Ensure the --bind-address argument for controller managers is set to 127.0.0.1

Error: The --bind-address argument for controller managers is not set to 127.0.0.1

Bridgecrew Policy ID: BC_K8S_86
Checkov Check ID: CKV_K8S_113
Severity: HIGH

The --bind-address argument for controller managers is not set to 127.0.0.1

Description

Do not bind the Controller Manager service to non-loopback insecure addresses. The Controller Manager API service which runs on port 10252/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster's attack surface

Fix - Buildtime

Kubernetes

  • Kind: Pod
apiVersion: v1
  kind: Pod
  metadata:
    creationTimestamp: null
    labels:
      component: kube-apiserver
      tier: control-plane
    name: kube-apiserver
    namespace: kube-system
  spec:
    containers:
    - command:
      - kube-controller-manager
+     - --bind-address=127.0.0.1
      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0