C-0128 - Ensure that the API Server --secure-port argument is not set to 0

Framework

cis-v1.23-t1.0.1

Severity

High

Description of the the issue

The secure port is used to serve https with authentication and authorization. If you disable it, no https traffic is served and all traffic is served unencrypted.

Related resources

Pod

What does this control test

Do not disable the secure port.

How to check it manually

Run the following command on the Control Plane node:

ps -ef | grep kube-apiserver

Verify that the --secure-port argument is either not set or is set to an integer value between 1 and 65535.

Remediation

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and either remove the --secure-port parameter or set it to a different (non-zero) desired port.

Impact Statement

You need to set the API Server up with the right TLS certificates.

Default Value

By default, port 6443 is used as the secure port.

Example

No example