UCF STIG Viewer Logo

Kubernetes Security Technical Implementation Guide


Overview

Date Finding Count (93)
2021-06-17 CAT I (High): 15 CAT II (Med): 78 CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
V-242388 High The Kubernetes API server must have the insecure bind address not set.
V-242381 High The Kubernetes Controller Manager must create unique service accounts for each work payload.
V-242383 High User-managed resources must be created in dedicated namespaces.
V-242386 High The Kubernetes API server must have the insecure port flag disabled.
V-242387 High The Kubernetes Kubelet must have the read-only port flag disabled.
V-242392 High The Kubernetes kubelet must enable explicit authorization.
V-242391 High The Kubernetes Kubelet must have anonymous authentication disabled.
V-242390 High The Kubernetes API server must have anonymous authentication disabled.
V-242397 High The Kubernetes kubelet static PodPath must not enable static pods.
V-245542 High Kubernetes API Server must disable basic authentication to protect information in transit.
V-242415 High Secrets in Kubernetes must not be stored as environment variables.
V-242436 High The Kubernetes API server must have the ValidatingAdmissionWebhook enabled.
V-242437 High Kubernetes must have a pod security policy set.
V-242434 High Kubernetes Kubelet must enable kernel protection.
V-242435 High Kubernetes must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures or the installation of patches and updates.
V-242389 Medium The Kubernetes API server must have the secure port set.
V-242380 Medium The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.
V-242382 Medium The Kubernetes API Server must enable Node,RBAC as the authorization mode.
V-242384 Medium The Kubernetes Scheduler must have secure binding.
V-242385 Medium The Kubernetes Controller Manager must have secure binding.
V-242468 Medium The Kubernetes API Server must prohibit communication using TLS version 1.0 and 1.1, and SSL 2.0 and 3.0.
V-242461 Medium Kubernetes API Server audit logs must be enabled.
V-242460 Medium The Kubernetes admin.conf must have file permissions set to 644 or more restrictive.
V-242463 Medium The Kubernetes API Server must be set to audit log maximum backup.
V-242462 Medium The Kubernetes API Server must be set to audit log max size.
V-242465 Medium The Kubernetes API Server audit log path must be set.
V-242464 Medium The Kubernetes API Server audit log retention must be set.
V-242467 Medium The Kubernetes PKI keys must have file permissions set to 600 or more restrictive.
V-242466 Medium The Kubernetes PKI CRT must have file permissions set to 644 or more restrictive.
V-242377 Medium The Kubernetes Scheduler must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
V-242376 Medium The Kubernetes Controller Manager must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
V-242379 Medium The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.
V-242378 Medium The Kubernetes API Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
V-242399 Medium Kubernetes DynamicKubeletConfig must not be enabled.
V-242398 Medium Kubernetes DynamicAuditing must not be enabled.
V-242393 Medium Kubernetes Worker Nodes must not have sshd service running.
V-242396 Medium Kubernetes Kubectl cp command must give expected access and results.
V-242395 Medium Kubernetes dashboard must not be enabled.
V-242394 Medium Kubernetes Worker Nodes must not have the sshd service enabled.
V-245543 Medium Kubernetes API Server must disable token authentication to protect information in transit.
V-245541 Medium Kubernetes Kubelet must not disable timeouts.
V-242418 Medium The Kubernetes API server must use approved cipher suites.
V-242419 Medium Kubernetes API Server must have the SSL Certificate Authority set.
V-245544 Medium Kubernetes endpoints must use approved organizational certificate and key pair to protect information in transit.
V-242414 Medium The Kubernetes cluster must use non-privileged host ports for user pods.
V-242417 Medium Kubernetes must separate user functionality.
V-242410 Medium The Kubernetes API Server must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
V-242411 Medium The Kubernetes Scheduler must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
V-242412 Medium The Kubernetes Controllers must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
V-242413 Medium The Kubernetes etcd must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
V-242409 Medium Kubernetes Controller Manager must disable profiling.
V-242408 Medium The Kubernetes manifests must have least privileges.
V-242407 Medium The Kubernetes kubelet configuration file must be owned by root.
V-242406 Medium The Kubernetes kubelet configuration file must be owned by root.
V-242405 Medium The Kubernetes manifests must be owned by root.
V-242404 Medium Kubernetes Kubelet must deny hostname override.
V-242403 Medium Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event.
V-242402 Medium The Kubernetes API Server must have an audit log path set.
V-242401 Medium The Kubernetes API Server must have an audit policy set.
V-242400 Medium The Kubernetes API server must have Alpha APIs disabled.
V-242432 Medium Kubernetes etcd must have peer-cert-file set for secure communication.
V-242433 Medium Kubernetes etcd must have a peer-key-file set for secure communication.
V-242430 Medium Kubernetes etcd must have a certificate for communication.
V-242431 Medium Kubernetes etcd must have a key file for secure communication.
V-242438 Medium Kubernetes API Server must configure timeouts to limit attack surface.
V-242425 Medium Kubernetes Kubelet must enable tls-cert-file for client authentication to secure service.
V-242424 Medium Kubernetes Kubelet must enable tls-private-key-file for client authentication to secure service.
V-242427 Medium Kubernetes etcd must have a key file for secure communication.
V-242426 Medium Kubernetes etcd must enable client authentication to secure service.
V-242421 Medium Kubernetes Controller Manager must have the SSL Certificate Authority set.
V-242420 Medium Kubernetes Kubelet must have the SSL Certificate Authority set.
V-242423 Medium Kubernetes etcd must enable client authentication to secure service.
V-242422 Medium Kubernetes API Server must have a certificate for communication.
V-242429 Medium Kubernetes etcd must have the SSL Certificate Authority set.
V-242428 Medium Kubernetes etcd must have a certificate for communication.
V-242450 Medium The Kubernetes Kubelet certificate authority must be owned by root.
V-242451 Medium The Kubernetes component PKI must be owned by root.
V-242452 Medium The Kubernetes kubelet config must have file permissions set to 644 or more restrictive.
V-242453 Medium The Kubernetes kubelet config must be owned by root.
V-242454 Medium The Kubernetes kubeadm.conf must be owned by root.
V-242455 Medium The Kubernetes kubeadm.conf must have file permissions set to 644 or more restrictive.
V-242456 Medium The Kubernetes kubelet config must have file permissions set to 644 or more restrictive.
V-242457 Medium The Kubernetes kubelet config must be owned by root.
V-242458 Medium The Kubernetes API Server must have file permissions set to 644 or more restrictive.
V-242459 Medium The Kubernetes etcd must have file permissions set to 644 or more restrictive.
V-242443 Medium Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs.
V-242442 Medium Kubernetes must remove old components after updated versions have been installed.
V-242447 Medium The Kubernetes Kube Proxy must have file permissions set to 644 or more restrictive.
V-242446 Medium The Kubernetes conf files must be owned by root.
V-242445 Medium The Kubernetes component etcd must be owned by etcd.
V-242444 Medium The Kubernetes component manifests must be owned by root.
V-242449 Medium The Kubernetes Kubelet certificate authority file must have file permissions set to 644 or more restrictive.
V-242448 Medium The Kubernetes Kube Proxy must be owned by root.