
MKE must be configured to integrate with an Enterprise Identity Provider.


Overview

Finding ID: V-260909
Version: CNTR-MK-000030
Rule ID: SV-260909r966084_rule
IA Controls: (none listed)
Severity: Medium
Description
Configuring MKE to integrate with an Enterprise Identity Provider enhances security, simplifies user management, ensures compliance, provides auditing capabilities, and offers a more seamless and consistent user experience. It aligns MKE with enterprise standards and contributes to a more efficient and secure environment.
STIG: Mirantis Kubernetes Engine Security Technical Implementation Guide
Date: 2024-04-10

Details

Check Text (C-64638r966082_chk)
Verify that Enterprise Identity Provider integration is enabled and properly configured in the MKE Admin Settings.

1. Log in to the MKE web UI and navigate to admin >> Admin Settings >> Authentication & Authorization.

If LDAP or SAML are not set to "Enabled", this is a finding.

2. Identity Provider configurations:
When using LDAP, ensure the following are set:
- LDAP/AD server's URL.
- Reader DN.
- Reader Password.

When using SAML:
In the "SAML IdP Server" section, ensure the following:
- URL for the identity provider exists in the "IdP Metadata URL" field.
- Skip TLS Verification is unchecked.
- Root Certificate Bundle is filled.

In the "SAML Service Provider" section, ensure the MKE Host field has the MKE UI IP address.

If the Identity Provider configurations do not match the System Security Plan (SSP), this is a finding.
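The check above is a list of conditions an assessor evaluates by eye in the Admin Settings page. The following is an added example (not part of the STIG or of Mirantis tooling) that encodes those same conditions as an audit script, so an administrator who has transcribed the Authentication & Authorization settings into a small dictionary can evaluate them repeatably and also compare the server/IdP values against what the System Security Plan records. The dictionary layout and key names (`ldap`, `saml`, `server_url`, `idp_metadata_url`, and so on) are an assumption mirroring the field labels the check text names; they are not an MKE export format.

```python
"""Audit an MKE Authentication & Authorization settings snapshot against the
conditions in STIG rule CNTR-MK-000030 (V-260909).

Added example, not STIG or Mirantis code. The settings layout is an
assumption: keys mirror the field labels named in the check text, as an
administrator might transcribe them from the Admin Settings page.
"""
from urllib.parse import urlparse


def _nonempty(value) -> bool:
    """True when a field holds a non-blank string."""
    return isinstance(value, str) and value.strip() != ""


def _is_https_url(value) -> bool:
    """The fix text requires the LDAP/AD server URL to be https."""
    if not _nonempty(value):
        return False
    parsed = urlparse(value.strip())
    return parsed.scheme == "https" and bool(parsed.netloc)


def audit_auth_settings(settings: dict) -> list:
    """Return the list of findings; an empty list means the check passes."""
    findings = []
    ldap = settings.get("ldap", {})
    saml = settings.get("saml", {})
    ldap_on = ldap.get("enabled") is True
    saml_on = saml.get("enabled") is True

    # Step 1: at least one of LDAP or SAML must be set to "Enabled".
    if not (ldap_on or saml_on):
        findings.append("Neither LDAP nor SAML is set to Enabled")
        return findings

    # Step 2 (LDAP): server URL, Reader DN and Reader Password must be set.
    if ldap_on:
        if not _is_https_url(ldap.get("server_url")):
            findings.append("LDAP Server URL missing or not https")
        if not _nonempty(ldap.get("reader_dn")):
            findings.append("LDAP Reader DN not set")
        if not _nonempty(ldap.get("reader_password")):
            findings.append("LDAP Reader Password not set")

    # Step 2 (SAML): IdP metadata URL present, TLS verification kept on,
    # root certificate bundle supplied, MKE Host set for the SP section.
    if saml_on:
        if not _nonempty(saml.get("idp_metadata_url")):
            findings.append("SAML IdP Metadata URL not set")
        if saml.get("skip_tls_verification"):
            findings.append("SAML Skip TLS Verification is checked")
        if not _nonempty(saml.get("root_certificate_bundle")):
            findings.append("SAML Root Certificate Bundle not filled")
        if not _nonempty(saml.get("mke_host")):
            findings.append("SAML Service Provider MKE Host not set")

    return findings


def compare_to_ssp(settings: dict, ssp: dict) -> list:
    """Return dotted keys ("ldap.server_url") whose live value differs from
    the value the System Security Plan records."""
    mismatches = []
    for dotted_key, expected in ssp.items():
        section, field = dotted_key.split(".", 1)
        if settings.get(section, {}).get(field) != expected:
            mismatches.append(dotted_key)
    return mismatches


# Constructed sample snapshots (hostnames and values are placeholders).
COMPLIANT = {
    "ldap": {"enabled": True, "server_url": "https://ad.example.test:636",
             "reader_dn": "cn=mke-reader,ou=svc,dc=example,dc=test",
             "reader_password": "placeholder-secret"},
    "saml": {"enabled": True,
             "idp_metadata_url": "https://idp.example.test/metadata",
             "skip_tls_verification": False,
             "root_certificate_bundle": "-----BEGIN CERTIFICATE-----...",
             "mke_host": "10.0.0.10"},
}
NONCOMPLIANT = {
    "ldap": {"enabled": True, "server_url": "ldap://ad.example.test:389",
             "reader_dn": "cn=mke-reader,ou=svc,dc=example,dc=test",
             "reader_password": ""},
    "saml": {"enabled": True,
             "idp_metadata_url": "https://idp.example.test/metadata",
             "skip_tls_verification": True,
             "root_certificate_bundle": "",
             "mke_host": "10.0.0.10"},
}
DISABLED = {"ldap": {"enabled": False}, "saml": {"enabled": False}}
SSP = {"ldap.server_url": "https://ad.example.test:636",
       "saml.idp_metadata_url": "https://idp.example.test/metadata",
       "saml.mke_host": "10.0.0.10"}

if __name__ == "__main__":
    for name, snap in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT),
                       ("disabled", DISABLED)):
        print(name, audit_auth_settings(snap), compare_to_ssp(snap, SSP))
```

Running the module prints an empty finding list for the compliant snapshot, four findings for the non-compliant one (plain-text LDAP URL, empty reader password, TLS verification skipped, missing certificate bundle) plus an SSP mismatch on the LDAP URL, and a single finding for the snapshot with both providers disabled.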
Fix Text (F-64546r966083_fix)
To configure the Identity Provider:
Log in to the MKE web UI and navigate to admin >> Admin Settings >> Authentication & Authorization >> Identity Provider Integration section.

To configure LDAP:
Click the radio button to set LDAP to "Enabled".

In the "LDAP Server" subsection set the following:
- "LDAP Server URL" to the URL for the organization's AD or LDAP server (URL must be https).
- "Reader DN" with the DN of the account used to search the LDAP entries.
- "Reader Password" with the password for the Reader account.

Click "Save".

To configure SAML:
Click the radio button to set SAML to "Enabled".

Enter the URL in the "Service Provider Metadata URL" field.

Upload the certificate bundle for the IdP in "Root Certificates Bundle".

In the "SAML Service Provider" section, enter the "MKE IP address" in the MKE Host field.

Click "Save".