Kubernetes Kubelet must enable kernel protection.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-242434	CNTR-K8-001620	SV-242434r712658_rule		High

Description
System kernel is responsible for memory, disk, and task management. The kernel provides a gateway between the system hardware and software. Kubernetes requires kernel access to allocate resources to the Control Plane. Threat actors that penetrate the system kernel can inject malicious code or hijack the Kubernetes architecture. It is vital to implement protections through Kubernetes components to reduce the attack surface.

Description

System kernel is responsible for memory, disk, and task management. The kernel provides a gateway between the system hardware and software. Kubernetes requires kernel access to allocate resources to the Control Plane. Threat actors that penetrate the system kernel can inject malicious code or hijack the Kubernetes architecture. It is vital to implement protections through Kubernetes components to reduce the attack surface.

STIG	Date
Kubernetes Security Technical Implementation Guide	2021-11-22

Details

Check Text ( C-45709r712656_chk )
Change to the /etc/sysconfig/ directory on the Kubernetes Master Node. Run the command: grep -i protect-kernel-defaults kubelet If the setting "protect-kernel-defaults" is set to false or not set in the Kubernetes Kubelet, this is a finding.

Fix Text (F-45667r712657_fix)
Edit the Kubernetes Kuberlet file in the /etc/sysconfig directory on the Kubernetes Master Node. Set the argument "--protect-kernel-defaults" to "true". Reset Kubelet service using the following command: service kubelet restart