Profile Applicability:
Level 1
Description:
Ensure that the kube-apiserver --bind-address argument is set to 127.0.0.1 where the deployment model allows it. The flag selects the IP address on which the API server listens for its TLS port (--secure-port, 6443 by default); the upstream default is 0.0.0.0, i.e. every interface on the host. Binding to 127.0.0.1 confines the listener to the loopback interface, so only processes on the control-plane host can open a connection. Two caveats apply. First, the CIS Kubernetes Benchmark prescribes the 127.0.0.1 binding for kube-controller-manager and kube-scheduler (controls 1.3.7 and 1.4.2), whose only client is the API server on the same host; the API server itself is the endpoint every kubelet and in-cluster client must reach, so on a multi-node cluster a loopback-only bind is viable only if those clients reach it through a local tunnel or proxy. Second, on Amazon EKS the control plane is managed by AWS and kube-apiserver flags cannot be set by the customer; the equivalent control is the cluster's API server endpoint access configuration (public and private endpoint access and the public access CIDR allowlist).
Rationale:
A listener bound to 0.0.0.0 makes the API server's authentication and authorization surface reachable from every network path to the control-plane host, so a leaked credential or an unpatched API server vulnerability is exploitable remotely. Binding to 127.0.0.1 removes the listener from the network entirely; an attacker must first obtain code execution on the control-plane host. On EKS the same reduction in attack surface is obtained by disabling public endpoint access, or at minimum restricting publicAccessCidrs to known source ranges, so that the managed endpoint is reachable only from the cluster VPC and networks connected to it.
Impact:
Pros:
Removes the API server listener from routable networks (or, on EKS, from the Internet), so remote attackers cannot reach it even with stolen credentials or against an unpatched API server.
Shrinks the exposed surface to host-local (or VPC-local) clients, which are easier to inventory and monitor.
Cons:
A self-managed API server bound to 127.0.0.1 is unreachable from worker nodes: kubelets, kube-proxy and in-cluster clients that connect via the kubernetes Service lose contact with the control plane, so on a multi-node cluster this breaks the cluster unless every client is routed through a local tunnel or proxy on the control-plane host.
Remote administration with kubectl requires SSH port forwarding or a bastion, and on EKS with private-only access it requires connectivity into the VPC (VPN, Direct Connect, a peered VPC, or a bastion host).
Default Value:
The upstream kube-apiserver default for --bind-address is 0.0.0.0, so the secure port listens on all interfaces unless the flag is set. A newly created EKS cluster has endpointPublicAccess=true, endpointPrivateAccess=false and publicAccessCidrs=0.0.0.0/0, so its API endpoint is reachable from any Internet address (subject to authentication and authorization).
Pre-Requisites:
Access to the kube-apiserver configuration: on a self-managed control plane, shell access to each control-plane node (the static pod manifest under /etc/kubernetes/manifests/ is root-owned); on EKS, AWS credentials permitted to call eks:DescribeCluster and eks:UpdateClusterConfig.
An administrative path that will keep working after the change (SSH to the control-plane host, or network access into the cluster VPC for EKS private-only access), so the change does not lock you out.
For EKS private endpoint access, a cluster VPC with DNS hostnames and DNS resolution enabled, which resolution of the private endpoint depends on.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the Amazon Elastic Kubernetes Service (EKS) console.
Navigate to the "Clusters" section and select your cluster.
Open the Networking tab and review "API server endpoint access" (Public, Private, or Public and private) together with the public access source allowlist. The console does not display kube-apiserver command-line flags; EKS does not expose --bind-address, so endpoint access is the setting to audit.
The control passes when public access is disabled, or when it is enabled only for a deliberately chosen set of CIDR ranges rather than 0.0.0.0/0.
Using AWS CLI:
Retrieve the endpoint access configuration of the managed API server:
aws eks describe-cluster --name <cluster-name> --query 'cluster.resourcesVpcConfig.[endpointPublicAccess,endpointPrivateAccess,publicAccessCidrs]'
Ensure the output shows endpointPublicAccess false (with endpointPrivateAccess true), or a publicAccessCidrs list limited to known source ranges.
On a self-managed control plane (for example kubeadm), kube-apiserver runs as a static pod, not a Deployment, so kubectl get deployment -n kube-system kube-apiserver returns NotFound. Inspect the flag on each control-plane node instead:
grep -- '--bind-address' /etc/kubernetes/manifests/kube-apiserver.yaml
ps -ef | grep kube-apiserver
Ensure that the output contains --bind-address=127.0.0.1. If the flag is absent, the server is listening on 0.0.0.0 (the default).
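The following shell helper is an added example for the audit step above; it is not part of the original page and is not an AWS or Kubernetes tool. It reads the effective --bind-address from a kube-apiserver or controller-manager static pod manifest (or a ps command line), reports whether the listener is loopback-only, and classifies an EKS describe-cluster JSON document by endpoint exposure. Every input file is constructed inline as sample data (the manifests, the ps line, the cluster name "example" and the describe-cluster responses are all made up for the example), so it runs offline.

```shell
#!/bin/sh
# Added audit helper (not part of the original page). Everything runs offline
# on constructed sample input written to a temp directory below.
set -eu

# effective_bind_address FILE
# Prints the value given to --bind-address in FILE, which may be a static pod
# manifest (YAML "- --flag=value" items) or a `ps -ef` command line
# ("--flag=value" or "--flag value"). kube-apiserver, kube-controller-manager
# and kube-scheduler all default to 0.0.0.0 when the flag is absent.
effective_bind_address() {
  val=$(tr '\n' ' ' < "$1" | sed -n 's/.*--bind-address[= ]\([^ ]*\).*/\1/p')
  printf '%s\n' "${val:-0.0.0.0}"
}

# loopback_only FILE  -> prints yes|no
# "yes" means only processes on the same host can connect. Desired for
# kube-controller-manager and kube-scheduler (CIS 1.3.7 / 1.4.2); for
# kube-apiserver it also means kubelets and remote kubectl cannot connect
# without a local tunnel or proxy.
loopback_only() {
  case "$(effective_bind_address "$1")" in
    127.0.0.1|::1|localhost) echo yes ;;
    *)                       echo no  ;;
  esac
}

# eks_endpoint_exposure FILE  -> prints public|private|public+private
# FILE holds the JSON from `aws eks describe-cluster --name NAME`. EKS has
# no --bind-address knob; endpointPublicAccess / endpointPrivateAccess decide
# from where the managed API server can be reached. Returns 1 if the fields
# are missing (the document is not a describe-cluster response).
eks_endpoint_exposure() {
  pub=$(grep -oE '"endpointPublicAccess": *(true|false)' "$1" | grep -oE 'true|false' || true)
  priv=$(grep -oE '"endpointPrivateAccess": *(true|false)' "$1" | grep -oE 'true|false' || true)
  case "$pub/$priv" in
    true/true)  echo public+private ;;
    true/false) echo public ;;
    false/true) echo private ;;
    *)          echo unknown; return 1 ;;
  esac
}

# ---- constructed sample input (not captured from any real cluster) ----
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# kubeadm-style kube-apiserver manifest excerpt with no --bind-address
# (the shape of /etc/kubernetes/manifests/kube-apiserver.yaml by default)
cat > "$tmp/apiserver.yaml" <<'EOF'
    command:
    - kube-apiserver
    - --advertise-address=10.0.0.10
    - --secure-port=6443
    - --authorization-mode=Node,RBAC
EOF

# kube-controller-manager manifest excerpt with the CIS-recommended binding
cat > "$tmp/controller-manager.yaml" <<'EOF'
    command:
    - kube-controller-manager
    - --bind-address=127.0.0.1
    - --use-service-account-credentials=true
EOF

# a `ps -ef | grep kube-apiserver` line using the space-separated flag form
printf '%s\n' 'root 1234 1 0 12:00 ? 00:01:00 kube-apiserver --bind-address 0.0.0.0 --secure-port=6443' \
  > "$tmp/apiserver.ps"

# describe-cluster excerpt for a cluster still on the EKS defaults
cat > "$tmp/eks-default.json" <<'EOF'
{
  "cluster": {
    "name": "example",
    "resourcesVpcConfig": {
      "endpointPublicAccess": true,
      "endpointPrivateAccess": false,
      "publicAccessCidrs": ["0.0.0.0/0"]
    }
  }
}
EOF

# describe-cluster excerpt after public access was disabled and private enabled
cat > "$tmp/eks-private.json" <<'EOF'
{"cluster": {"resourcesVpcConfig": {"endpointPublicAccess": false, "endpointPrivateAccess": true}}}
EOF

for f in apiserver.yaml controller-manager.yaml apiserver.ps; do
  printf '%-24s bind-address=%-10s loopback-only=%s\n' "$f" \
    "$(effective_bind_address "$tmp/$f")" "$(loopback_only "$tmp/$f")"
done
for f in eks-default.json eks-private.json; do
  printf '%-24s endpoint=%s\n' "$f" "$(eks_endpoint_exposure "$tmp/$f")"
done
```

On a real control-plane node, point effective_bind_address at /etc/kubernetes/manifests/kube-apiserver.yaml or at the saved output of ps -ef; for EKS, save the output of aws eks describe-cluster --name <cluster-name> to a file and pass it to eks_endpoint_exposure. A "public" result with publicAccessCidrs of 0.0.0.0/0 is the finding this control is about.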
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the EKS service and navigate to your cluster.
On the Networking tab, edit the API server endpoint access setting.
Set the endpoint access to Private, or to Public and private with the public access source allowlist restricted to your administrative source ranges instead of 0.0.0.0/0.
Save the changes. The update is applied asynchronously; the cluster shows the Updating status until it completes.
Using AWS CLI:
Disable public endpoint access and enable private access on the managed API server:
aws eks update-cluster-config --name <cluster-name> --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true
If public access must remain, restrict it to known ranges instead (203.0.113.0/24 is a placeholder for your own range):
aws eks update-cluster-config --name <cluster-name> --resources-vpc-config endpointPublicAccess=true,endpointPrivateAccess=true,publicAccessCidrs="203.0.113.0/24"
The command returns an update ID; track it with aws eks describe-update --name <cluster-name> --update-id <update-id> until its status is Successful.
On a self-managed control plane, edit the static pod manifest on each control-plane node rather than a Deployment (kubectl edit on a static pod's mirror pod has no effect):
sudo vi /etc/kubernetes/manifests/kube-apiserver.yaml
Under the command list of the kube-apiserver container, add or update:
- --bind-address=127.0.0.1
Save the file; the kubelet detects the change and recreates the static pod. Do this only where every API client connects via the control-plane host (a single-node cluster, or clients behind a local proxy); on a multi-node cluster the worker kubelets will lose contact with the API server.
Backout Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the EKS service and navigate to your cluster.
On the Networking tab, edit the API server endpoint access setting.
Restore the previous endpoint access mode and public access source allowlist (for example Public with 0.0.0.0/0, the default for a new cluster).
Save the changes and wait for the update to complete.
Using AWS CLI:
Restore the previous endpoint access configuration; at least one of public or private access must remain enabled:
aws eks update-cluster-config --name <cluster-name> --resources-vpc-config endpointPublicAccess=true,endpointPrivateAccess=false
On a self-managed control plane, edit /etc/kubernetes/manifests/kube-apiserver.yaml on each control-plane node and set --bind-address back to its previous value (for example 0.0.0.0 for all interfaces), or remove the flag to restore the default. The kubelet recreates the static pod automatically.
References:
Kubernetes API Server Configuration (kube-apiserver command-line reference): https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
Amazon EKS cluster endpoint access control: https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html