Ensure the --bind-address argument for controller managers is set to

Error: The --bind-address argument for controller managers is not set to

Bridgecrew Policy ID: BC_K8S_86
Checkov Check ID: CKV_K8S_113
Severity: HIGH

The --bind-address argument for controller managers is not set to


Do not bind the Controller Manager service to non-loopback insecure addresses. The Controller Manager API service, which runs on port 10252/TCP by default, is used for health and metrics information and is available without authentication or encryption. As such, it should only be bound to a localhost interface to minimize the cluster's attack surface.

Fix - Buildtime


  • Kind: Pod
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-controller-manager
+   - --bind-address=
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
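
The same rule can be checked against a parsed Pod manifest before deployment. The following is an added example, not Checkov's own implementation: the function name, the sample manifests and their flag values are constructed for illustration, and treating a missing flag as a failure is an assumption that follows the error text above.

```python
import ipaddress

def bind_address_findings(pod):
    """Return (container, reason) for every kube-controller-manager container
    whose --bind-address is missing, empty, or not a loopback address."""
    findings = []
    for c in pod.get("spec", {}).get("containers", []):
        argv = list(c.get("command") or []) + list(c.get("args") or [])
        # Match the binary by basename so a full path in command[0] still counts.
        if not any(a.rsplit("/", 1)[-1] == "kube-controller-manager" for a in argv):
            continue
        value = None
        for i, arg in enumerate(argv):
            if arg.startswith("--bind-address="):
                value = arg.split("=", 1)[1]
            elif arg == "--bind-address" and i + 1 < len(argv):
                value = argv[i + 1]          # "--flag value" form
        if value is None:
            findings.append((c.get("name"), "--bind-address not set"))
            continue
        try:
            loopback = ipaddress.ip_address(value).is_loopback
        except ValueError:                   # empty string or a hostname
            loopback = False
        if not loopback:
            findings.append((c.get("name"), f"--bind-address={value!r} is not loopback"))
    return findings

def _pod(*flags):
    # Constructed manifest (already parsed from YAML), not taken from a real cluster.
    return {"kind": "Pod", "spec": {"containers": [
        {"name": "kube-controller-manager",
         "command": ["/usr/local/bin/kube-controller-manager", *flags]}]}}

SAMPLES = {
    "loopback_v4": _pod("--bind-address=127.0.0.1"),
    "loopback_v6": _pod("--bind-address", "::1"),
    "all_interfaces": _pod("--bind-address=0.0.0.0"),
    "empty_value": _pod("--bind-address="),
    "unset": _pod("--leader-elect=true"),
}

if __name__ == "__main__":
    for name, pod in SAMPLES.items():
        print(name, bind_address_findings(pod) or "PASS")
```
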