
Kubernetes Kubelet must deny hostname override.


Overview

Finding ID: V-242404
Version: CNTR-K8-000850
Rule ID: SV-242404r863980_rule
IA Controls:
Severity: Medium
Description
Kubernetes allows hostnames to be overridden. Enabling this feature on the kubelets may break the TLS setup between the kubelet service and the API server. The setting can also make it difficult to associate logs with nodes when security analytics are needed. The better practice is to set up nodes with resolvable FQDNs and avoid overriding hostnames.
STIG: Kubernetes Security Technical Implementation Guide
Date: 2022-12-02

Details

Check Text (C-45679r863809_chk)
On the Kubernetes Control Plane and Worker nodes, run the command:
ps -ef | grep kubelet

Check the config file (path identified by: --config):

Change to the directory identified by --config (for example, /etc/sysconfig/) and run the command:
grep -i hostname-override kubelet

If any of the nodes have the setting "hostname-override" present, this is a finding.
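
The check above can be scripted. The following is an added example, not part of the STIG text: it extracts the --config path from a kubelet command line and runs the same case-insensitive grep, and it goes one step beyond the check by also flagging --hostname-override passed directly on the command line. The function names, the optional root-prefix argument and the fixture contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: automate the V-242404 check for one kubelet command line.

# Print the --config value ("--config=PATH" or "--config PATH"), if any.
kubelet_config_path() (
    set -f                      # no globbing while word-splitting $1
    set -- $1
    while [ $# -gt 0 ]; do
        case $1 in
            --config=*) printf '%s\n' "${1#--config=}"; break ;;
            --config)   [ $# -lt 2 ] || printf '%s\n' "$2"; break ;;
        esac
        shift
    done
)

# Exit status: 0 = no finding, 1 = finding, 2 = config file unreadable.
# $2 is an optional root prefix (assumption: lets the check run against a
# mounted node filesystem or a test fixture instead of the live node).
audit_hostname_override() {
    cmdline=$1 root=${2:-} status=0
    # Beyond the page's grep: the flag may also be passed directly.
    if printf '%s\n' "$cmdline" | grep -qi -e '--hostname-override'; then
        echo "FINDING: --hostname-override on the kubelet command line"
        status=1
    fi
    cfg=$(kubelet_config_path "$cmdline")
    if [ -z "$cfg" ]; then
        echo "NOTE: no --config flag on the command line"
    elif [ ! -r "$root$cfg" ]; then
        echo "ERROR: cannot read $root$cfg"
        return 2
    # Same match as the page's grep, so commented-out lines also count.
    elif grep -i -n -e 'hostname-override' "$root$cfg"; then
        echo "FINDING: hostname-override present in $cfg"
        status=1
    fi
    return "$status"
}

# Demo on a constructed fixture (not taken from a real node).
demo() {
    tmp=$(mktemp -d) && mkdir -p "$tmp/etc/sysconfig"
    echo 'KUBELET_EXTRA_ARGS="--hostname-override=node-a"' >"$tmp/etc/sysconfig/kubelet"
    audit_hostname_override "/usr/bin/kubelet --config=/etc/sysconfig/kubelet" "$tmp"
    rc=$?; rm -rf "$tmp"; return "$rc"
}
demo || echo "audit exit status: $?"
# On a node: audit_hostname_override "$(ps -eo args | grep '[k]ubelet ' | head -n 1)"
```

A non-zero exit status lets the script gate a node-compliance job; status 2 means the check could not be completed and should not be read as a pass.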
Fix Text (F-45637r863810_fix)
Edit the kubelet file on each node under the --config directory and remove the hostname-override setting.

Restart the kubelet service using the following command:
service kubelet restart