Kubelet HTTPS Set To False

  • Query id: cdc8b54e-6b16-4538-a1b0-35849dbe29cf
  • Query name: Kubelet HTTPS Set To False
  • Platform: Kubernetes
  • Severity: Medium
  • Category: Networking and Firewall
  • CWE: 311
  • URL: Github

Description

When using kube-apiserver command, the '--kubelet-https' flag should not be set to false
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
      command: ["kube-apiserver"]
      args: ["--kubelet-https=false"]
  restartPolicy: OnFailure

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
      command: ["kube-apiserver"]
  restartPolicy: OnFailure
Negative test num. 2 - yaml file
apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
      command: ["kube-apiserver"]
      args: ["--kubelet-https=true"]
  restartPolicy: OnFailure