UCF STIG Viewer Logo

Kubernetes Kubelet must deny hostname override.


Overview

Finding ID Version Rule ID IA Controls Severity
V-242404 CNTR-K8-000850 SV-242404r712568_rule Medium
Description
Kubernetes allows for the overriding of hostnames. Allowing this feature to be implemented within the kubelets may break the TLS setup between the kubelet service and the API server. This setting also can make it difficult to associate logs with nodes if security analytics needs to take place. The better practice is to setup nodes with resolvable FQDNs and avoid overriding the hostnames.
STIG Date
Kubernetes Security Technical Implementation Guide 2021-04-14

Details

Check Text ( C-45679r712566_chk )
On the Master and each Worker node, change to the /etc/sysconfig/ directory and run the command:

grep -i hostname-override kubelet
--hostname-override

If any of the nodes have the setting "hostname-override" present, this is a finding.
Fix Text (F-45637r712567_fix)
Edit the Kubernetes Kubelet file in the /etc/sysconfig directory on the Master and Worker nodes and remove the "--hostname-override" setting. Restart the service after the change is made by running:

service kubelet restart