Ensure that the --authorization-mode argument is not set to AlwaysAllow

Property
Language: terraform
Severity: low

Description

The Kubernetes API server is configured with --authorization-mode set to AlwaysAllow (or the flag is omitted, which selects the same default). This disables authorization checks entirely: every request that passes authentication, including anonymous requests where those are enabled, is permitted without restriction. The flag should instead list the authorizers actually in use, typically Node,RBAC, and AlwaysAllow must not appear anywhere in that list, since a request is allowed as soon as any listed authorizer allows it.

Impact

With authorization checks disabled, any user or service with API access can perform any action on the cluster, including modifying resources, accessing sensitive data, or disrupting workloads. This exposes the entire Kubernetes environment to unauthorized changes or potential compromise.

Ensure that the --auto-tls argument is not set to true

Property
Language: terraform
Severity: low

Description

Enabling the --auto-tls flag in etcd makes the service generate its own self-signed certificate for client connections at startup, rather than serving a certificate issued by the cluster's etcd CA through --cert-file and --key-file. Because no client can verify a self-signed certificate against a trusted CA, this weakens the security of the encrypted channel between etcd and its clients, chiefly the API server. The equivalent setting for the peer (member-to-member) listener is --peer-auto-tls, and the same reasoning applies to it.

Impact

With self-signed certificates, a client cannot tell the real etcd server from an impostor presenting another self-signed certificate, so an attacker positioned on the network could intercept or modify traffic between the API server and etcd, potentially exposing sensitive data such as Secrets or enabling unauthorized access to the Kubernetes control plane.

Ensure that the --bind-address argument is set to 127.0.0.1

Property
Language: terraform
Severity: low

Description

Do not bind the scheduler service to non-loopback insecure addresses. The kube-scheduler serves its health and metrics endpoints on the address given by --bind-address; the default, 0.0.0.0, exposes them on every interface of the control plane node, whereas 127.0.0.1 limits them to callers on the node itself.

Resolution

Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml on the Control Plane node and ensure the --bind-address parameter is set to 127.0.0.1, for example --bind-address=127.0.0.1.

Ensure that the --bind-address argument is set to 127.0.0.1

Property
Language: terraform
Severity: low

Description

The Kubernetes controller manager is configured to bind to an address other than 127.0.0.1 (or the flag is omitted, which defaults to 0.0.0.0), exposing its health and metrics endpoint on non-loopback network interfaces and making it reachable from outside the local host. This increases the risk of unauthorized access to the controller manager process.

Impact

If exploited, attackers could potentially connect to the controller manager from outside the control plane node, allowing them to interfere with cluster operations, access sensitive data, or gain further privileges within the Kubernetes environment.

Ensure that the --cert-file and --key-file arguments are set as appropriate

Property
Language: terraform
Severity: low

Description

The etcd service is not configured with the --cert-file and --key-file arguments, so it has no server certificate and private key to present and TLS is not used for client connections. This leaves etcd traffic unencrypted and susceptible to interception.

Impact

Without TLS, sensitive data stored in etcd can be transmitted in plain text over the network, allowing attackers to eavesdrop, tamper with data, or impersonate legitimate clients. This can lead to unauthorized data access, privilege escalation, or compromise of the entire Kubernetes cluster.

Ensure that the --client-ca-file argument is set as appropriate

Property
Language: terraform
Severity: low

Description

The Kubernetes API server is not configured with the --client-ca-file argument, so it has no CA bundle against which to verify client certificates. Certificate-based client authentication, which kubelets and kubeadm-issued administrator credentials rely on, is therefore unavailable, and the server must fall back on its other authenticators or on anonymous access.

Impact

Without client certificate verification, the API server loses one of its primary means of authenticating clients. Malicious actors who obtain API access in this state can reach sensitive cluster operations and data, increasing the risk of unauthorized actions or compromise of the Kubernetes environment.

Ensure that the --client-cert-auth argument is set to true

Property
Language: terraform
Severity: low

Description

The etcd service is not configured with --client-cert-auth=true, so it does not require clients to present a certificate signed by the CA given in --trusted-ca-file. Any client that can reach the etcd client port can then issue requests without proving its identity.

Impact

Without client certificate authentication, unauthorized users or processes could connect to etcd, potentially reading or modifying sensitive cluster data, leading to compromise of the Kubernetes control plane and broader cluster security.

Ensure that the --DenyServiceExternalIPs is not set

Property
Language: terraform
Severity: low

Description

DenyServiceExternalIPs is an admission controller enabled through the API server's --enable-admission-plugins argument. When enabled it rejects all new usage of the 'externalIPs' field in Kubernetes Services, preventing workloads from being assigned external IP addresses by this method.

Impact

If this restriction is enforced, legitimate use cases requiring external IP assignment for services will fail, potentially disrupting network connectivity and limiting cluster functionality for applications that depend on external access.

Resolution

Edit the API server pod specification file $apiserverconf on the control plane node and remove DenyServiceExternalIPs from the --enable-admission-plugins list.
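Every check in this section (authorization-mode, client-ca-file and the DenyServiceExternalIPs admission plugin on the API server; bind-address on the scheduler and controller manager; auto-tls, cert-file/key-file and client-cert-auth on etcd) reduces to reading one flag out of a control-plane container's command line, so a single auditor can cover all of them. The script below is an added example, not code from the catalogue above or from any scanner. It takes a pod spec in the JSON form that `kubectl get pod -n kube-system <pod> -o json` prints, parses both the `--flag=value` and `--flag value` forms, applies each binary's documented default when a flag is absent (AlwaysAllow for --authorization-mode, 0.0.0.0 for --bind-address, false for --auto-tls and --client-cert-auth) so that an omitted flag fails like a wrong one, and reports each rule as pass or fail. The function names and the three embedded pod specs are constructed for the example; the DenyServiceExternalIPs rule follows the wording of this section, treating the plugin as a finding when it is enabled.

```python
"""Audit control-plane pod specs against the flag rules in this section.
Added example, not part of the catalogue. Input is a pod spec in the JSON
form kubectl prints; the specs at the bottom are constructed, not captured."""
import json


def parse_flags(argv):
    """Map the flags on a command line to their values.

    Accepts `--flag=value` and `--flag value`; a flag with no value is recorded
    as "true", which is how kube-* binaries treat a bare boolean flag. The
    first token (the binary) and stray positional tokens are skipped.
    """
    flags, tokens, i = {}, list(argv[1:]), 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            name, sep, value = tok[2:].partition("=")
            if not sep:
                nxt = tokens[i + 1] if i + 1 < len(tokens) else None
                if nxt is not None and not nxt.startswith("--"):
                    value, i = nxt, i + 1
                else:
                    value = "true"
            flags[name] = value
        i += 1
    return flags


def csv(value):
    """Split a comma-separated flag value such as Node,RBAC into a list."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def is_true(value):
    return (value or "false").lower() == "true"


# Rule table: binary -> [(rule text, check(flags) -> passed)]. Where a flag is
# absent the check applies the binary's documented default (AlwaysAllow,
# 0.0.0.0, false), so an omitted flag fails just as a wrong value does.
BIND_LOOPBACK = ("--bind-address is 127.0.0.1",
                 lambda f: f.get("bind-address", "0.0.0.0") == "127.0.0.1")
RULES = {
    "kube-apiserver": [
        ("--authorization-mode is not set to AlwaysAllow",
         lambda f: "AlwaysAllow" not in csv(f.get("authorization-mode", "AlwaysAllow"))),
        ("--client-ca-file is set", lambda f: bool(f.get("client-ca-file"))),
        ("DenyServiceExternalIPs is not an enabled admission plugin",
         lambda f: "DenyServiceExternalIPs" not in csv(f.get("enable-admission-plugins"))),
    ],
    "kube-scheduler": [BIND_LOOPBACK],
    "kube-controller-manager": [BIND_LOOPBACK],
    "etcd": [
        ("--auto-tls is not set to true", lambda f: not is_true(f.get("auto-tls"))),
        ("--cert-file and --key-file are set",
         lambda f: bool(f.get("cert-file")) and bool(f.get("key-file"))),
        ("--client-cert-auth is set to true", lambda f: is_true(f.get("client-cert-auth"))),
    ],
}


def audit_pod(pod_json):
    """Return (container, rule, passed) for every rule that applies to the pod."""
    results = []
    for container in json.loads(pod_json)["spec"]["containers"]:
        argv = (container.get("command") or []) + (container.get("args") or [])
        if not argv:
            continue
        binary = argv[0].rsplit("/", 1)[-1]  # "/usr/local/bin/etcd" -> "etcd"
        flags = parse_flags(argv)
        for rule, check in RULES.get(binary, []):
            results.append((container["name"], rule, check(flags)))
    return results


def failures(pod_json):
    """Only the failed rules, as (container, rule) pairs."""
    return [(c, r) for c, r, ok in audit_pod(pod_json) if not ok]


def pod(name, binary, *args):
    """Build a minimal constructed static-pod spec in kubectl's JSON shape."""
    return json.dumps({"kind": "Pod", "metadata": {"name": name, "namespace": "kube-system"},
                       "spec": {"containers": [{"name": name.rsplit("-", 1)[0],
                                                "command": [binary, *args]}]}})


# Constructed samples: a weak API server, a weak scheduler using the
# space-separated flag form, and an etcd that satisfies every etcd rule above.
WEAK_APISERVER = pod("kube-apiserver-cp1", "kube-apiserver", "--authorization-mode=AlwaysAllow",
                     "--enable-admission-plugins=NodeRestriction,DenyServiceExternalIPs",
                     "--secure-port=6443")
WEAK_SCHEDULER = pod("kube-scheduler-cp1", "/usr/local/bin/kube-scheduler",
                     "--bind-address", "0.0.0.0", "--leader-elect=true")
HARDENED_ETCD = pod("etcd-cp1", "etcd", "--cert-file=/etc/kubernetes/pki/etcd/server.crt",
                    "--key-file=/etc/kubernetes/pki/etcd/server.key",
                    "--client-cert-auth=true", "--auto-tls=false")

if __name__ == "__main__":
    for spec in (WEAK_APISERVER, WEAK_SCHEDULER, HARDENED_ETCD):
        for container, rule, ok in audit_pod(spec):
            print("PASS" if ok else "FAIL", container + ":", rule)
```

On a live node the same function can be fed the output of `kubectl get pod -n kube-system kube-apiserver-<node> -o json`, or the static manifests under /etc/kubernetes/manifests converted to JSON, and the rule table extends to further flags by adding one (text, check) pair per rule. The default-aware checks matter in practice: a manifest that never mentions --authorization-mode is running AlwaysAllow, and a scanner that only looks for the literal string would miss it.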