Insecure Bind Address Set

• Query id: b9380fd3-5ffe-4d10-9290-13e18e71eee1
• Query name: Insecure Bind Address Set
• Platform: Kubernetes
• Severity: High
• Category: Networking and Firewall
• CWE: 665
• URL: Github

Description

When using kube-apiserver command, the '--insecure-bind-address' flag should not be set
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
      command: ["kube-apiserver", "--insecure-bind-address=127.0.0.1"]
  restartPolicy: OnFailure

Positive test num. 2 - yaml file

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
      command: ["kube-apiserver"]
      args: ["--insecure-bind-address=127.0.0.1"]
  restartPolicy: OnFailure

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
      command: ["kube-apiserver"]
  restartPolicy: OnFailure

Negative test num. 2 - yaml file

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
      command: ["kube-apiserver"]
      args: []
  restartPolicy: OnFailure