1.3.5 Ensure that the --bind-address argument is set to 127.0.0.1

Information

Do not bind the Controller Manager service to non-loopback insecure addresses.

Rationale:

The Controller Manager API service which runs on port 10257/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster's attack surface

Impact:

None.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

None.

Default Value:

By default, the --bind-address argument is not present, the secure-port argument is set to 10257 and the port argument is set to 0.

See Also

https://workbench.cisecurity.org/benchmarks/16094

Item Details

Category: ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-18, 800-53|SC-23, CSCv7|9.2

Plugin: OpenShift

Control ID: 8680570c7f0dbfd0926bc225c53fcd6fe8edbba5e0a336f83177d942cf85facb