Ensure the --insecure-port argument is set to 0

Error: The --insecure-port argument is not set to 0

Bridgecrew Policy ID: BC_K8S_64
Checkov Check ID: CKV_K8S_88
Severity: HIGH

Description

Do not bind the API server to an insecure port. Setting up the apiserver to serve on an insecure port would allow unauthenticated and unencrypted access to your master node. Attackers who can reach this port could then easily take control of the cluster.

Fix - Buildtime

Kubernetes

  • Kind: Pod
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
+   - kube-apiserver
+   - --insecure-port=0
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    ...
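
A minimal static check for this policy, as an added example (not Checkov's or Bridgecrew's own code). It takes an already-parsed Pod manifest as a dict; the function names and sample manifests are constructed, and treating a missing flag as a failure is an assumption based on the policy requiring the flag to be set to 0.

```python
FLAG = "--insecure-port"

def insecure_port_values(argv):
    """Return every value supplied for --insecure-port in an argv list."""
    values = []
    for i, tok in enumerate(argv):
        if tok.startswith(FLAG + "="):
            values.append(tok.split("=", 1)[1])
        elif tok == FLAG:
            # Space-separated form: the value is the next token, if present.
            values.append(argv[i + 1] if i + 1 < len(argv) else "")
    return values

def check_pod(manifest):
    """Return a list of findings; an empty list means the manifest passes."""
    findings = []
    for c in (manifest.get("spec") or {}).get("containers") or []:
        # The flag may sit in either `command` or `args`, so inspect both.
        argv = [str(a) for a in (c.get("command") or []) + (c.get("args") or [])]
        # Match the binary by basename so an absolute path is also recognised.
        if not any(a.rsplit("/", 1)[-1] == "kube-apiserver" for a in argv):
            continue  # not an API server container
        values = insecure_port_values(argv)
        name = c.get("name", "<unnamed>")
        if not values:
            # Assumption: a missing flag fails, since the policy wants it set to 0.
            findings.append(f"{name}: {FLAG} is not set")
        elif any(v != "0" for v in values):
            # Strict: every occurrence must be 0, not only the last one.
            findings.append(f"{name}: {FLAG} set to {values}")
    return findings

def pod(command, args=None):
    """Build a constructed Pod manifest (sample input, not from a real cluster)."""
    container = {"name": "kube-apiserver", "command": command}
    if args:
        container["args"] = args
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "kube-apiserver", "namespace": "kube-system"},
            "spec": {"containers": [container]}}

if __name__ == "__main__":
    samples = {
        "compliant": pod(["kube-apiserver", "--insecure-port=0"]),
        "flag missing": pod(["kube-apiserver"]),
        "non-zero port": pod(["kube-apiserver", "--insecure-port=8080"]),
        "flag in args": pod(["kube-apiserver"], ["--insecure-port", "0"]),
    }
    for label, manifest in samples.items():
        print(label, "->", check_pod(manifest) or "PASSED")
```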