Ensure Controller insecure port argument is unset

An XCCDF Rule

Description

To ensure the Controller Manager service is bound to a secure loopback address and a secure port, set the insecure `port` argument to `"0"` under extendedArguments in the openshift-kube-controller-manager configmap on the master node(s):

    "extendedArguments": {
    ...
      "port": ["0"],
    ...

It is also acceptable for a system to deprecate the insecure port:

    "extendedArguments": {
    ...
    ...

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the following:
  • the {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config{{end}} API endpoint, filtered with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}[[.items[0].spec.containers[0].args[] | select(. | match("--port=[1-9]*[1-9]+") )] | length | if . == 0 then true else false end]{{else}}[.data."config.yaml" | fromjson | if .extendedArguments["port"]!=null then .extendedArguments["port"]==["0"] else true end]{{end}}, and persisted to the local /api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#9f09cca56dc1e9f9605eb5a94aed74de554fd209513a9222e4fe9c0ed669aeee file.
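The two jq filters above, re-implemented in plain Python as an added example (this is not part of the XCCDF rule or the compliance content it comes from). It lets a defender run the same check offline against a saved API dump: the non-HyperShift branch parses the configmap's embedded config.yaml JSON and requires `extendedArguments.port` to be absent or exactly `["0"]`; the HyperShift branch scans the first container's arguments of the first kube-controller-manager pod for a non-zero `--port=`. The sample configmap and pod list are constructed here, not real cluster output, and the port numbers in them are illustrative.

```python
import json
import re
import sys

# Added example, not part of the XCCDF rule: a Python re-implementation of the two jq
# filters in the rule's warning, so the check can be run offline against a saved API dump.

# Non-HyperShift branch: the configmap's "config.yaml" value is a JSON document whose
# extendedArguments.port must be absent or exactly ["0"].
def controller_insecure_port_disabled(configmap_json: str) -> bool:
    configmap = json.loads(configmap_json)
    config = json.loads(configmap["data"]["config.yaml"])
    port = config.get("extendedArguments", {}).get("port")
    if port is None:
        return True          # argument unset: compliant
    return port == ["0"]     # argument present: must be the single value "0"

# HyperShift branch: the first container of the first kube-controller-manager pod must carry
# no --port=<non-zero> argument. The pattern is the one the rule's jq filter uses; it only
# matches when the digit right after "=" is 1-9, so "--port=0" and an absent flag both pass.
INSECURE_PORT_RE = re.compile(r"--port=[1-9]*[1-9]+")

def hypershift_insecure_port_disabled(pod_list_json: str) -> bool:
    pods = json.loads(pod_list_json)
    args = pods["items"][0]["spec"]["containers"][0].get("args", [])
    return not any(INSECURE_PORT_RE.search(arg) for arg in args)

# Constructed sample inputs (not real cluster dumps) shaped like the two API responses.
def make_configmap(extended_arguments: dict) -> str:
    config = {"kind": "KubeControllerManagerConfig", "extendedArguments": extended_arguments}
    return json.dumps({
        "kind": "ConfigMap",
        "metadata": {"name": "config", "namespace": "openshift-kube-controller-manager"},
        "data": {"config.yaml": json.dumps(config)},
    })

def make_pod_list(args: list) -> str:
    return json.dumps({
        "kind": "PodList",
        "items": [{"metadata": {"name": "kube-controller-manager-sample"},
                   "spec": {"containers": [{"name": "kube-controller-manager", "args": args}]}}],
    })

COMPLIANT_CONFIGMAP = make_configmap({"port": ["0"], "secure-port": ["10257"]})
INSECURE_CONFIGMAP = make_configmap({"port": ["10252"]})
UNSET_CONFIGMAP = make_configmap({"secure-port": ["10257"]})
COMPLIANT_PODS = make_pod_list(["--port=0", "--secure-port=10257"])
INSECURE_PODS = make_pod_list(["--port=10252"])

if __name__ == "__main__":
    # Usage: python check_controller_port.py <saved configmap JSON>; with no argument the
    # constructed samples are evaluated instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print("PASS" if controller_insecure_port_disabled(fh.read()) else "FAIL")
    else:
        for name, doc in [("compliant", COMPLIANT_CONFIGMAP), ("insecure", INSECURE_CONFIGMAP)]:
            print(name, "PASS" if controller_insecure_port_disabled(doc) else "FAIL")
```

Both functions follow the jq filters exactly, including their edge cases: a configmap with no `port` entry passes, a list such as `["0", "0"]` fails because the filter compares against the single-element list `["0"]`, and in the HyperShift branch `--secure-port=...` is not mistaken for `--port=` because the pattern requires the two leading dashes immediately before `port`.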

Rationale

The Controller Manager API service is used for health and metrics information and is available without authentication or encryption. As such, it should only be bound to a localhost interface to minimize the cluster's attack surface.

ID
xccdf_org.ssgproject.content_rule_controller_insecure_port_disabled
Severity
Low