1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1

Information

Do not bind the Controller Manager service to non-loopback insecure addresses.

The Controller Manager API service which runs on port 10252/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster's attack surface

Solution

Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the Control Plane node and ensure the correct value for the --bind-address parameter

Impact:

None

See Also

https://workbench.cisecurity.org/benchmarks/17568

Item Details

Category: ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-18, 800-53|SC-23, CSCv7|9.2

Plugin: Unix

Control ID: 825c2ad328235561c7e4cabc78724da966db0222b4db187e15948499663992ad