界: Environment

このセクションには、ソースコード以外のものでも、作成中の製品のセキュリティにとって重要なものがすべて含まれています。この分野が対象とする問題は、ソースコードに直接関係しないため、この分野の他の部分と分けました。

Kubernetes Misconfiguration: Unbound Controller Manager

YAML

Abstract

Kubernetes コントローラーマネージャーは外部接続を受け入れます。

Explanation

Kubernetes コントローラーマネージャーはクラスターの状態を監視し、必要に応じて、クラスターが管理する任意のリソースに変更を加えることができます。デフォルトでは、コントローラーマネージャーは外部接続からのリクエストを受け入れます。攻撃者は、外部接続から、セキュリティが重要であるが保護が不十分な API にアクセスできます。

例 1: 次の設定では、バインドアドレスなしで Kubernetes コントローラーマネージャーを起動します。


...
spec:
  containers:
  - command:
    - kube-controller-manager
    - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf
    - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf
    image: example.domain/kube-controller-manager:v1.9.7
    imagePullPolicy: IfNotPresent
    ...

References

[1] Kubernetes controller manager The Kubernetes Authors

[2] Standards Mapping - CIS Kubernetes Benchmark Recommendation 1.3.7

[3] Standards Mapping - Common Weakness Enumeration CWE ID 20

[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020

[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020

[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020

[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020

[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020

[9] Standards Mapping - FIPS200 CM

[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)

[13] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[14] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[15] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[29] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 020

[30] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.structural.yaml.kubernetes_misconfiguration_unbound_controller_manager