Prevent Insecure Port Access

An XCCDF Rule

Description

By default, traffic for the OpenShift API server is served over HTTPS with authentication and authorization, and the secure API endpoint is bound to 0.0.0.0:8443. To ensure that the insecure port configuration has not been enabled, the insecure-port parameter should be set to 0. Edit the openshift-kube-apiserver configmap and change the insecure-port value to 0:

"apiServerArguments":{
  ...
  "insecure-port":[
    "1234"
  ],
  ...

warning alert: Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:

{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}} API endpoint, filter with with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}} and persist it to the local /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430 file.

Rationale

Configuring the API Server on an insecure port would allow unauthenticated and unencrypted access to your master node(s). It is assumed firewall rules will be configured to ensure this port is not reachable from outside the cluster, however as a defense in depth measure, OpenShift should not be configured to use insecure ports.

ID: xccdf_org.ssgproject.content_rule_api_server_insecure_port
Severity: Medium
References: CIP-003-8 R6 CIP-004-6 R3 CIP-007-3 R6.1

CM-6 CM-6(1)

Req-2.2 Req-2.3

SRG-APP-000516-CTR-001325

1.2.17

CCE-83813-6
Updated: about 1 year ago