3.1.5 Ensure that the --insecure-port argument is set to 0

Information

Do not bind to insecure port.

Rationale:

Setting up the federation apiserver to serve on an insecure port would allow unauthenticated and unencrypted access to it. It is assumed that firewall rules are set up such that this port is not reachable from outside of the cluster. But, as a defense in depth measure, you should not use an insecure port.

Solution

Edit the deployment specs and set `--insecure-port=0`. `kubectl edit deployments federation-apiserver-deployment --namespace=federation-system`

Impact:

None

See Also

https://workbench.cisecurity.org/files/1738

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b., CSCv6|9.1

Plugin: Unix

Control ID: 46b011d89213c7233c34be6383da9040f8f33349ef4523c02e809a4f68dc1d8e