
MKE's self-signed certificates must be replaced with DOD trusted, signed certificates.


Overview

Finding ID: V-260927
Version: CNTR-MK-000610
Rule ID: SV-260927r966138_rule
IA Controls: (none listed)
Severity: Medium
Description
Self-signed certificates pose security risks, as they are not issued by a trusted third party. DOD trusted, signed certificates have undergone a validation process by a trusted CA, reducing the risk of man-in-the-middle attacks and unauthorized access. MKE uses TLS to protect sessions. Using trusted certificates ensures that only trusted sources can access the MKE cluster.
STIG: Mirantis Kubernetes Engine Security Technical Implementation Guide
Date: 2024-04-10

Details

Check Text (C-64656r966136_chk)
If Kubernetes ingress is being used, this is Not Applicable.

Check that MKE has been integrated with a trusted certificate authority (CA).

Log in to the MKE web UI and navigate to admin >> Admin Settings >> Certificates.

Click "Download MKE Server CA Certificate".

Verify that the contents of the downloaded "ca.pem" file match that of the trusted CA certificate.

If the certificate chain does not match the chain as defined by the System Security Plan (SSP), then this is a finding.
Fix Text (F-64564r966137_fix)
If Kubernetes ingress is being used, this is Not Applicable.

Integrate MKE and MSR (if used) with a trusted certificate authority (CA).

Log in to the MKE web UI and navigate to admin >> Admin Settings >> Certificates.

Either fill in the "CA Certificate" field with the contents of the external public CA certificate or upload a file.

Either fill in the "Server Certificate" and "Private Key" fields with the contents of the public/private certificates or upload a file.

The "Server Certificate" field must include both the MKE server certificate and any intermediate certificates.

Click "Save".
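The two manual steps above that a reviewer actually has to get right are comparing the downloaded ca.pem against the CA the SSP names (Check Text) and confirming that what goes into the "Server Certificate" field carries the server certificate plus its intermediates (Fix Text). The following is an added example, not Mirantis or MKE code and not part of this STIG, that performs both comparisons offline. It assumes constructed PEM bodies (base64 of short strings rather than real DER X.509, so the fingerprints are reproducible) and a placeholder SSP_CA_FINGERPRINT standing in for the fingerprint the System Security Plan records for the trusted CA.

```python
# Added example (not Mirantis/MKE code): offline checks for the certificate
# material this STIG rule refers to. Assumptions: the PEM bodies below are
# constructed placeholders, not real certificates; SSP_CA_FINGERPRINT stands
# for the value the System Security Plan records for the trusted CA.
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample data: the "CA" body is base64("abc"), the leaf is
# base64("leaf"), the intermediate is base64("intermediate"). Real files hold
# DER-encoded X.509; the parsing and fingerprinting below is the same either way.
SAMPLE_CA_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
SAMPLE_SERVER_BUNDLE_PEM = (
    "-----BEGIN CERTIFICATE-----\nbGVhZg==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\naW50ZXJtZWRpYXRl\n-----END CERTIFICATE-----\n"
)
# SHA-256 of "abc", i.e. what the SSP would record for the constructed CA above.
SSP_CA_FINGERPRINT = ("BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:"
                      "B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD")


def pem_certs_to_der(pem_text: str) -> list:
    """Split a PEM bundle into its certificates as DER bytes, in file order."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_CERT.findall(pem_text)]


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form `openssl x509 -fingerprint -sha256` prints."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def check_ca_matches_ssp(downloaded_ca_pem: str, ssp_fingerprint: str) -> tuple:
    """Check Text: the downloaded ca.pem must hold exactly one certificate whose
    fingerprint equals the one recorded in the SSP. Returns (passed, reason)."""
    ders = pem_certs_to_der(downloaded_ca_pem)
    if len(ders) != 1:
        return False, f"ca.pem should contain one certificate, found {len(ders)}"
    actual = sha256_fingerprint(ders[0])
    if actual != ssp_fingerprint.upper():
        return False, f"finding: ca.pem fingerprint {actual} is not the SSP-recorded CA"
    return True, "ca.pem matches the SSP-recorded CA fingerprint"


def check_server_bundle(server_bundle_pem: str) -> tuple:
    """Fix Text: the Server Certificate field must carry the MKE server
    certificate plus its intermediate(s), i.e. at least two distinct certificates."""
    ders = pem_certs_to_der(server_bundle_pem)
    if len(ders) < 2:
        return False, f"bundle holds {len(ders)} certificate(s); intermediates are missing"
    fingerprints = [sha256_fingerprint(d) for d in ders]
    if len(set(fingerprints)) != len(fingerprints):
        return False, "bundle repeats the same certificate"
    return True, f"bundle holds {len(ders)} certificates (server + intermediates)"


if __name__ == "__main__":
    print(check_ca_matches_ssp(SAMPLE_CA_PEM, SSP_CA_FINGERPRINT))
    print(check_server_bundle(SAMPLE_SERVER_BUNDLE_PEM))
```

On a real system, replace the constructed PEM strings with the contents of the downloaded ca.pem and of the bundle destined for the "Server Certificate" field, and take the expected fingerprint from the SSP (or from `openssl x509 -noout -fingerprint -sha256 -in <trusted-ca.pem>`). Fingerprint comparison is the right test for the Check Text because it is byte-exact on the DER: two certificates with the same subject name but different keys will not match. The bundle check only confirms that intermediates are present; whether they actually chain to the trusted CA is a separate `openssl verify -CAfile` step.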