1.2.17 Ensure that the --insecure-port argument is set to 0

Information

Do not bind the API server to the insecure port.

Rationale:

Setting up the apiserver to serve on an insecure port would allow unauthenticated and unencrypted access to your master node. Attackers who could reach this port could then easily take control of the cluster.

Impact:

All components that use the API must connect via the secured port, authenticate themselves, and be authorized to use the API.

This includes:

kube-controller-manager

kube-proxy

kube-scheduler

kubelets

Solution

None.

Default Value:

By default, the openshift-kube-server is served over HTTPS with authentication and authorization; the secure API endpoint is bound to 0.0.0.0:6443 and the insecure-port has been removed in Kubernetes 1.20+.
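One way to automate this check against a captured kube-apiserver command line, as an added example that is not part of the benchmark or of OpenShift. The function names and the sample command lines are constructed for illustration, and the rule that the last occurrence of a repeated flag wins is an assumption. A command line that omits the flag is reported as UNSET so the reviewer can confirm the default described above.

```python
"""Added example: evaluate kube-apiserver arguments against the --insecure-port check."""
import shlex

FLAG = "--insecure-port"


def insecure_port_setting(args):
    """Return the effective --insecure-port value as a string, or None if unset.

    Accepts '--insecure-port=0' and '--insecure-port 0'. If the flag is
    repeated, the last occurrence is used (assumption: last value wins).
    """
    value = None
    i = 0
    while i < len(args):
        arg = args[i]
        if arg == FLAG:
            # Space-separated form: the value is the next token, if any.
            value = args[i + 1] if i + 1 < len(args) else ""
            i += 2
            continue
        if arg.startswith(FLAG + "="):
            value = arg[len(FLAG) + 1:]
        i += 1
    return value


def audit(command_line):
    """Classify a command line as PASS, FAIL or UNSET for this control."""
    value = insecure_port_setting(shlex.split(command_line))
    if value is None:
        return "UNSET"  # flag absent: confirm the platform default separately
    try:
        return "PASS" if int(value) == 0 else "FAIL"
    except ValueError:
        return "FAIL"  # missing or non-numeric value is treated as non-compliant


# Constructed sample command lines, not taken from a real cluster.
SAMPLES = [
    "kube-apiserver --secure-port=6443 --insecure-port=0",
    "kube-apiserver --insecure-port 8080 --secure-port=6443",
    "kube-apiserver --insecure-port=0 --insecure-port=8080",
    "kube-apiserver --secure-port=6443",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(audit(line), "<-", line)
```
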

See Also

https://workbench.cisecurity.org/benchmarks/16094

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-15, CSCv7|9.4

Plugin: OpenShift

Control ID: 50b77d17a168c0c40ba6ffcb9d42f7781cffd41984a15a17a0000db6f24f0fd8