界: Environment
本节包括的所有内容均与源代码无关,但对所创建产品的安全性仍然至关重要。因为本节涉及的问题与源代码没有直接关系,所以我们将它与其他章节分开。
Kubernetes Misconfiguration: Unbound Controller Manager
Abstract
Kubernetes 控制器管理器接受外部连接。
Explanation
Kubernetes 控制器管理器监控群集的状态,并在需要时更改群集管理的任何资源。默认情况下,控制器管理器接受来自外部连接的请求。通过外部连接,攻击者可以访问安全敏感但保护充分的 API。
示例 1:以下配置将启动未设置绑定地址的 Kubernetes 控制器管理器。
示例 1:以下配置将启动未设置绑定地址的 Kubernetes 控制器管理器。
...
spec:
containers:
- command:
- kube-controller-manager
- --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf
- --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf
image: example.domain/kube-controller-manager:v1.9.7
imagePullPolicy: IfNotPresent
...
References
[1] Kubernetes controller manager The Kubernetes Authors
[2] Standards Mapping - CIS Kubernetes Benchmark Recommendation 1.3.7
[3] Standards Mapping - Common Weakness Enumeration CWE ID 20
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[9] Standards Mapping - FIPS200 CM
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[14] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[15] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[29] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 020
[30] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.yaml.kubernetes_misconfiguration_unbound_controller_manager