Merge pull request #13578 from songyaeji/k8s-api-services-bind-address-check

Add k8s-api-services-bind-address-check.yaml

cloud/kubernetes/security-compliance/k8s-controller-manager-bind-address.yaml

@@ -0,0 +1,49 @@
+id: k8s-controller-manager-bind-address
+
+info:
+  name: Ensure kube-controller-manager --bind-address is set to localhost
+  author: songyaeji
+  severity: high
+  description: |
+    Ensure kube-controller-manager is bound to localhost (127.0.0.1 or ::1). If --bind-address is missing or
+    set to 0.0.0.0 (::), the controller-manager API may be reachable from all network interfaces, increasing
+    exposure of the control-plane component.
+  impact: |
+    If the kube-controller-manager listens on all interfaces, an attacker with network access may be able to
+    interact with the controller-manager API, causing potential information leakage or enabling further attacks
+    against the cluster.
+  remediation: |
+    Set --bind-address=127.0.0.1 (or ::1) in the kube-controller-manager startup arguments. For example, edit
+    /etc/kubernetes/manifests/kube-controller-manager.yaml and add the argument to the command section.
+  reference:
+    - https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/
+    - Cloud Vulnerability Assessment Guide(2024) by KISA
+  tags: cloud,devops,kubernetes,devsecops,kube-controller-manager,bind-address,hardening,k8s,k8s-cluster-security
+
+variables:
+  component: "kube-controller-manager"
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      kubectl get pods -n kube-system -l component=kube-controller-manager -o jsonpath="{.items[*].spec.containers[*].command}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'kube-controller-manager'
+
+      - type: word
+        words:
+          - "--bind-address=127.0.0.1"
+          - "--bind-address=::1"
+        negative: true
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"kube-controller-manager configuration is missing --bind-address or set to unsafe value (expected: 127.0.0.1 or ::1)"'

cloud/kubernetes/security-compliance/k8s-scheduler-bind-address.yaml

@@ -0,0 +1,48 @@
+id: k8s-scheduler-bind-address
+
+info:
+  name: Ensure kube-scheduler --bind-address is set to localhost
+  author: songyaeji
+  severity: high
+  description: |
+    Ensure kube-scheduler is bound to localhost (127.0.0.1 or ::1). If --bind-address is missing or set to
+    0.0.0.0 (::), the scheduler API may be reachable from all network interfaces, increasing exposure of the
+    control-plane component.
+  impact: |
+    If the kube-scheduler listens on all interfaces, an attacker with network access may be able to interact
+    with the scheduler API, causing potential information leakage or enabling further attacks against the cluster.
+  remediation: |
+    Set --bind-address=127.0.0.1 (or ::1) in the kube-scheduler startup arguments. For example, edit
+    /etc/kubernetes/manifests/kube-scheduler.yaml and add the argument to the command section.
+  reference:
+    - https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/
+    - Cloud Vulnerability Assessment Guide(2024) by KISA
+  tags: cloud,devops,kubernetes,devsecops,kube-scheduler,bind-address,hardening,k8s,k8s-cluster-security
+
+variables:
+  component: "kube-scheduler"
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      kubectl get pods -n kube-system -l component=kube-scheduler -o jsonpath="{.items[*].spec.containers[*].command}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'kube-scheduler'
+
+      - type: word
+        words:
+          - "--bind-address=127.0.0.1"
+          - "--bind-address=::1"
+        negative: true
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"kube-scheduler configuration is missing --bind-address or set to unsafe value (expected: 127.0.0.1 or ::1)"'