Controller Manager with invalid --root-ca-file argument

ID

kube_controller_manager_root_ca_file

Severity

high

Vendor

Kubernetes

Resource

kube-controller-manager

Tags

reachable

Description

The Kubernetes controller manager is a daemon that embeds the core control loops shipped with Kubernetes.

Connections between pods and the API server should be protected with a transport encryption protocol such as TLS. Without it, those connections are exposed to man-in-the-middle attacks.

Thus, the --root-ca-file argument must be used to pass the trusted bundle into pods so that they can verify TLS connections to the API server.

Examples

apiVersion: v1
kind: Pod
metadata:
  name: bad
spec:
  containers:
  - command:
    - kube-controller-manager
    - --root-ca-file=private.txt # (1)
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.9.0
    name: bad-container
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /health
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/kubernetes/
      name: k8s
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: certs
    - mountPath: /etc/pki
      name: pki
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes
    name: k8s
  - hostPath:
      path: /etc/ssl/certs
    name: certs
  - hostPath:
      path: /etc/pki
    name: pki
(1) A bad --root-ca-file command argument means pods do not verify the API server’s serving certificate before establishing connections.

Mitigation / Fix

apiVersion: v1
kind: Pod
metadata:
  name: good
spec:
  containers:
  - command:
    - kube-controller-manager
    - --root-ca-file=private.pem # (1)
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.9.0
    name: good-container
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /health
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/kubernetes/
      name: k8s
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: certs
    - mountPath: /etc/pki
      name: pki
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes
    name: k8s
  - hostPath:
      path: /etc/ssl/certs
    name: certs
  - hostPath:
      path: /etc/pki
    name: pki
(1) Command argument --root-ca-file set to a PEM-encoded certificate file (private.pem) means pods can verify the API server’s serving certificate before establishing connections.
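
The following is an added example, not part of the original rule or of Kubernetes: a Python check that extracts --root-ca-file from a container command list and confirms the referenced file contains at least one PEM CERTIFICATE block. It inspects file contents rather than the file name, which is an assumption about what "valid" should mean; the function names, the sample files and the stub certificate body are constructed for illustration.

```python
import base64
import re

FLAG = "--root-ca-file"
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.+?)\s+-----END CERTIFICATE-----", re.S)

def root_ca_file_arg(command):
    """Return the --root-ca-file value from a container command list, or None."""
    value = None
    for i, arg in enumerate(command):
        arg = arg.strip()
        if arg.startswith(FLAG + "="):                # --root-ca-file=<path>
            value = arg.split("=", 1)[1]
        elif arg == FLAG and i + 1 < len(command):    # --root-ca-file <path>
            value = command[i + 1].strip()
    return value or None                              # empty value counts as unset

def pem_cert_count(text):
    """Count CERTIFICATE blocks whose body is base64 decoding to a DER SEQUENCE."""
    count = 0
    for body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                            # binascii.Error is a ValueError
            continue
        if der[:1] == b"\x30":                        # structural check, not X.509 parsing
            count += 1
    return count

def check(command, read_file):
    """Return a finding string, or None when the argument looks valid."""
    path = root_ca_file_arg(command)
    if path is None:
        return f"{FLAG} is not set"
    try:
        text = read_file(path)
    except (OSError, KeyError):                       # KeyError: dict-backed sample reader
        return f"{path}: cannot be read"
    if pem_cert_count(text) == 0:
        return f"{path}: no PEM certificate found"
    return None

# Constructed sample data: the commands from the two manifests and stand-in files.
STUB = base64.b64encode(b"\x30\x00").decode()         # empty DER SEQUENCE, not a real cert
SAMPLE_FILES = {
    "private.txt": "not a certificate\n",
    "private.pem": f"-----BEGIN CERTIFICATE-----\n{STUB}\n-----END CERTIFICATE-----\n"}
BAD = ["kube-controller-manager", "--root-ca-file=private.txt"]
GOOD = ["kube-controller-manager", "--root-ca-file=private.pem"]
```

On a control-plane node, pass a reader such as `lambda p: open(p).read()` in place of the sample mapping, and follow a passing result with a full certificate parse (for example with openssl) to check expiry and issuer.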