Insecure Bind Address Set

YAML Configuration

rule.yaml YAML

apiVersion: rules.spotter.dev/v1alpha1
kind: SpotterRule
metadata:
  name: spotter-platform-002
  labels:
    severity: "critical"
    category: "platform"
  annotations:
    rules.spotter.dev/title: "Insecure Bind Address Set"
    rules.spotter.dev/version: "1.0.0"
    rules.spotter.dev/cwe: "CWE-319"
    rules.spotter.dev/description: "The API server's insecure bind address should not be set, as this exposes an unauthenticated and unencrypted endpoint."
spec:
  match:
    resources:
      kubernetes:
        apiGroups:
          - ""
        versions:
          - v1
        kinds:
          - Pod
  cel: |
    has(object.spec.containers) && object.spec.containers.exists(c,
      has(c.command) && c.command.exists(cmd, cmd == "kube-apiserver") &&
      (
        (has(c.args) && c.args.exists(arg, arg.startsWith("--insecure-bind-address="))) ||
        (has(c.command) && c.command.exists(cmd, cmd.startsWith("--insecure-bind-address=")))
      )
    )
  remediation:
    manual: "Remove the `--insecure-bind-address` flag from the kube-apiserver."
  references:
    - title: "Kubernetes API Server Flags"
      url: "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"

Test Cases

test-cases.yaml YAML

- name: insecure sample 1 should fail
  pass: false
  input: |
    apiVersion: v1
    kind: Pod
    metadata:
      name: command-demo
      labels:
        purpose: demonstrate-command
    spec:
      containers:
        - name: command-demo-container
          image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
          command: ["kube-apiserver", "--insecure-bind-address=127.0.0.1"]
      restartPolicy: OnFailure

- name: insecure sample 2 should fail
  pass: false
  input: |
    apiVersion: v1
    kind: Pod
    metadata:
      name: command-demo
      labels:
        purpose: demonstrate-command
    spec:
      containers:
        - name: command-demo-container
          image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
          command: ["kube-apiserver"]
          args: ["--insecure-bind-address=127.0.0.1"]
      restartPolicy: OnFailure

- name: secure sample 1 should pass
  pass: true
  input: |
    apiVersion: v1
    kind: Pod
    metadata:
      name: command-demo
      labels:
        purpose: demonstrate-command
    spec:
      containers:
        - name: command-demo-container
          image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
          command: ["kube-apiserver"]
      restartPolicy: OnFailure

- name: secure sample 2 should pass
  pass: true
  input: |
    apiVersion: v1
    kind: Pod
    metadata:
      name: command-demo
      labels:
        purpose: demonstrate-command
    spec:
      containers:
        - name: command-demo-container
          image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
          command: ["kube-apiserver"]
          args: []
      restartPolicy: OnFailure

Validating Admission Policy

validating-admission-policy.yaml YAML

# VAP export for spotter-platform-002
# Generated from Spotter rule
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: spotter-platform-002
spec:
  # Add your VAP configuration here

Rule Metadata

Insecure Bind Address Set

YAML Configuration

Test Cases

Validating Admission Policy

Rule Metadata

Rule Information

Tags & Compliance

Compliance Standards

General Tags

Spotter Hub