MKE's self-signed certificates must be replaced with DOD trusted, signed certificates.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-260927	CNTR-MK-000610	SV-260927r966138_rule		Medium

Description
Self-signed certificates pose security risks, as they are not issued by a trusted third party. DOD trusted, signed certificates have undergone a validation process by a trusted CA, reducing the risk of man-in-the-middle attacks and unauthorized access. MKE uses TLS to protect sessions. Using trusted certificates ensures that only trusted sources can access the MKE cluster.

STIG	Date
Mirantis Kubernetes Engine Security Technical Implementation Guide	2024-06-17

Details

Check Text ( C-64656r966136_chk )
If Kubernetes ingress is being used, this is Not Applicable. Check that MKE has been integrated with a trusted certificate authority (CA). Log in to the MKE web UI and navigate to admin >> Admin Settings >> Certificates. Click "Download MKE Server CA Certificate". Verify that the contents of the downloaded "ca.pem" file match that of the trusted CA certificate. If the certificate chain does not match the chain as defined by the System Security Plan (SSP), then this is a finding.

Check Text ( C-64656r966136_chk )

If Kubernetes ingress is being used, this is Not Applicable.

Check that MKE has been integrated with a trusted certificate authority (CA).

Log in to the MKE web UI and navigate to admin >> Admin Settings >> Certificates.

Click "Download MKE Server CA Certificate".

Verify that the contents of the downloaded "ca.pem" file match that of the trusted CA certificate.

If the certificate chain does not match the chain as defined by the System Security Plan (SSP), then this is a finding.

Fix Text (F-64564r966137_fix)
If Kubernetes ingress is being used, this is Not Applicable. Integrate MKE and MSR (if used) with a trusted certificate authority CA. Log in to the MKE web UI and navigate to admin >> Admin Settings >> Certificates. Either fill in the "CA Certificate" field with the contents of the external public CA certificate or upload a file. Either fill in the "Server Certificate" and "Private Key" fields with the contents of the public/private certificates or upload a file. The "Server Certificate" field must include both the MKE server certificate and any intermediate certificates. Click "Save".

Fix Text (F-64564r966137_fix)

If Kubernetes ingress is being used, this is Not Applicable.

Integrate MKE and MSR (if used) with a trusted certificate authority CA.

Log in to the MKE web UI and navigate to admin >> Admin Settings >> Certificates.

Either fill in the "CA Certificate" field with the contents of the external public CA certificate or upload a file.

Either fill in the "Server Certificate" and "Private Key" fields with the contents of the public/private certificates or upload a file.

The "Server Certificate" field must include both the MKE server certificate and any intermediate certificates.

Click "Save".