An ACK cluster is considered "compliant" if no public endpoint is configured.
Scenarios
Configuring a public endpoint for an ACK cluster exposes resource objects such as pods, services, and ReplicaControllers to attacks from the public network. To reduce this risk, do not configure a public endpoint.
Risk level
Default risk level: High.
You can change the risk level as needed.
Detection logic
-
An ACK cluster is considered "compliant" if no public endpoint is configured.
-
An ACK cluster is considered "non-compliant" if it has a public endpoint configured. For more information about how to fix this issue, see Remediation.
Rule details
|
Parameter |
Description |
|
Rule name |
Public endpoint is not configured for the ACK cluster |
|
Rule identifier |
ack-cluster-public-endpoint-check |
|
Tag |
ACK |
|
Automatic remediation |
Not supported |
|
Rule trigger mechanism |
Scheduled execution |
|
Trigger frequency |
24 hours |
|
Supported rule types |
ACK cluster |
|
Input parameters |
None |
Remediation
Detach the Elastic IP Address (EIP) from the ACK cluster. For more information, see Access the API server over the internet.