UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Kubernetes must have a Pod Security Admission feature gate set.


Overview

Finding ID Version Rule ID IA Controls Severity
V-254801 CNTR-K8-002001 SV-254801r864044_rule High
Description
"In order to implement Pod Security Admission controller feature gates must be enabled. Feature gates are a set of key=value pairs that describe Kubernetes features. You can turn these features on or off using the --feature-gates command line flag on each Kubernetes component."
STIG Date
Kubernetes Security Technical Implementation Guide 2022-12-02

Details

Check Text ( C-58412r863729_chk )
Check Static Pods:
On the Control Plane, change to the manifests' directory at /etc/kubernetes/manifests and run the command:

grep -i PodSecurity=true *

Ensure the argument "--feature-gates=PodSecurity=true" is present in each manifest file.

If kube-apiserver, kube-controller-manager or kube-schedule is missing the argument "--feature-gates=PodSecurity=true", this is a finding.

Check Kubelet:
Run the following command on each Worker Node:
ps -ef | grep kubelet

Verify that the "--feature-gates=PodSecurity=true" argument exists. If it doesn't exisit, this is a finding.

Check Control Plane Kubelet config file:
On the Kubernetes Control Plane, run the command:
ps -ef | grep kubelet
Check the config file (path identified by: --config).

Verify that the "--feature-gates=PodSecurity=true" argument exists. If it doesn't exisit, this is a finding.
Fix Text (F-58358r863730_fix)
Add the "--feature-gates=PodSecurity=true" argument to every component of Kubernetes.

kube-apiserver, kube-controller-manager and kube-scheduler:
These components are started as static pods, you can find their manifests in the /etc/kubernetes/manifests/ folder.
add "--feature-gates=PodSecurity=true" argument in each of the files.

Kubelet:
Edit the Kubernetes Kubelet file in the --config directory on the Kubernetes Control Plane:
Add "--feature-gates=PodSecurity=true"

Reset Kubelet service using the following command:
service kubelet restart

Note: if your cluster has multiple nodes you will need to make the changes on every node where the components are deployed.