Only required ports must be open on containers in MKE.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-260907	CNTR-MK-000640	SV-260907r966078_rule		High

Description
Ports, protocols, and services within MKE runtime must be controlled and conform to the PPSM CAL. Those ports, protocols, and services that fall outside the PPSM CAL must be blocked by the runtime. Instructions on the PPSM can be found in DOD Instruction 8551.01 Policy. A container can be run just with the ports defined in the Dockerfile for its image or can be arbitrarily passed runtime parameters to open a list of ports. A periodic review of open ports must be performed. By default, all the ports that are listed in the Dockerfile under EXPOSE instruction for an image are opened when a container is run with -P or --publish-all flag.

Description

Ports, protocols, and services within MKE runtime must be controlled and conform to the PPSM CAL. Those ports, protocols, and services that fall outside the PPSM CAL must be blocked by the runtime. Instructions on the PPSM can be found in DOD Instruction 8551.01 Policy. A container can be run just with the ports defined in the Dockerfile for its image or can be arbitrarily passed runtime parameters to open a list of ports. A periodic review of open ports must be performed. By default, all the ports that are listed in the Dockerfile under EXPOSE instruction for an image are opened when a container is run with -P or --publish-all flag.

STIG	Date
Mirantis Kubernetes Engine Security Technical Implementation Guide	2024-04-10

Details

Check Text ( C-64636r966076_chk )
This check must be executed on all nodes in an MKE cluster to ensure that mapped ports are the ones that are needed by the containers. Via CLI: Linux: As an administrator, execute the following command using a Universal Control Plane (MKE) client bundle: docker ps --quiet \| xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}' Review the list and ensure the ports mapped are those needed for the container. If there are any mapped ports not documented by the System Security Plan (SSP), this is a finding.

Check Text ( C-64636r966076_chk )

This check must be executed on all nodes in an MKE cluster to ensure that mapped ports are the ones that are needed by the containers.

Via CLI:
Linux: As an administrator, execute the following command using a Universal Control Plane (MKE) client bundle:

docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}'

Review the list and ensure the ports mapped are those needed for the container. If there are any mapped ports not documented by the System Security Plan (SSP), this is a finding.

Fix Text (F-64544r966077_fix)
Document the ports required for each container in the SSP. Fix the container image to expose only needed ports by the containerized application. Ignore the list of ports defined in the Dockerfile by NOT using -P (UPPERCASE) or --publish-all flag when starting the container. Use the -p (lowercase) or --publish flag to explicitly define the ports needed for a particular container instance. Example: docker run --interactive --tty --publish 5000 --publish 5001 --publish 5002 centos /bin/bash

Fix Text (F-64544r966077_fix)

Document the ports required for each container in the SSP.

Fix the container image to expose only needed ports by the containerized application. Ignore the list of ports defined in the Dockerfile by NOT using -P (UPPERCASE) or --publish-all flag when starting the container. Use the -p (lowercase) or --publish flag to explicitly define the ports needed for a particular container instance.

Example:
docker run --interactive --tty --publish 5000 --publish 5001 --publish 5002 centos /bin/bash