Controller Manager has profiling active
ID |
kube_controller_manager_profiling |
Severity |
low |
Vendor |
Kubernetes |
Resource |
kube-apiserver |
Tags |
reachable |
Description
Kubernetes profiling allows to analyze the performance of the system in order to improve poorly performing applications, it is not recommended in production due to the significant performance hit during the profiling process, but also might expose system and program details as it generate significant amount of data.
--profiling is set true as default for Kube Controller Manager. it is recommended to turn it off to reduce the potential attack surface.
Examples
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
component: kube-controller-manager
tier: control-plane
name: weak
namespace: kube-system
spec:
containers:
- command:
- kube-controller-manager (1)
- --controllers=*,bootstrapsigner,tokencleaner
image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0| 1 | When --profiling is not set, service account token couldn’t be ensure it is rotate. |
Mitigation / Fix
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
component: kube-controller-manager
tier: control-plane
name: good
namespace: kube-system
spec:
containers:
- command:
- kube-controller-manager
- --controllers=*,bootstrapsigner,tokencleaner
- --profiling=false (1)
image: gcr.io/<image>| 1 | Verify --profiling=false is set explicitly. |