Ensure that the --DenyServiceExternalIPs is not set

This admission controller rejects all net-new usage of the Service field externalIPs. This feature is very powerful (it allows network traffic interception) and is not well controlled by policy. When the controller is enabled, users of the cluster may not create new Services that use externalIPs and may not add new values to externalIPs on existing Service objects. Existing uses of externalIPs are not affected, and users may still remove values from externalIPs on existing Service objects.

Risk Level: Low
Cloud Entity: Pods
CloudGuard Rule ID: D9.K8S.IAM.77
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

KubernetesPod where labels contain [value='kube-apiserver'] and namespace = 'kube-system' should have spec.containers with [parsedArgs contain-none [key like 'DenyServiceExternalIPs']]

REMEDIATION

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the '--DenyServiceExternalIPs' parameter,
or
use the Kubernetes API server flag --disable-admission-plugins, which takes a comma-delimited list of admission control plugins to be disabled, even if they are in the list of plugins enabled by default:
kube-apiserver --disable-admission-plugins=DenyServiceExternalIPs,AlwaysDeny...
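As an added example (not part of the CloudGuard rule or of the Kubernetes project), the following script applies the GSL logic above to a kube-apiserver pod as exported by `kubectl get pod -n kube-system -o json`, and additionally reports whether DenyServiceExternalIPs appears in the --enable-admission-plugins or --disable-admission-plugins lists that the remediation edits. The embedded pod JSON is a constructed sample, trimmed to the fields the check reads.

```python
import json

# Constructed sample in the shape of `kubectl get pod ... -o json`; not a real cluster's manifest.
SAMPLE_POD = json.loads("""{
  "metadata": {"name": "kube-apiserver-master", "namespace": "kube-system",
               "labels": {"component": "kube-apiserver", "tier": "control-plane"}},
  "spec": {"containers": [{"name": "kube-apiserver",
           "command": ["kube-apiserver",
                       "--enable-admission-plugins=NodeRestriction,DenyServiceExternalIPs",
                       "--disable-admission-plugins=AlwaysDeny",
                       "--secure-port=6443"]}]}
}""")

PLUGIN = "DenyServiceExternalIPs"


def parse_args(argv):
    """Turn ['--k=v', '--flag'] into {'k': 'v', 'flag': ''}; non-flag entries (the binary) are skipped."""
    parsed = {}
    for entry in argv:
        if entry.startswith("--"):
            key, _, value = entry[2:].partition("=")
            parsed[key] = value
    return parsed


def plugins(parsed, flag):
    """Comma-delimited plugin list behind --enable-admission-plugins / --disable-admission-plugins."""
    return [p for p in parsed.get(flag, "").split(",") if p]


def check_pod(pod):
    """One finding per container of a kube-apiserver pod in kube-system; [] for any other pod."""
    meta = pod["metadata"]
    if meta.get("namespace") != "kube-system" or "kube-apiserver" not in meta.get("labels", {}).values():
        return []
    findings = []
    for c in pod["spec"]["containers"]:
        parsed = parse_args(c.get("command", []) + c.get("args", []))
        findings.append({
            "container": c["name"],
            # GSL rule as written: pass when no argument key looks like the plugin name.
            "rule_passes": not any(PLUGIN in key for key in parsed),
            # Where the plugin name actually sits in the admission plugin lists.
            "enabled": PLUGIN in plugins(parsed, "enable-admission-plugins"),
            "disabled": PLUGIN in plugins(parsed, "disable-admission-plugins"),
        })
    return findings


if __name__ == "__main__":
    for finding in check_pod(SAMPLE_POD):
        print(finding)
```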

References

  1. https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
  2. https://kubernetes.io/docs/admin/kube-apiserver/

Pods

Pods are the smallest deployable units of computing that can be created and managed in Kubernetes. A Pod is a group of one or more containers (such as Docker containers) with shared storage/network, and a specification for how to run the containers.

Compliance Frameworks

  • CIS Kubernetes Benchmark v1.23
  • CIS Kubernetes Benchmark v1.24