
The network ports on all running containers must be limited to required ports.


Overview

Finding ID: V-260941
Version: CNTR-MK-001360
Rule ID: SV-260941r966180_rule
IA Controls: (none listed)
Severity: Medium
Description
To validate that the services are using only the approved ports and protocols, the organization must perform a periodic scan/review of MKE and disable functions, ports, protocols, and services deemed to be unneeded or nonsecure.
STIG: Mirantis Kubernetes Engine Security Technical Implementation Guide
Date: 2024-06-17

Details

Check Text ( C-64670r966178_chk )
Verify that only needed ports are open on all running containers. If an ingress controller is configured for the cluster, this check is not applicable.

Via CLI: As a remote MKE admin, execute the following command using a client bundle:

docker ps -q | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}'

Review the list and ensure that the ports mapped are the ones really needed for the containers per the requirements set forth by the System Security Plan (SSP).

If ports are not documented and approved in the SSP, this is a finding.
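The review step above can be scripted. The following is an added example, not part of the STIG: it takes the output of the `docker inspect` command shown above on stdin, pulls every published host port out of the `{HOST_IP HOST_PORT}` bindings, and prints a `CONTAINER_ID PORT` line for each port that is not in the SSP-approved list. The approved port list and the three inspect lines are constructed sample values, not from any real cluster.

```shell
#!/bin/sh
# Added example (not part of the STIG): flag published ports that are not
# documented and approved in the System Security Plan (SSP).

# Constructed placeholder allowlist; replace with the ports your SSP approves.
APPROVED_PORTS="443 8443"

# Constructed sample output in the shape produced by:
#   docker ps -q | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}'
# Each published binding is rendered as {HOST_IP HOST_PORT}; an exposed but
# unpublished port shows an empty list, and a container with no ports shows map[].
SAMPLE_INSPECT='abc123: Ports=map[443/tcp:[{0.0.0.0 443} {:: 443}]]
def456: Ports=map[80/tcp:[{0.0.0.0 8080} {:: 8080}] 443/tcp:[{0.0.0.0 443} {:: 443}]]
ghi789: Ports=map[]'

# find_unapproved_ports APPROVED  reads inspect lines on stdin and prints
# "CONTAINER_ID HOST_PORT" for every published port outside the allowlist.
find_unapproved_ports() {
    approved="$1"
    while IFS= read -r line; do
        id="${line%%:*}"                          # text before the first ':' is the container id
        # Extract each "{HOST_IP HOST_PORT}" token, keep the port, de-duplicate.
        printf '%s\n' "$line" | grep -o '{[^}]*}' | awk '{print $2}' | tr -d '}' | sort -u |
        while IFS= read -r port; do
            case " $approved " in
                *" $port "*) ;;                         # documented in the SSP: no finding
                *) printf '%s %s\n' "$id" "$port" ;;    # not approved: report it
            esac
        done
    done
}

# Demo on the constructed sample. For a live check, load the client bundle and
# pipe the real docker inspect output into find_unapproved_ports instead.
findings="$(printf '%s\n' "$SAMPLE_INSPECT" | find_unapproved_ports "$APPROVED_PORTS")"
if [ -n "$findings" ]; then
    printf 'Published ports not approved in the SSP (finding):\n%s\n' "$findings"
else
    printf 'All published ports are approved.\n'
fi
```

With the sample input only `def456` is reported, for host port 8080; its port 443 and all of `abc123` are approved, and `ghi789` publishes nothing.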
Fix Text (F-64578r966179_fix)
Configuring an ingress controller is the preferred method to manage external ports. If an ingress controller is not used and unnecessary ports are in use, the container or pod network configurations must be updated.

To update a pod's configuration, log in to the MKE UI as an administrator.

Navigate to Kubernetes >> Pods and click the pod with an open port that is not allowed.

Click the three dots in the upper right corner (edit).

Modify the .yaml file to remove the port. Example:

spec:
  containers:            # Pod spec key is "containers" (plural)
  - name: [pod name]
    ports:
    - containerPort: 80  [replace with 443]

Click "Save".

For a Swarm service, navigate to Swarm >> Services and click the service with the unauthorized port.

Click the three dots in the top left corner.

Select "Network" in the pop-up and remove the unauthorized port.

Click "Save".