node and either remove the --secure-port
parameter or set it to a different (non-zero) desired port.
Impact Statement
You need to set the API Server up with the right TLS certificates.
Default Value
By default, port 6443 is used as the secure port.
Example
No example
Updated 11 days ago