UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Kubernetes Kubelet must enable kernel protection.


Overview

Finding ID Version Rule ID IA Controls Severity
V-242434 CNTR-K8-001620 SV-242434r918188_rule High
Description
System kernel is responsible for memory, disk, and task management. The kernel provides a gateway between the system hardware and software. Kubernetes requires kernel access to allocate resources to the Control Plane. Threat actors that penetrate the system kernel can inject malicious code or hijack the Kubernetes architecture. It is vital to implement protections through Kubernetes components to reduce the attack surface.
STIG Date
Kubernetes Security Technical Implementation Guide 2023-06-20

Details

Check Text ( C-45709r918186_chk )
On the Control Plane, run the command:
ps -ef | grep kubelet

If the "--protect-kernel-defaults" option exists, this is a finding.

Note the path to the config file (identified by --config).

Run the command:
grep -i protectKernelDefaults

If the setting "protectKernelDefaults" is not set or is set to false, this is a finding.
Fix Text (F-45667r918187_fix)
On the Control Plane, run the command:
ps -ef | grep kubelet

Remove the "--protect-kernel-defaults" option if present.

Note the path to the Kubernetes Kubelet config file (identified by --config).

Edit the Kubernetes Kubelet config file:
Set "protectKernelDefaults" to "true".

Restart the kubelet service using the following command:
systemctl daemon-reload && systemctl restart kubelet