Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-260909 | CNTR-MK-000030 | SV-260909r986168_rule | | Medium |
Description |
---|
Configuring MKE to integrate with an Enterprise Identity Provider enhances security, simplifies user management, ensures compliance, provides auditing capabilities, and offers a more seamless and consistent user experience. It aligns MKE with enterprise standards and contributes to a more efficient and secure environment. |
STIG | Date |
---|---|
Mirantis Kubernetes Engine Security Technical Implementation Guide | 2024-06-17 |
Check Text ( C-64638r966082_chk ) |
---|
Verify that Enterprise Identity Provider integration is enabled and properly configured in the MKE Admin Settings. |
1. Log in to the MKE web UI and navigate to admin >> Admin Settings >> Authentication & Authorization. If LDAP or SAML are not set to "Enabled", this is a finding. |
2. Check the Identity Provider configuration. When using LDAP, ensure the following are set: the LDAP/AD server's URL; the Reader DN; the Reader Password. |
When using SAML, in the "SAML IdP Server" section ensure that the "IdP Metadata URL" field contains the URL for the identity provider, that "Skip TLS Verification" is unchecked, and that "Root Certificate Bundle" is filled. In the "SAML Service Provider" section, ensure the MKE Host field has the MKE UI IP address. |
If the Identity Provider configuration does not match the System Security Plan (SSP), this is a finding. |
Fix Text (F-64546r986167_fix) |
---|
To configure the Identity Provider, log in to the MKE web UI and navigate to admin >> Admin Settings >> Authentication & Authorization >> Identity Provider Integration section. |
To configure LDAP: click the radio button to set LDAP to "Enabled". In the "LDAP Server" subsection, set "LDAP Server URL" to the URL of the organization's AD or LDAP server (the URL must be https), "Reader DN" to the DN of the account used to search the LDAP entries, and "Reader Password" to the password for the Reader account. Click "Save". |
To configure SAML: click the radio button to set SAML to "Enabled". Enter the URL in the "Service Provider Metadata URL" field. Upload the certificate bundle for the IdP in "Root Certificates Bundle". In the "SAML Service Provider" section, enter the MKE IP address in the "MKE Host" field. Click "Save". |
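The check and fix above can be turned into an automated compliance test once the Identity Provider settings have been exported from MKE. The following is an added example, not part of the STIG or of Mirantis' tooling: it evaluates a constructed settings dictionary whose keys mirror the UI field names named in the check text (those key names are an assumption for this example, not the real MKE configuration schema) and returns every condition that would be a finding under CNTR-MK-000030, including the fix text's requirement that the LDAP Server URL be https.

```python
from urllib.parse import urlparse

# Constructed representation of the Identity Provider settings from the MKE
# Admin Settings page. Keys mirror the UI field names in the check text; they
# are an assumption for this example, not the real MKE configuration schema.
CONSTRUCTED_SETTINGS = {
    "ldap": {
        "enabled": True,
        "server_url": "ldap://ad.example.internal:389",  # not https: a finding
        "reader_dn": "cn=mke-reader,ou=svc,dc=example,dc=internal",
        "reader_password": "<redacted>",
    },
    "saml": {
        "enabled": True,
        "idp_metadata_url": "https://idp.example.internal/metadata",
        "skip_tls_verification": True,  # must be unchecked: a finding
        "root_certificate_bundle": "",  # must be filled: a finding
        "mke_host": "10.0.0.10",
    },
}


def _missing(section, fields):
    """Name each required field that is absent or empty in a settings section."""
    return [f"{field} is not set" for field in fields if not section.get(field)]


def check_cntr_mk_000030(settings):
    """Return the list of findings; an empty list means the rule is satisfied."""
    ldap, saml = settings.get("ldap", {}), settings.get("saml", {})
    findings = []
    # Step 1 of the check: at least one provider must be set to Enabled.
    if not (ldap.get("enabled") or saml.get("enabled")):
        findings.append("neither LDAP nor SAML is set to Enabled")
    # Step 2, LDAP: URL, Reader DN and Reader Password must be set, URL must be https.
    if ldap.get("enabled"):
        findings += _missing(ldap, ["server_url", "reader_dn", "reader_password"])
        if ldap.get("server_url") and urlparse(ldap["server_url"]).scheme != "https":
            findings.append("LDAP Server URL is not https")
    # Step 2, SAML: metadata URL, certificate bundle and MKE Host must be set,
    # and TLS verification of the IdP must not be skipped.
    if saml.get("enabled"):
        findings += _missing(saml, ["idp_metadata_url", "root_certificate_bundle", "mke_host"])
        if saml.get("skip_tls_verification"):
            findings.append("Skip TLS Verification is enabled")
    return findings


if __name__ == "__main__":
    for finding in check_cntr_mk_000030(CONSTRUCTED_SETTINGS):
        print("FINDING:", finding)
```

The comparison against the System Security Plan remains a manual step, since the SSP is not machine-readable here.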