1.2.3 Ensure that the --DenyServiceExternalIPs is not set

Information

This admission controller rejects all net-new usage of the Service field externalIPs.

Rationale:

This admission controller rejects all net-new usage of the Service field externalIPs. This feature is very powerful (allows network traffic interception) and not well controlled by policy. When enabled, users of the cluster may not create new Services which use externalIPs and may not add new values to externalIPs on existing Service objects. Existing uses of externalIPs are not affected, and users may remove values from externalIPs on existing Service objects.

Most users do not need this feature at all, and cluster admins should consider disabling it. Clusters that do need to use this feature should consider using some custom policy to manage usage of it.

Impact:

When enabled, users of the cluster may not create new Services which use externalIPs and may not add new values to externalIPs on existing Service objects.

Solution

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the '--DenyServiceExternalIPs'parameter
or
The Kubernetes API server flag disable-admission-plugins takes a comma-delimited list of admission control plugins to be disabled, even if they are in the list of plugins enabled by default.
kube-apiserver --disable-admission-plugins=DenyServiceExternalIPs,AlwaysDeny ...

Default Value:

By default, --token-auth-file argument is not set.

See Also

https://workbench.cisecurity.org/files/4111

Item Details

Category: CONFIGURATION MANAGEMENT, MAINTENANCE

References: 800-53|CM-7, 800-53|MA-4, CSCv7|16.4

Plugin: Unix

Control ID: ea4fe7aeab772fd9e151f1bcf4234bf8f19c5ebbe5109df452ac22f2692343ce