Kubernetes Security Technical Implementation Guide

Description

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]

Details

Version / Release: V1R8

Published: 2022-12-02

Updated At: 2023-01-25 00:41:50

Compare/View Releases

Select any two versions of this STIG to compare the individual requirements

Select any old version/release of this STIG to view the previous requirements

Actions

Download

Filter

Findings
Severity Open Not Reviewed Not Applicable Not a Finding
Overall 0 0 0 0
Low 0 0 0 0
Medium 0 0 0 0
High 0 0 0 0
Drop CKL or SCAP (XCCDF) results here.

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-242376r863952_rule CNTR-K8-000150 CCI-000068 MEDIUM The Kubernetes Controller Manager must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination. The Kubernetes Controller Manager will prohibit the use of SSL and unauthorized versions of TLS protocols to properly secure communication. The use of unsupported protocol exposes vulnerabilities to the Kubernetes by rogue traffic interceptions, man-in-t
    SV-242377r863953_rule CNTR-K8-000160 CCI-000068 MEDIUM The Kubernetes Scheduler must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination. The Kubernetes Scheduler will prohibit the use of SSL and unauthorized versions of TLS protocols to properly secure communication. The use of unsupported protocol exposes vulnerabilities to the Kubernetes by rogue traffic interceptions, man-in-the-middle
    SV-242378r863954_rule CNTR-K8-000170 CCI-000068 MEDIUM The Kubernetes API Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination. The Kubernetes API Server will prohibit the use of SSL and unauthorized versions of TLS protocols to properly secure communication. The use of unsupported protocol exposes vulnerabilities to the Kubernetes by rogue traffic interceptions, man-in-the-middl
    SV-242379r863955_rule CNTR-K8-000180 CCI-000068 MEDIUM The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination. Kubernetes etcd will prohibit the use of SSL and unauthorized versions of TLS protocols to properly secure communication. The use of unsupported protocol exposes vulnerabilities to the Kubernetes by rogue traffic interceptions, man-in-the-middle attacks,
    SV-242380r863956_rule CNTR-K8-000190 CCI-000068 MEDIUM The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination. The Kubernetes API Server will prohibit the use of SSL and unauthorized versions of TLS protocols to properly secure communication. The use of unsupported protocol exposes vulnerabilities to the Kubernetes by rogue traffic interceptions, man-in-the-middl
    SV-242381r863957_rule CNTR-K8-000220 CCI-000015 HIGH The Kubernetes Controller Manager must create unique service accounts for each work payload. The Kubernetes Controller Manager is a background process that embeds core control loops regulating cluster system state through the API Server. Every process executed in a pod has an associated service account. By default, service accounts use the same c
    SV-242382r863958_rule CNTR-K8-000270 CCI-000213 MEDIUM The Kubernetes API Server must enable Node,RBAC as the authorization mode. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., networks, web servers, and web portals) must be properly configured to incorporate access cont
    SV-242383r863959_rule CNTR-K8-000290 CCI-000366 HIGH User-managed resources must be created in dedicated namespaces. Creating namespaces for user-managed resources is important when implementing Role-Based Access Controls (RBAC). RBAC allows for the authorization of users and helps support proper API server permissions separation and network micro segmentation. If user-
    SV-242384r863960_rule CNTR-K8-000300 CCI-000213 MEDIUM The Kubernetes Scheduler must have secure binding. Limiting the number of attack vectors and implementing authentication and encryption on the endpoints available to external sources is paramount when securing the overall Kubernetes cluster. The Scheduler API service exposes port 10251/TCP by default for
    SV-242385r863961_rule CNTR-K8-000310 CCI-000213 MEDIUM The Kubernetes Controller Manager must have secure binding. Limiting the number of attack vectors and implementing authentication and encryption on the endpoints available to external sources is paramount when securing the overall Kubernetes cluster. The Controller Manager API service exposes port 10252/TCP by def
    SV-242386r863962_rule CNTR-K8-000320 CCI-000213 HIGH The Kubernetes API server must have the insecure port flag disabled. By default, the API server will listen on two ports. One port is the secure port and the other port is called the "localhost port". This port is also called the "insecure port", port 8080. Any requests to this port bypass authentication and authorization
    SV-242387r863963_rule CNTR-K8-000330 CCI-000213 HIGH The Kubernetes Kubelet must have the read-only port flag disabled. Kubelet serves a small REST API with read access to port 10255. The read-only port for Kubernetes provides no authentication or authorization security control. Providing unrestricted access on port 10255 exposes Kubernetes pods and containers to malicious
    SV-242388r863964_rule CNTR-K8-000340 CCI-000213 HIGH The Kubernetes API server must have the insecure bind address not set. By default, the API server will listen on two ports and addresses. One address is the secure address and the other address is called the "insecure bind" address and is set by default to localhost. Any requests to this address bypass authentication and aut
    SV-242389r863965_rule CNTR-K8-000350 CCI-000213 MEDIUM The Kubernetes API server must have the secure port set. By default, the API server will listen on what is rightfully called the secure port, port 6443. Any requests to this port will perform authentication and authorization checks. If this port is disabled, anyone who gains access to the host on which the Cont
    SV-242390r863966_rule CNTR-K8-000360 CCI-000213 HIGH The Kubernetes API server must have anonymous authentication disabled. The Kubernetes API Server controls Kubernetes via an API interface. A user who has access to the API essentially has root access to the entire Kubernetes cluster. To control access, users must be authenticated and authorized. By allowing anonymous connect
    SV-242391r863967_rule CNTR-K8-000370 CCI-000213 HIGH The Kubernetes Kubelet must have anonymous authentication disabled. A user who has access to the Kubelet essentially has root access to the nodes contained within the Kubernetes Control Plane. To control access, users must be authenticated and authorized. By allowing anonymous connections, the controls put in place to sec
    SV-242392r863968_rule CNTR-K8-000380 CCI-000213 HIGH The Kubernetes kubelet must enable explicit authorization. Kubelet is the primary agent on each node. The API server communicates with each kubelet to perform tasks such as starting/stopping pods. By default, kubelets allow all authenticated requests, even anonymous ones, without requiring any authorization check
    SV-242393r863969_rule CNTR-K8-000400 CCI-000213 MEDIUM Kubernetes Worker Nodes must not have sshd service running. Worker Nodes are maintained and monitored by the Control Plane. Direct access and manipulation of the nodes should not take place by administrators. Worker nodes should be treated as immutable and updated via replacement rather than in-place upgrades.
    SV-242394r863970_rule CNTR-K8-000410 CCI-000213 MEDIUM Kubernetes Worker Nodes must not have the sshd service enabled. Worker Nodes are maintained and monitored by the Control Plane. Direct access and manipulation of the nodes must not take place by administrators. Worker nodes must be treated as immutable and updated via replacement rather than in-place upgrades.
    SV-242395r863971_rule CNTR-K8-000420 CCI-000213 MEDIUM Kubernetes dashboard must not be enabled. While the Kubernetes dashboard is not inherently insecure on its own, it is often coupled with a misconfiguration of Role-Based Access control (RBAC) permissions that can unintentionally over-grant access. It is not commonly protected with "NetworkPolicie
    SV-242396r863972_rule CNTR-K8-000430 CCI-000213 MEDIUM Kubernetes Kubectl cp command must give expected access and results. One of the tools heavily used to interact with containers in the Kubernetes cluster is kubectl. The command is the tool System Administrators used to create, modify, and delete resources. One of the capabilities of the tool is to copy files to and from ru
    SV-242397r863973_rule CNTR-K8-000440 CCI-000213 HIGH The Kubernetes kubelet static PodPath must not enable static pods. Allowing kubelet to set a staticPodPath gives containers with root access permissions to traverse the hosting filesystem. The danger comes when the container can create a manifest file within the /etc/kubernetes/manifests directory. When a manifest is cre
    SV-242398r863974_rule CNTR-K8-000450 CCI-000213 MEDIUM Kubernetes DynamicAuditing must not be enabled. Protecting the audit data from change or deletion is important when an attack occurs. One way an attacker can cover their tracks is to change or delete audit records. This will either make the attack unnoticeable or make it more difficult to investigate h
    SV-242399r863975_rule CNTR-K8-000460 CCI-000213 MEDIUM Kubernetes DynamicKubeletConfig must not be enabled. Kubernetes allows a user to configure kubelets with dynamic configurations. When dynamic configuration is used, the kubelet will watch for changes to the configuration file. When changes are made, the kubelet will automatically restart. Allowing this capa
    SV-242400r863976_rule CNTR-K8-000470 CCI-000213 MEDIUM The Kubernetes API server must have Alpha APIs disabled. Kubernetes allows alpha API calls within the API server. The alpha features are disabled by default since they are not ready for production and likely to change without notice. These features may also contain security issues that are rectified as the feat
    SV-242401r863977_rule CNTR-K8-000600 CCI-001464 MEDIUM The Kubernetes API Server must have an audit policy set. When Kubernetes is started, components and user services are started. For auditing startup events, and events for components and services, it is important that auditing begin on startup. Within Kubernetes, audit data for all components is generated by the
    SV-242402r863978_rule CNTR-K8-000610 CCI-001464 MEDIUM The Kubernetes API Server must have an audit log path set. When Kubernetes is started, components and user services are started for auditing startup events, and events for components and services, it is important that auditing begin on startup. Within Kubernetes, audit data for all components is generated by the
    SV-242403r863979_rule CNTR-K8-000700 CCI-000018 MEDIUM Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event. Within Kubernetes, audit data for all components is generated by the API server. This audit data is important when there are issues, to include security incidents that must be investigated. To make the audit data worthwhile for the investigation of events
    SV-242404r863980_rule CNTR-K8-000850 CCI-001499 MEDIUM Kubernetes Kubelet must deny hostname override. Kubernetes allows for the overriding of hostnames. Allowing this feature to be implemented within the kubelets may break the TLS setup between the kubelet service and the API server. This setting also can make it difficult to associate logs with nodes if
    SV-242405r863981_rule CNTR-K8-000860 CCI-001499 MEDIUM The Kubernetes manifests must be owned by root. The manifest files contain the runtime configuration of the API server, proxy, scheduler, controller, and etcd. If an attacker can gain access to these files, changes can be made to open vulnerabilities and bypass user authorizations inherit within Kubern
    SV-242406r863982_rule CNTR-K8-000880 CCI-001499 MEDIUM The Kubernetes kubelet configuration file must be owned by root. The kubelet configuration file contains the runtime configuration of the kubelet service. If an attacker can gain access to this file, changes can be made to open vulnerabilities and bypass user authorizations inherent within Kubernetes with RBAC implemen
    SV-242407r863983_rule CNTR-K8-000890 CCI-001499 MEDIUM The Kubernetes kubelet configuration files must have file permissions set to 644 or more restrictive. The kubelet configuration file contains the runtime configuration of the kubelet service. If an attacker can gain access to this file, changes can be made to open vulnerabilities and bypass user authorizations inherit within Kubernetes with RBAC implement
    SV-242408r863984_rule CNTR-K8-000900 CCI-001499 MEDIUM The Kubernetes manifests must have least privileges. The manifest files contain the runtime configuration of the API server, scheduler, controller, and etcd. If an attacker can gain access to these files, changes can be made to open vulnerabilities and bypass user authorizations inherent within Kubernetes w
    SV-242409r863985_rule CNTR-K8-000910 CCI-000381 MEDIUM Kubernetes Controller Manager must disable profiling. Kubernetes profiling provides the ability to analyze and troubleshoot Controller Manager events over a web interface on a host port. Enabling this service can expose details about the Kubernetes architecture. This service must not be enabled unless deemed
    SV-242410r863986_rule CNTR-K8-000920 CCI-000382 MEDIUM The Kubernetes API Server must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL). Kubernetes API Server PPSs must be controlled and conform to the PPSM CAL. Those PPS that fall outside the PPSM CAL must be blocked. Instructions on the PPSM can be found in DoD Instruction 8551.01 Policy.
    SV-242411r863987_rule CNTR-K8-000930 CCI-000382 MEDIUM The Kubernetes Scheduler must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL). Kubernetes Scheduler PPS must be controlled and conform to the PPSM CAL. Those ports, protocols, and services that fall outside the PPSM CAL must be blocked. Instructions on the PPSM can be found in DoD Instruction 8551.01 Policy.
    SV-242412r863988_rule CNTR-K8-000940 CCI-000382 MEDIUM The Kubernetes Controllers must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL). Kubernetes Controller ports, protocols, and services must be controlled and conform to the PPSM CAL. Those PPS that fall outside the PPSM CAL must be blocked. Instructions on the PPSM can be found in DoD Instruction 8551.01 Policy.
    SV-242413r863989_rule CNTR-K8-000950 CCI-000382 MEDIUM The Kubernetes etcd must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL). Kubernetes etcd PPS must be controlled and conform to the PPSM CAL. Those PPS that fall outside the PPSM CAL must be blocked. Instructions on the PPSM can be found in DoD Instruction 8551.01 Policy.
    SV-242414r863990_rule CNTR-K8-000960 CCI-000382 MEDIUM The Kubernetes cluster must use non-privileged host ports for user pods. Privileged ports are those ports below 1024 and that require system privileges for their use. If containers can use these ports, the container must be run as a privileged user. Kubernetes must stop containers that try to map to these ports directly. Allow
    SV-242415r863991_rule CNTR-K8-001160 CCI-000196 HIGH Secrets in Kubernetes must not be stored as environment variables. Secrets, such as passwords, keys, tokens, and certificates should not be stored as environment variables. These environment variables are accessible inside Kubernetes by the "Get Pod" API call, and by any system, such as CI/CD pipeline, which has access t
    SV-242417r863992_rule CNTR-K8-001360 CCI-001082 MEDIUM Kubernetes must separate user functionality. Separating user functionality from management functionality is a requirement for all the components within the Kubernetes Control Plane. Without the separation, users may have access to management functions that can degrade the Kubernetes architecture and
    SV-242418r863993_rule CNTR-K8-001400 CCI-001184 MEDIUM The Kubernetes API server must use approved cipher suites. The Kubernetes API server communicates to the kubelet service on the nodes to deploy, update, and delete resources. If an attacker were able to get between this communication and modify the request, the Kubernetes cluster could be compromised. Using appro
    SV-242419r863994_rule CNTR-K8-001410 CCI-001184 MEDIUM Kubernetes API Server must have the SSL Certificate Authority set. Kubernetes control plane and external communication is managed by API Server. The main implementation of the API Server is to manage hardware resources for pods and containers using horizontal or vertical scaling. Anyone who can access the API Server can
    SV-242420r863995_rule CNTR-K8-001420 CCI-001184 MEDIUM Kubernetes Kubelet must have the SSL Certificate Authority set. Kubernetes container and pod configuration are maintained by Kubelet. Kubelet agents register nodes with the API Server, mount volume storage, and perform health checks for containers and pods. Anyone who gains access to Kubelet agents can effectively con
    SV-242421r863996_rule CNTR-K8-001430 CCI-001184 MEDIUM Kubernetes Controller Manager must have the SSL Certificate Authority set. The Kubernetes Controller Manager is responsible for creating service accounts and tokens for the API Server, maintaining the correct number of pods for every replication controller and provides notifications when nodes are offline. Anyone who gains ac
    SV-242422r863997_rule CNTR-K8-001440 CCI-001184 MEDIUM Kubernetes API Server must have a certificate for communication. Kubernetes control plane and external communication is managed by API Server. The main implementation of the API Server is to manage hardware resources for pods and container using horizontal or vertical scaling. Anyone who can access the API Server can e
    SV-242423r863998_rule CNTR-K8-001450 CCI-001184 MEDIUM Kubernetes etcd must enable client authentication to secure service. Kubernetes container and pod configuration are maintained by Kubelet. Kubelet agents register nodes with the API Server, mount volume storage, and perform health checks for containers and pods. Anyone who gains access to Kubelet agents can effectively con
    SV-242424r863999_rule CNTR-K8-001460 CCI-001184 MEDIUM Kubernetes Kubelet must enable tls-private-key-file for client authentication to secure service. Kubernetes container and pod configuration are maintained by Kubelet. Kubelet agents register nodes with the API Server, mount volume storage, and perform health checks for containers and pods. Anyone who gains access to Kubelet agents can effectively con
    SV-242425r864000_rule CNTR-K8-001470 CCI-001184 MEDIUM Kubernetes Kubelet must enable tls-cert-file for client authentication to secure service. Kubernetes container and pod configuration are maintained by Kubelet. Kubelet agents register nodes with the API Server, mount volume storage, and perform health checks for containers and pods. Anyone who gains access to Kubelet agents can effectively con
    SV-242426r864001_rule CNTR-K8-001480 CCI-001184 MEDIUM Kubernetes etcd must enable client authentication to secure service. Kubernetes container and pod configuration are maintained by Kubelet. Kubelet agents register nodes with the API Server, mount volume storage, and perform health checks for containers and pods. Anyone who gains access to Kubelet agents can effectively con
    SV-242427r864002_rule CNTR-K8-001490 CCI-001184 MEDIUM Kubernetes etcd must have a key file for secure communication. Kubernetes stores configuration and state information in a distributed key-value store called etcd. Anyone who can write to etcd can effectively control the Kubernetes cluster. Even just reading the contents of etcd could easily provide helpful hints to a
    SV-242428r864003_rule CNTR-K8-001500 CCI-001184 MEDIUM Kubernetes etcd must have a certificate for communication. Kubernetes stores configuration and state information in a distributed key-value store called etcd. Anyone who can write to etcd can effectively control a Kubernetes cluster. Even just reading the contents of etcd could easily provide helpful hints to a w
    SV-242429r864004_rule CNTR-K8-001510 CCI-001184 MEDIUM Kubernetes etcd must have the SSL Certificate Authority set. Kubernetes stores configuration and state information in a distributed key-value store called etcd. Anyone who can write to etcd can effectively control a Kubernetes cluster. Even just reading the contents of etcd could easily provide helpful hints to a w
    SV-242430r864005_rule CNTR-K8-001520 CCI-001184 MEDIUM Kubernetes etcd must have a certificate for communication. Kubernetes stores configuration and state information in a distributed key-value store called etcd. Anyone who can write to etcd can effectively control your Kubernetes cluster. Even just reading the contents of etcd could easily provide helpful hints to
    SV-242431r864006_rule CNTR-K8-001530 CCI-001184 MEDIUM Kubernetes etcd must have a key file for secure communication. Kubernetes stores configuration and state information in a distributed key-value store called etcd. Anyone who can write to etcd can effectively control a Kubernetes cluster. Even just reading the contents of etcd could easily provide helpful hints to a w
    SV-242432r864007_rule CNTR-K8-001540 CCI-001184 MEDIUM Kubernetes etcd must have peer-cert-file set for secure communication. Kubernetes stores configuration and state information in a distributed key-value store called etcd. Anyone who can write to etcd can effectively control the Kubernetes cluster. Even just reading the contents of etcd could easily provide helpful hints to a
    SV-242433r864008_rule CNTR-K8-001550 CCI-001184 MEDIUM Kubernetes etcd must have a peer-key-file set for secure communication. Kubernetes stores configuration and state information in a distributed key-value store called etcd. Anyone who can write to etcd can effectively control a Kubernetes cluster. Even just reading the contents of etcd could easily provide helpful hints to a w
    SV-242434r864009_rule CNTR-K8-001620 CCI-001084 HIGH Kubernetes Kubelet must enable kernel protection. System kernel is responsible for memory, disk, and task management. The kernel provides a gateway between the system hardware and software. Kubernetes requires kernel access to allocate resources to the Control Plane. Threat actors that penetrate the syst
    SV-242435r864010_rule CNTR-K8-001990 CCI-000213 HIGH Kubernetes must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures or the installation of patches and updates. Kubernetes uses the API Server to control communication to the other services that makeup Kubernetes. The use of authorizations and not the default of "AlwaysAllow" enables the Kubernetes functions control to only the groups that need them. To control ac
    SV-242436r864011_rule CNTR-K8-002000 CCI-002263 HIGH The Kubernetes API server must have the ValidatingAdmissionWebhook enabled. Enabling the admissions webhook allows for Kubernetes to apply policies against objects that are to be created, read, updated, or deleted. By applying a pod security policy, control can be given to not allow images to be instantiated that run as the root
    SV-242437r864012_rule CNTR-K8-002010 CCI-002263 HIGH Kubernetes must have a pod security policy set. Enabling the admissions webhook allows for Kubernetes to apply policies against objects that are to be created, read, updated, or deleted. By applying a pod security policy, control can be given to not allow images to be instantiated that run as the root
    SV-242438r864013_rule CNTR-K8-002600 CCI-002415 MEDIUM Kubernetes API Server must configure timeouts to limit attack surface. Kubernetes API Server request timeouts sets the duration a request stays open before timing out. Since the API Server is the central component in the Kubernetes Control Plane, it is vital to protect this service. If request timeouts were not set, maliciou
    SV-242442r878098_rule CNTR-K8-002700 CCI-002647 MEDIUM Kubernetes must remove old components after updated versions have been installed. Previous versions of Kubernetes components that are not removed after updates have been installed may be exploited by adversaries by allowing the vulnerabilities to still exist within the cluster. It is important for Kubernetes to remove old pods when new
    SV-242443r864015_rule CNTR-K8-002720 CCI-002635 MEDIUM Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs. Kubernetes software must stay up to date with the latest patches, service packs, and hot fixes. Not updating the Kubernetes control plane will expose the organization to vulnerabilities. Flaws discovered during security assessments, continuous monitoring
    SV-242444r864016_rule CNTR-K8-003110 CCI-000366 MEDIUM The Kubernetes component manifests must be owned by root. The Kubernetes manifests are those files that contain the arguments and settings for the Control Plane services. These services are etcd, the api server, controller, proxy, and scheduler. If these files can be changed, the scheduler will be implementing t
    SV-242445r864017_rule CNTR-K8-003120 CCI-000366 MEDIUM The Kubernetes component etcd must be owned by etcd. The Kubernetes etcd key-value store provides a way to store data to the Control Plane. If these files can be changed, data to API object and the Control Plane would be compromised. The scheduler will implement the changes immediately. Many of the security
    SV-242446r864018_rule CNTR-K8-003130 CCI-000366 MEDIUM The Kubernetes conf files must be owned by root. The Kubernetes conf files contain the arguments and settings for the Control Plane services. These services are controller and scheduler. If these files can be changed, the scheduler will be implementing the changes immediately. Many of the security setti
    SV-242447r864019_rule CNTR-K8-003140 CCI-000366 MEDIUM The Kubernetes Kube Proxy must have file permissions set to 644 or more restrictive. The Kubernetes kube proxy kubeconfig contain the argument and setting for the Control Planes. These settings contain network rules for restricting network communication between pods, clusters, and networks. If these files can be changed, data traversing b
    SV-242448r864020_rule CNTR-K8-003150 CCI-000366 MEDIUM The Kubernetes Kube Proxy must be owned by root. The Kubernetes kube proxy kubeconfig contain the argument and setting for the Control Planes. These settings contain network rules for restricting network communication between pods, clusters, and networks. If these files can be changed, data traversing b
    SV-242449r864021_rule CNTR-K8-003160 CCI-000366 MEDIUM The Kubernetes Kubelet certificate authority file must have file permissions set to 644 or more restrictive. The Kubernetes kubelet certificate authority file contains settings for the Kubernetes Node TLS certificate authority. Any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity cor
    SV-242450r864022_rule CNTR-K8-003170 CCI-000366 MEDIUM The Kubernetes Kubelet certificate authority must be owned by root. The Kubernetes kube proxy kubeconfig contain the argument and setting for the Control Planes. These settings contain network rules for restricting network communication between pods, clusters, and networks. If these files can be changed, data traversing b
    SV-242451r712709_rule CNTR-K8-003180 CCI-000366 MEDIUM The Kubernetes component PKI must be owned by root. The Kubernetes PKI directory contains all certificates (.crt files) supporting secure network communications in the Kubernetes Control Plane. If these files can be modified, data traversing within the architecture components would become unsecure and comp
    SV-242452r821616_rule CNTR-K8-003190 CCI-000366 MEDIUM The Kubernetes kubelet config must have file permissions set to 644 or more restrictive. The Kubernetes kubelet agent registers nodes with the API Server, mounts volume storage for pods, and performs health checks to containers within pods. If these files can be modified, the information system would be unaware of pod or container degradation
    SV-242453r712715_rule CNTR-K8-003200 CCI-000366 MEDIUM The Kubernetes kubelet config must be owned by root. The Kubernetes kubelet agent registers nodes with the API server and performs health checks to containers within pods. If these files can be modified, the information system would be unaware of pod or container degradation. Many of the security settings w
    SV-242454r754819_rule CNTR-K8-003210 CCI-000366 MEDIUM The Kubernetes kubeadm.conf must be owned by root. The Kubernetes kubeeadm.conf contains sensitive information regarding the cluster nodes configuration. If this file can be modified, the Kubernetes Platform Plane would be degraded or compromised for malicious intent. Many of the security settings within
    SV-242455r754822_rule CNTR-K8-003220 CCI-000366 MEDIUM The Kubernetes kubeadm.conf must have file permissions set to 644 or more restrictive. The Kubernetes kubeadm.conf contains sensitive information regarding the cluster nodes configuration. If this file can be modified, the Kubernetes Platform Plane would be degraded or compromised for malicious intent. Many of the security settings within t
    SV-242456r821618_rule CNTR-K8-003230 CCI-000366 MEDIUM The Kubernetes kubelet config must have file permissions set to 644 or more restrictive. The Kubernetes kubelet agent registers nodes with the API server and performs health checks to containers within pods. If this file can be modified, the information system would be unaware of pod or container degradation.
    SV-242457r712727_rule CNTR-K8-003240 CCI-000366 MEDIUM The Kubernetes kubelet config must be owned by root. The Kubernetes kubelet agent registers nodes with the API Server and performs health checks to containers within pods. If this file can be modified, the information system would be unaware of pod or container degradation.
    SV-242458r864023_rule CNTR-K8-003250 CCI-000366 MEDIUM The Kubernetes API Server must have file permissions set to 644 or more restrictive. The Kubernetes manifests are those files that contain the arguments and settings for the Control Plane services. These services are etcd, the API Server, controller, proxy, and scheduler. If these files can be changed, the scheduler will be implementing t
    SV-242459r864024_rule CNTR-K8-003260 CCI-000366 MEDIUM The Kubernetes etcd must have file permissions set to 644 or more restrictive. The Kubernetes etcd key-value store provides a way to store data to the Control Plane. If these files can be changed, data to API object and Control Plane would be compromised.
    SV-242460r864025_rule CNTR-K8-003270 CCI-000366 MEDIUM The Kubernetes admin.conf must have file permissions set to 644 or more restrictive. The Kubernetes conf files contain the arguments and settings for the Control Plane services. These services are controller and scheduler. If these files can be changed, the scheduler will be implementing the changes immediately.
    SV-242461r864026_rule CNTR-K8-003280 CCI-000366 MEDIUM Kubernetes API Server audit logs must be enabled. Kubernetes API Server validates and configures pods and services for the API object. The REST operation provides frontend functionality to the cluster share state. Enabling audit logs provides a way to monitor and identify security risk events or misuse o
    SV-242462r864027_rule CNTR-K8-003290 CCI-000366 MEDIUM The Kubernetes API Server must be set to audit log max size. The Kubernetes API Server must be set for enough storage to retain log information over the period required. When audit logs are large in size, the monitoring service for events becomes degraded. The function of the maximum log file size is to set these l
    SV-242463r864028_rule CNTR-K8-003300 CCI-000366 MEDIUM The Kubernetes API Server must be set to audit log maximum backup. The Kubernetes API Server must set enough storage to retain logs for monitoring suspicious activity and system misconfiguration, and provide evidence for Cyber Security Investigations.
    SV-242464r864029_rule CNTR-K8-003310 CCI-000366 MEDIUM The Kubernetes API Server audit log retention must be set. The Kubernetes API Server must set enough storage to retain logs for monitoring suspicious activity and system misconfiguration, and provide evidence for Cyber Security Investigations.
    SV-242465r864030_rule CNTR-K8-003320 CCI-000366 MEDIUM The Kubernetes API Server audit log path must be set. Kubernetes API Server validates and configures pods and services for the API object. The REST operation provides frontend functionality to the cluster share state. Audit logs are necessary to provide evidence in the case the Kubernetes API Server is compr
    SV-242466r712754_rule CNTR-K8-003330 CCI-000366 MEDIUM The Kubernetes PKI CRT must have file permissions set to 644 or more restrictive. The Kubernetes PKI directory contains all certificates (.crt files) supporting secure network communications in the Kubernetes Control Plane. If these files can be modified, data traversing within the architecture components would become unsecure and comp
    SV-242467r878165_rule CNTR-K8-003340 CCI-000366 MEDIUM The Kubernetes PKI keys must have file permissions set to 600 or more restrictive. The Kubernetes PKI directory contains all certificate key files supporting secure network communications in the Kubernetes Control Plane. If these files can be modified, data traversing within the architecture components would become unsecure and compromi
    SV-242468r864031_rule CNTR-K8-003350 CCI-001453 MEDIUM The Kubernetes API Server must prohibit communication using TLS version 1.0 and 1.1, and SSL 2.0 and 3.0. The Kubernetes API Server will prohibit the use of SSL and unauthorized versions of TLS protocols to properly secure communication. The use of unsupported protocol exposes vulnerabilities to Kubernetes by rogue traffic interceptions, man-in-the middle at
    SV-245541r864032_rule CNTR-K8-001300 CCI-001133 MEDIUM Kubernetes Kubelet must not disable timeouts. Idle connections from the Kubelet can be used by unauthorized users to perform malicious activity to the nodes, pods, containers, and cluster within the Kubernetes Control Plane. Setting the streaming connection idle timeout defines the maximum time an id
    SV-245542r864033_rule CNTR-K8-002620 CCI-002448 HIGH Kubernetes API Server must disable basic authentication to protect information in transit. Kubernetes basic authentication sends and receives request containing username, uid, groups, and other fields over a clear text HTTP communication. Basic authentication does not provide any security mechanisms using encryption standards. PKI certificate-b
    SV-245543r864034_rule CNTR-K8-002630 CCI-002448 MEDIUM Kubernetes API Server must disable token authentication to protect information in transit. Kubernetes token authentication uses password known as secrets in a plaintext file. This file contains sensitive information such as token, username and user uid. This token is used by service accounts within pods to authenticate with the API Server. This
    SV-245544r864035_rule CNTR-K8-002640 CCI-002448 MEDIUM Kubernetes endpoints must use approved organizational certificate and key pair to protect information in transit. Kubernetes control plane and external communication is managed by API Server. The main implementation of the API Server is to manage hardware resources for pods and container using horizontal or vertical scaling. Anyone who can gain access to the API Serv
    SV-254800r864040_rule CNTR-K8-002011 CCI-002263 HIGH Kubernetes must have a Pod Security Admission control file configured. An admission controller intercepts and processes requests to the Kubernetes API prior to persistence of the object, but after the request is authenticated and authorized. Kubernetes (> v1.23)offers a built-in Pod Security admission controller to enforce
    SV-254801r864044_rule CNTR-K8-002001 CCI-002263 HIGH Kubernetes must have a Pod Security Admission feature gate set. "In order to implement Pod Security Admission controller feature gates must be enabled. Feature gates are a set of key=value pairs that describe Kubernetes features. You can turn these features on or off using the --feature-gates command line flag on e