Insecure bind port

ID

api_server_insecure_port

Severity

high

Vendor

Kubernetes

Resource

kube-apiserver

Tags

reachable

Description

The Kubernetes API Server validates and configures data for the api objects which include pods, services, replicationcontrollers, and others.

By default, the API server will listen on two ports and addresses. One port is the secure port and the other port is called the "insecure port", typically port 8080.

Basically anyone who could connect to it over the insecure port, would have unauthenticated and unencrypted access to your master node. No server authentication is performed, and traffic to the Insecure API port is not encrypted, allowing attackers to potentially read sensitive data in transit.

Examples

apiVersion: v1
kind: Pod
metadata:
  name: bad (1)
spec:
  containers:
  - command:
    - kube-apiserver
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.9.0
    name: bad-container
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /health
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/kubernetes/
      name: k8s
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: certs
    - mountPath: /etc/pki
      name: pki
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes
    name: k8s
  - hostPath:
      path: /etc/ssl/certs
    name: certs
  - hostPath:
      path: /etc/pki
    name: pki
1 Command argument --insecure-port not set to 0 means that connections to the insecure port are allowed.

Mitigation / Fix

apiVersion: v1
kind: Pod
metadata:
  name: good
spec:
  containers:
  - command:
    - kube-apiserver
    - --insecure-port=0 (1)
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.9.0
    name: good-container
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /health
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/kubernetes/
      name: k8s
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: certs
    - mountPath: /etc/pki
      name: pki
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes
    name: k8s
  - hostPath:
      path: /etc/ssl/certs
    name: certs
  - hostPath:
      path: /etc/pki
    name: pki
1 Command argument --insecure-port set to 0 means that connections to the insecure port are not allowed.