
Kubernetes Kubelet must deny hostname override.


Overview

Finding ID: V-242404
Version: CNTR-K8-000850
Rule ID: SV-242404r918167_rule
IA Controls:
Severity: Medium
Description
Kubernetes allows hostnames to be overridden. Using this feature on the kubelets may break the TLS setup between the kubelet service and the API server. The setting can also make it difficult to associate logs with nodes when security analytics needs to take place. The better practice is to set up nodes with resolvable FQDNs and avoid overriding the hostnames.
STIG Date
Kubernetes Security Technical Implementation Guide 2023-08-29

Details

Check Text ( C-45679r918165_chk )
On the Control Plane and Worker nodes, run the command:
ps -ef | grep kubelet

If the option "--hostname-override" is present, this is a finding.
Fix Text (F-45637r918166_fix)
Run the command:
systemctl status kubelet
Note the path to the drop-in file.

Determine the path to the environment file(s) with the command:
grep -i EnvironmentFile <path_to_drop_in_file>

Remove the "--hostname-override" option from any environment file where it is present.

Restart the kubelet service using the following command:
systemctl daemon-reload && systemctl restart kubelet
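
The check and the file-discovery steps of the fix can be scripted as below. This is an added example, not part of the STIG text; the function names are hypothetical, and it assumes kubelet flags are passed on the command line or through systemd EnvironmentFile entries.

```shell
#!/bin/sh
# Added example (not from the STIG): scripted form of the check and of the
# "find the environment files" part of the fix. Function names are hypothetical.

# Exit 0 if a command line carries --hostname-override, written either as
# "--hostname-override=name" or as "--hostname-override name".
has_hostname_override() {
    printf '%s\n' "$1" |
        grep -Eq '(^|[[:space:]"])--hostname-override([[:space:]="]|$)'
}

# Read "ps -eo args=" style lines on stdin and print the kubelet lines that
# carry the flag. Only lines whose executable is named kubelet count, so the
# grep process itself and kube-apiserver (--kubelet-client-* flags), which
# "ps -ef | grep kubelet" also returns, are not reported.
scan_cmdlines() {
    while IFS= read -r line; do
        exe=${line%% *}
        [ "${exe##*/}" = kubelet ] || continue
        if has_hostname_override "$line"; then printf '%s\n' "$line"; fi
    done
}

# Print the EnvironmentFile= paths named in a systemd drop-in file.
# systemd permits a leading "-" (the file is optional); it is stripped.
env_files_from_dropin() {
    sed -n 's/^[[:space:]]*EnvironmentFile[[:space:]]*=[[:space:]]*-\{0,1\}//p' "$1"
}

# Print each environment file referenced by drop-in $1 that sets the flag.
# $2 is an optional root prefix, so the scan can run against a copied tree.
files_with_override() {
    env_files_from_dropin "$1" | while IFS= read -r f; do
        [ -r "${2:-}$f" ] || continue
        if grep -q -e '--hostname-override' "${2:-}$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Live use on a node:
#   ps -eo args= | scan_cmdlines
#   files_with_override <path_to_drop_in_file>
```

Any line printed by scan_cmdlines is a finding; any path printed by files_with_override is a file to edit before restarting the kubelet.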