forked from elastic/csp-security-policies
-
Notifications
You must be signed in to change notification settings - Fork 0
/
data.yaml
34 lines (32 loc) · 1.26 KB
/
data.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
metadata:
id: b38efe94-7174-5e1d-8f32-14ec97aa9d47
name: Ensure that the --secure-port argument is not set to 0
rule_number: 1.2.17
profile_applicability: '* Level 1 - Master Node'
description: Do not disable the secure port.
rationale: |-
The secure port is used to serve https with authentication and authorization.
If you disable it, no https traffic is served and all traffic is served unencrypted.
audit: |-
Run the following command on the Control Plane node:
```
ps -ef | grep kube-apiserver
```
Verify that the `--secure-port` argument is either not set or is set to an integer value between 1 and 65535.
remediation: |-
Edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the Control Plane node and either remove the `--secure-port` parameter or set it to a different (non-zero) desired port.
impact: You need to set the API Server up with the right TLS certificates.
default_value: |
By default, port 6443 is used as the secure port.
references: 1. https://kubernetes.io/docs/admin/kube-apiserver/
section: API Server
version: '1.0'
tags:
- CIS
- Kubernetes
- CIS 1.2.17
- API Server
benchmark:
name: CIS Kubernetes V1.23
version: v1.0.1
id: cis_k8s