1.1.6 Ensure that the --insecure-bind-address argument is not set

Information

Do not bind to non-loopback insecure addresses.

Rationale:

If you bind the apiserver to an insecure address, basically anyone who could connect to it over the insecure port, would have unauthenticated and unencrypted access to your master node. The apiserver doesn't do any authentication checking for insecure binds and neither the insecure traffic is encrypted. Hence, you should not bind the apiserver to an insecure address.

Solution

Edit the `/etc/kubernetes/apiserver` file on the master node and remove the `--insecure-bind-address` argument from the `KUBE_API_ADDRESS` parameter. Based on your system, restart the `kube-apiserver` service. For example: `systemctl restart kube-apiserver.service`

Impact:

None

See Also

https://workbench.cisecurity.org/files/1738

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b., CSCv6|9.1

Plugin: Unix

Control ID: 068ac7959179aabf9fec7b0f4f53bc063073c918af7e2f856c68903f796e4edb