{
"platform": {
"name": "centos",
"release": "8.3.2011"
},
"profiles": [
{
"attributes": [],
"controls": [
{
"code": "control 'V-242376' do\n title \"The Kubernetes Controller Manager must use TLS 1.2, at a minimum, to\nprotect the confidentiality of sensitive data during electronic dissemination.\"\n desc \"The Kubernetes Controller Manager will prohibit the use of SSL and\nunauthorized versions of TLS protocols to properly secure communication.\n\n The use of unsupported protocol exposes vulnerabilities to the Kubernetes\nby rogue traffic interceptions, man-in-the-middle attacks, and impersonation of\nusers or services from the container platform runtime, registry, and key store.\nTo enable the minimum version of TLS to be used by the Kubernetes Controller\nManager, the setting \\\"tls-min-version\\\" must be set.\n \"\n desc 'rationale', ''\n desc 'check', \"\n Change to the /etc/kubernetes/manifests/ directory on the Kubernetes Master\nNode. Run the command:\n\n grep -i tls-min-version *\n\n If the setting \\\"tls-min-version\\\" is not configured in the Kubernetes\nController Manager manifest file or it is set to \\\"VersionTLS10\\\" or\n\\\"VersionTLS11\\\", this is a finding.\n \"\n desc 'fix', \"Edit the Kubernetes Controller Manager manifest file in the\n/etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the\nvalue of \\\"--tls-min-version\\\" to \\\"VersionTLS12\\\" or higher.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-APP-000014-CTR-000035'\n tag gid: 'V-242376'\n tag rid: 'SV-242376r712484_rule'\n tag stig_id: 'CNTR-K8-000150'\n tag fix_id: 'F-45609r712483_fix'\n tag cci: ['CCI-000068']\n tag nist: ['AC-17 (2)']\n\n unless kube_controller_manager.exist?\n impact 0.0\n desc 'caveat', 'Kubernetes Controller Manager process is not running on the target.'\n end\n\n describe kube_controller_manager do\n its('tls-min-version') { should_not be_nil }\n its('tls-min-version') { should_not cmp 'VersionTLS10' }\n its('tls-min-version') { should_not cmp 'VersionTLS11' }\n end\nend\n",
"desc": "The Kubernetes Controller Manager will prohibit the use of SSL and\nunauthorized versions of TLS protocols to properly secure communication.\n\n The use of unsupported protocol exposes vulnerabilities to the Kubernetes\nby rogue traffic interceptions, man-in-the-middle attacks, and impersonation of\nusers or services from the container platform runtime, registry, and key store.\nTo enable the minimum version of TLS to be used by the Kubernetes Controller\nManager, the setting \"tls-min-version\" must be set.",
"descriptions": [
{
"data": "The Kubernetes Controller Manager will prohibit the use of SSL and\nunauthorized versions of TLS protocols to properly secure communication.\n\n The use of unsupported protocol exposes vulnerabilities to the Kubernetes\nby rogue traffic interceptions, man-in-the-middle attacks, and impersonation of\nusers or services from the container platform runtime, registry, and key store.\nTo enable the minimum version of TLS to be used by the Kubernetes Controller\nManager, the setting \"tls-min-version\" must be set.",
"label": "default"
},
{
"data": "",
"label": "rationale"
},
{
"data": "Change to the /etc/kubernetes/manifests/ directory on the Kubernetes Master\nNode. Run the command:\n\n grep -i tls-min-version *\n\n If the setting \"tls-min-version\" is not configured in the Kubernetes\nController Manager manifest file or it is set to \"VersionTLS10\" or\n\"VersionTLS11\", this is a finding.",
"label": "check"
},
{
"data": "Edit the Kubernetes Controller Manager manifest file in the\n/etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the\nvalue of \"--tls-min-version\" to \"VersionTLS12\" or higher.",
"label": "fix"
}
],
"id": "V-242376",
"impact": 0.5,
"refs": [],
"results": [],
"source_location": {
"line": 3,
"ref": "/home/rnemonik/.inspec/cache/64f618e96910e06ffcd837ee04f7c0c85aa2d63b/controls/V-242376.rb"
},
"tags": {
"cci": ["CCI-000068"],
"fix_id": "F-45609r712483_fix",
"gid": "V-242376",
"gtitle": "SRG-APP-000014-CTR-000035",
"nist": ["AC-17 (2)"],
"rid": "SV-242376r712484_rule",
"severity": "medium",
"stig_id": "CNTR-K8-000150"
},
"title": "The Kubernetes Controller Manager must use TLS 1.2, at a minimum, to\nprotect the confidentiality of sensitive data during electronic dissemination.",
"waiver_data": {}
},
{
"code": "control 'V-242377' do\n title \"The Kubernetes Scheduler must use TLS 1.2, at a minimum, to protect\nthe confidentiality of sensitive data during electronic dissemination.\"\n desc \"The Kubernetes Scheduler will prohibit the use of SSL and unauthorized\nversions of TLS protocols to properly secure communication.\n\n The use of unsupported protocol exposes vulnerabilities to the Kubernetes\nby rogue traffic interceptions, man-in-the-middle attacks, and impersonation of\nusers or services from the container platform runtime, registry, and keystore.\nTo enable the minimum version of TLS to be used by the Kubernetes API Server,\nthe setting \\\"tls-min-version\\\" must be set.\n \"\n desc 'rationale', ''\n desc 'check', \"\n Change to the /etc/kubernetes/manifests/ directory on the Kubernetes Master\nNode. Run the command:\n\n grep -i tls-min-version *\n\n If the setting \\\"tls-min-version\\\" is not configured in the Kubernetes\nScheduler manifest file or it is set to \\\"VersionTLS10\\\" or \\\"VersionTLS11\\\",\nthis is a finding.\n \"\n desc 'fix', \"Edit the Kubernetes Scheduler manifest file in the\n/etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the\nvalue of \\\"--tls-min-version\\\" to \\\"VersionTLS12\\\" or higher.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-APP-000014-CTR-000035'\n tag gid: 'V-242377'\n tag rid: 'SV-242377r712487_rule'\n tag stig_id: 'CNTR-K8-000160'\n tag fix_id: 'F-45610r712486_fix'\n tag cci: ['CCI-000068']\n tag nist: ['AC-17 (2)']\n\n unless kube_scheduler.exist?\n impact 0.0\n desc 'caveat', 'Kubernetes Scheduler process is not running on the target.'\n end\n\n describe kube_scheduler do\n its('tls-min-version') { should_not be_nil }\n its('tls-min-version') { should_not cmp 'VersionTLS10' }\n its('tls-min-version') { should_not cmp 'VersionTLS11' }\n end\nend\n",
"desc": "The Kubernetes Scheduler will prohibit the use of SSL and unauthorized\nversions of TLS protocols to properly secure communication.\n\n The use of unsupported protocol exposes vulnerabilities to the Kubernetes\nby rogue traffic interceptions, man-in-the-middle attacks, and impersonation of\nusers or services from the container platform runtime, registry, and keystore.\nTo enable the minimum version of TLS to be used by the Kubernetes Scheduler,\nthe setting \"tls-min-version\" must be set.",
"descriptions": [
{
"data": "The Kubernetes Scheduler will prohibit the use of SSL and unauthorized\nversions of TLS protocols to properly secure communication.\n\n The use of unsupported protocol exposes vulnerabilities to the Kubernetes\nby rogue traffic interceptions, man-in-the-middle attacks, and impersonation of\nusers or services from the container platform runtime, registry, and keystore.\nTo enable the minimum version of TLS to be used by the Kubernetes Scheduler,\nthe setting \"tls-min-version\" must be set.",
"label": "default"
},
{
"data": "",
"label": "rationale"
},
{
"data": "Change to the /etc/kubernetes/manifests/ directory on the Kubernetes Master\nNode. Run the command:\n\n grep -i tls-min-version *\n\n If the setting \"tls-min-version\" is not configured in the Kubernetes\nScheduler manifest file or it is set to \"VersionTLS10\" or \"VersionTLS11\",\nthis is a finding.",
"label": "check"
},
{
"data": "Edit the Kubernetes Scheduler manifest file in the\n/etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the\nvalue of \"--tls-min-version\" to \"VersionTLS12\" or higher.",
"label": "fix"
}
],
"id": "V-242377",
"impact": 0.5,
"refs": [],
"results": [],
"source_location": {
"line": 3,
"ref": "/home/rnemonik/.inspec/cache/64f618e96910e06ffcd837ee04f7c0c85aa2d63b/controls/V-242377.rb"
},
"tags": {
"cci": ["CCI-000068"],
"fix_id": "F-45610r712486_fix",
"gid": "V-242377",
"gtitle": "SRG-APP-000014-CTR-000035",
"nist": ["AC-17 (2)"],
"rid": "SV-242377r712487_rule",
"severity": "medium",
"stig_id": "CNTR-K8-000160"
},
"title": "The Kubernetes Scheduler must use TLS 1.2, at a minimum, to protect\nthe confidentiality of sensitive data during electronic dissemination.",
"waiver_data": {}
},
{
"code": "control 'V-242378' do\n title \"The Kubernetes API Server must use TLS 1.2, at a minimum, to protect\nthe confidentiality of sensitive data during electronic dissemination.\"\n desc \"The Kubernetes API Server will prohibit the use of SSL and\nunauthorized versions of TLS protocols to properly secure communication.\n\n The use of unsupported protocol exposes vulnerabilities to the Kubernetes\nby rogue traffic interceptions, man-in-the-middle attacks, and impersonation of\nusers or services from the container platform runtime, registry, and keystore.\nTo enable the minimum version of TLS to be used by the Kubernetes API Server,\nthe setting \\\"tls-min-version\\\" must be set.\n \"\n desc 'rationale', ''\n desc 'check', \"\n Change to the /etc/kubernetes/manifests directory on the Kubernetes Master\nNode. Run the command:\n\n grep -i tls-min-version *\n\n If the setting \\\"tls-min-version\\\" is not configured in the Kubernetes API\nServer manifest file or it is set to \\\"VersionTLS10\\\" or \\\"VersionTLS11\\\", this\nis a finding.\n \"\n desc 'fix', \"Edit the Kubernetes API Server manifest file in the\n/etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the\nvalue of \\\"--tls-min-version\\\" to \\\"VersionTLS12\\\" or higher.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-APP-000014-CTR-000040'\n tag gid: 'V-242378'\n tag rid: 'SV-242378r712490_rule'\n tag stig_id: 'CNTR-K8-000170'\n tag fix_id: 'F-45611r712489_fix'\n tag cci: ['CCI-000068']\n tag nist: ['AC-17 (2)']\n\n unless kube_apiserver.exist?\n impact 0.0\n desc 'caveat', 'Kubernetes API Server process is not running on the target.'\n end\n\n describe kube_apiserver do\n its('tls-min-version') { should_not be_nil }\n its('tls-min-version') { should_not cmp 'VersionTLS10' }\n its('tls-min-version') { should_not cmp 'VersionTLS11' }\n end\nend\n",
"desc": "The Kubernetes API Server will prohibit the use of SSL and\nunauthorized versions of TLS protocols to properly secure communication.\n\n The use of unsupported protocol exposes vulnerabilities to the Kubernetes\nby rogue traffic interceptions, man-in-the-middle attacks, and impersonation of\nusers or services from the container platform runtime, registry, and keystore.\nTo enable the minimum version of TLS to be used by the Kubernetes API Server,\nthe setting \"tls-min-version\" must be set.",
"descriptions": [
{
"data": "The Kubernetes API Server will prohibit the use of SSL and\nunauthorized versions of TLS protocols to properly secure communication.\n\n The use of unsupported protocol exposes vulnerabilities to the Kubernetes\nby rogue traffic interceptions, man-in-the-middle attacks, and impersonation of\nusers or services from the container platform runtime, registry, and keystore.\nTo enable the minimum version of TLS to be used by the Kubernetes API Server,\nthe setting \"tls-min-version\" must be set.",
"label": "default"
},
{
"data": "",
"label": "rationale"
},
{
"data": "Change to the /etc/kubernetes/manifests directory on the Kubernetes Master\nNode. Run the command:\n\n grep -i tls-min-version *\n\n If the setting \"tls-min-version\" is not configured in the Kubernetes API\nServer manifest file or it is set to \"VersionTLS10\" or \"VersionTLS11\", this\nis a finding.",
"label": "check"
},
{
"data": "Edit the Kubernetes API Server manifest file in the\n/etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the\nvalue of \"--tls-min-version\" to \"VersionTLS12\" or higher.",
"label": "fix"
}
],
"id": "V-242378",
"impact": 0.5,
"refs": [],
"results": [],
"source_location": {
"line": 3,
"ref": "/home/rnemonik/.inspec/cache/64f618e96910e06ffcd837ee04f7c0c85aa2d63b/controls/V-242378.rb"
},
"tags": {
"cci": ["CCI-000068"],
"fix_id": "F-45611r712489_fix",
"gid": "V-242378",
"gtitle": "SRG-APP-000014-CTR-000040",
"nist": ["AC-17 (2)"],
"rid": "SV-242378r712490_rule",
"severity": "medium",
"stig_id": "CNTR-K8-000170"
},
"title": "The Kubernetes API Server must use TLS 1.2, at a minimum, to protect\nthe confidentiality of sensitive data during electronic dissemination.",
"waiver_data": {}
},
{
"code": "control 'V-242379' do\n title \"The Kubernetes etcd must use TLS to protect the confidentiality of\nsensitive data during electronic dissemination.\"\n desc \"Kubernetes etcd will prohibit the use of SSL and unauthorized versions\nof TLS protocols to properly secure communication.\n\n The use of unsupported protocol exposes vulnerabilities to the Kubernetes\nby rogue traffic interceptions, man-in-the-middle attacks, and impersonation of\nusers or services from the container platform runtime, registry, and keystore.\nTo enable the minimum version of TLS to be used by the Kubernetes API Server,\nthe setting \\\"tls-min-version\\\" must be set.\n \"\n desc 'rationale', ''\n desc 'check', \"\n Change to the /etc/kubernetes/manifests directory on the Kubernetes Master\nNode. Run the command:\n\n grep -i auto-tls *\n\n If the setting \\\"auto-tls\\\" is not configured in the Kubernetes etcd\nmanifest file or it is set to true, this is a finding.\n \"\n desc 'fix', \"Edit the Kubernetes etcd manifest file in the\n/etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the\nvalue of \\\"-auto-tls\\\" to \\\"false\\\".\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-APP-000014-CTR-000035'\n tag gid: 'V-242379'\n tag rid: 'SV-242379r712493_rule'\n tag stig_id: 'CNTR-K8-000180'\n tag fix_id: 'F-45612r712492_fix'\n tag cci: ['CCI-000068']\n tag nist: ['AC-17 (2)']\n\n if etcd.exist?\n describe.one do\n describe etcd do\n its('auto-tls') { should cmp 'false' }\n end\n\n describe process_env_var('etcd') do\n its(:ETCD_AUTO_TLS) { should cmp 'false' }\n end\n end\n else\n describe 'ETCD process is not running on the target.' do\n skip\n end\n end\nend\n",
"desc": "Kubernetes etcd will prohibit the use of SSL and unauthorized versions\nof TLS protocols to properly secure communication.\n\n The use of unsupported protocol exposes vulnerabilities to the Kubernetes\nby rogue traffic interceptions, man-in-the-middle attacks, and impersonation of\nusers or services from the container platform runtime, registry, and keystore.\nTo ensure etcd uses the configured TLS certificates for client connections,\nthe setting \"auto-tls\" must be set to \"false\".",
"descriptions": [
{
"data": "Kubernetes etcd will prohibit the use of SSL and unauthorized versions\nof TLS protocols to properly secure communication.\n\n The use of unsupported protocol exposes vulnerabilities to the Kubernetes\nby rogue traffic interceptions, man-in-the-middle attacks, and impersonation of\nusers or services from the container platform runtime, registry, and keystore.\nTo ensure etcd uses the configured TLS certificates for client connections,\nthe setting \"auto-tls\" must be set to \"false\".",
"label": "default"
},
{
"data": "",
"label": "rationale"
},
{
"data": "Change to the /etc/kubernetes/manifests directory on the Kubernetes Master\nNode. Run the command:\n\n grep -i auto-tls *\n\n If the setting \"auto-tls\" is not configured in the Kubernetes etcd\nmanifest file or it is set to true, this is a finding.",
"label": "check"
},
{
"data": "Edit the Kubernetes etcd manifest file in the\n/etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the\nvalue of \"--auto-tls\" to \"false\".",
"label": "fix"
}
],
"id": "V-242379",
"impact": 0.5,
"refs": [],
"results": [],
"source_location": {
"line": 3,
"ref": "/home/rnemonik/.inspec/cache/64f618e96910e06ffcd837ee04f7c0c85aa2d63b/controls/V-242379.rb"
},
"tags": {
"cci": ["CCI-000068"],
"fix_id": "F-45612r712492_fix",
"gid": "V-242379",
"gtitle": "SRG-APP-000014-CTR-000035",
"nist": ["AC-17 (2)"],
"rid": "SV-242379r712493_rule",
"severity": "medium",
"stig_id": "CNTR-K8-000180"
},
"title": "The Kubernetes etcd must use TLS to protect the confidentiality of\nsensitive data during electronic dissemination.",
"waiver_data": {}
},
{
"code": "control 'V-242380' do\n title \"The Kubernetes etcd must use TLS to protect the confidentiality of\nsensitive data during electronic dissemination.\"\n desc \"The Kubernetes API Server will prohibit the use of SSL and\nunauthorized versions of TLS protocols to properly secure communication.\n\n The use of unsupported protocol exposes vulnerabilities to the Kubernetes\nby rogue traffic interceptions, man-in-the-middle attacks, and impersonation of\nusers or services from the container platform runtime, registry, and keystore.\nTo enable the minimum version of TLS to be used by the Kubernetes API Server,\nthe setting \\\"tls-min-version\\\" must be set.\n \"\n desc 'rationale', ''\n desc 'check', \"\n Change to the /etc/kubernetes/manifests directory on the Kubernetes Master\nNode. Run the command:\n\n grep -I peer-auto-tls *\n\n If the setting \\\"peer-auto-tls\\\" is not configured in the Kubernetes etcd\nmanifest file or it is set to \\\"true\\\", this is a finding.\n \"\n desc 'fix', \"Edit the Kubernetes etcd manifest file in the\n/etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the\nvalue of \\\"peer-auto-tls\\\" to \\\"false\\\".\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-APP-000014-CTR-000035'\n tag gid: 'V-242380'\n tag rid: 'SV-242380r712496_rule'\n tag stig_id: 'CNTR-K8-000190'\n tag fix_id: 'F-45613r712495_fix'\n tag cci: ['CCI-000068']\n tag nist: ['AC-17 (2)']\n\n if etcd.exist?\n describe.one do\n describe etcd do\n its('peer-auto-tls') { should cmp 'false' }\n end\n\n describe process_env_var('etcd') do\n its(:ETCD_PEER_AUTO_TLS) { should cmp 'false' }\n end\n end\n else\n describe 'ETCD process is not running on the target.' do\n skip\n end\n end\nend\n",
"desc": "Kubernetes etcd will prohibit the use of SSL and\nunauthorized versions of TLS protocols to properly secure communication.\n\n The use of unsupported protocol exposes vulnerabilities to the Kubernetes\nby rogue traffic interceptions, man-in-the-middle attacks, and impersonation of\nusers or services from the container platform runtime, registry, and keystore.\nTo ensure etcd uses the configured TLS certificates for peer (member-to-member)\nconnections, the setting \"peer-auto-tls\" must be set to \"false\".",
"descriptions": [
{
"data": "Kubernetes etcd will prohibit the use of SSL and\nunauthorized versions of TLS protocols to properly secure communication.\n\n The use of unsupported protocol exposes vulnerabilities to the Kubernetes\nby rogue traffic interceptions, man-in-the-middle attacks, and impersonation of\nusers or services from the container platform runtime, registry, and keystore.\nTo ensure etcd uses the configured TLS certificates for peer (member-to-member)\nconnections, the setting \"peer-auto-tls\" must be set to \"false\".",
"label": "default"
},
{
"data": "",
"label": "rationale"
},
{
"data": "Change to the /etc/kubernetes/manifests directory on the Kubernetes Master\nNode. Run the command:\n\n grep -i peer-auto-tls *\n\n If the setting \"peer-auto-tls\" is not configured in the Kubernetes etcd\nmanifest file or it is set to \"true\", this is a finding.",
"label": "check"
},
{
"data": "Edit the Kubernetes etcd manifest file in the\n/etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the\nvalue of \"peer-auto-tls\" to \"false\".",
"label": "fix"
}
],
"id": "V-242380",
"impact": 0.5,
"refs": [],
"results": [],
"source_location": {
"line": 3,
"ref": "/home/rnemonik/.inspec/cache/64f618e96910e06ffcd837ee04f7c0c85aa2d63b/controls/V-242380.rb"
},
"tags": {
"cci": ["CCI-000068"],
"fix_id": "F-45613r712495_fix",
"gid": "V-242380",
"gtitle": "SRG-APP-000014-CTR-000035",
"nist": ["AC-17 (2)"],
"rid": "SV-242380r712496_rule",
"severity": "medium",
"stig_id": "CNTR-K8-000190"
},
"title": "The Kubernetes etcd must use TLS to protect the confidentiality of\nsensitive data during electronic dissemination.",
"waiver_data": {}
},
{
"code": "control 'V-242381' do\n title \"The Kubernetes Controller Manager must create unique service accounts\nfor each work payload.\"\n desc \"The Kubernetes Controller Manager is a background process that embeds\ncore control loops regulating cluster system state through the API Server.\nEvery process executed in a pod has an associated service account. By default,\nservice accounts use the same credentials for authentication. Implementing the\ndefault settings poses a High risk to the Kubernetes Controller Manager.\nSetting the use-service-account-credentials value lowers the attack surface by\ngenerating unique service accounts settings for each controller instance.\"\n desc 'rationale', ''\n desc 'check', \"\n Change to the /etc/kubernetes/manifests directory on the Kubernetes Master\nNode. Run the command:\n\n grep -i use-service-account-credentials *\n\n If the setting use-service-account-credential is not configured in the\nKubernetes Controller Manager manifest file or it is set to \\\"false\\\", this is\na finding.\n \"\n desc 'fix', \"Edit the Kubernetes Controller Manager manifest file in the\n/etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the\nvalue of \\\"use-service-account-credentials\\\" to \\\"true\\\".\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'SRG-APP-000023-CTR-000055'\n tag gid: 'V-242381'\n tag rid: 'SV-242381r712499_rule'\n tag stig_id: 'CNTR-K8-000220'\n tag fix_id: 'F-45614r712498_fix'\n tag cci: ['CCI-000015']\n tag nist: ['AC-2 (1)']\n\n unless kube_controller_manager.exist?\n impact 0.0\n desc 'caveat', 'Kubernetes Controller Manager process is not running on the target.'\n end\n\n describe kube_controller_manager do\n its('use-service-account-credentials') { should cmp 'true' }\n end\nend\n",
"desc": "The Kubernetes Controller Manager is a background process that embeds\ncore control loops regulating cluster system state through the API Server.\nBy default, all of these controllers authenticate to the API Server with the\nsame shared credentials. Implementing the default settings poses a High risk\nto the Kubernetes Controller Manager, because any one compromised controller\nholds the combined privileges of all of them. Setting the\nuse-service-account-credentials value lowers the attack surface by running\neach controller with its own unique service account, so each can be limited\nto the permissions it actually needs.",
"descriptions": [
{
"data": "The Kubernetes Controller Manager is a background process that embeds\ncore control loops regulating cluster system state through the API Server.\nBy default, all of these controllers authenticate to the API Server with the\nsame shared credentials. Implementing the default settings poses a High risk\nto the Kubernetes Controller Manager, because any one compromised controller\nholds the combined privileges of all of them. Setting the\nuse-service-account-credentials value lowers the attack surface by running\neach controller with its own unique service account, so each can be limited\nto the permissions it actually needs.",
"label": "default"
},
{
"data": "",
"label": "rationale"
},
{
"data": "Change to the /etc/kubernetes/manifests directory on the Kubernetes Master\nNode. Run the command:\n\n grep -i use-service-account-credentials *\n\n If the setting \"use-service-account-credentials\" is not configured in the\nKubernetes Controller Manager manifest file or it is set to \"false\", this is\na finding.",
"label": "check"
},
{
"data": "Edit the Kubernetes Controller Manager manifest file in the\n/etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the\nvalue of \"use-service-account-credentials\" to \"true\".",
"label": "fix"
}
],
"id": "V-242381",
"impact": 0.7,
"refs": [],
"results": [],
"source_location": {
"line": 3,
"ref": "/home/rnemonik/.inspec/cache/64f618e96910e06ffcd837ee04f7c0c85aa2d63b/controls/V-242381.rb"
},
"tags": {
"cci": ["CCI-000015"],
"fix_id": "F-45614r712498_fix",
"gid": "V-242381",
"gtitle": "SRG-APP-000023-CTR-000055",
"nist": ["AC-2 (1)"],
"rid": "SV-242381r712499_rule",
"severity": "high",
"stig_id": "CNTR-K8-000220"
},
"title": "The Kubernetes Controller Manager must create unique service accounts\nfor each work payload.",
"waiver_data": {}
},
{
"code": "control 'V-242382' do\n title \"The Kubernetes API Server must enable Node,RBAC as the authorization\nmode.\"\n desc \"To mitigate the risk of unauthorized access to sensitive information\nby entities that have been issued certificates by DoD-approved PKIs, all DoD\nsystems (e.g., networks, web servers, and web portals) must be properly\nconfigured to incorporate access control methods that do not rely solely on the\npossession of a certificate for access. Successful authentication must not\nautomatically give an entity access to an asset or security boundary.\nAuthorization procedures and controls must be implemented to ensure each\nauthenticated entity also has a validated and current authorization.\nAuthorization is the process of determining whether an entity, once\nauthenticated, is permitted to access a specific asset.\n\n Node,RBAC is the method within Kubernetes to control access of users and\napplications. Kubernetes uses roles to grant authorization API requests made by\nkubelets.\n\n\n \"\n desc 'rationale', ''\n desc 'check', \"\n Change to the /etc/kubernetes/manifests directory on the Kubernetes Master\nNode. Run the command:\n\n \\\"grep -i authorization-mode *\\\"\n\n If the setting \\\"authorization-mode\\\" is not configured in the Kubernetes\nAPI Server manifest file or is not set to \\\"Node,RBAC\\\", this is a finding.\n \"\n desc 'fix', \"Edit the Kubernetes API Server manifest file in the\n/etc/kubernetes/manifests directory on the Kubernetes Master Node. 
Set the\nvalue of \\\"--authorization-mode\\\" to \\\"Node,RBAC\\\".\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-APP-000033-CTR-000090'\n tag satisfies: ['SRG-APP-000033-CTR-000090', 'SRG-APP-000033-CTR-000095']\n tag gid: 'V-242382'\n tag rid: 'SV-242382r712502_rule'\n tag stig_id: 'CNTR-K8-000270'\n tag fix_id: 'F-45615r712501_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n\n unless kube_apiserver.exist?\n impact 0.0\n desc 'caveat', 'Kubernetes API Server process is not running on the target.'\n end\n\n describe kube_apiserver do\n its('authorization-mode') { should cmp 'Node,RBAC' }\n end\nend\n",
"desc": "To mitigate the risk of unauthorized access to sensitive information\nby entities that have been issued certificates by DoD-approved PKIs, all DoD\nsystems (e.g., networks, web servers, and web portals) must be properly\nconfigured to incorporate access control methods that do not rely solely on the\npossession of a certificate for access. Successful authentication must not\nautomatically give an entity access to an asset or security boundary.\nAuthorization procedures and controls must be implemented to ensure each\nauthenticated entity also has a validated and current authorization.\nAuthorization is the process of determining whether an entity, once\nauthenticated, is permitted to access a specific asset.\n\n Node,RBAC is the method within Kubernetes for controlling the access of users\nand applications. Kubernetes uses roles to authorize API requests, including\nthose made by kubelets.",
"descriptions": [
{
"data": "To mitigate the risk of unauthorized access to sensitive information\nby entities that have been issued certificates by DoD-approved PKIs, all DoD\nsystems (e.g., networks, web servers, and web portals) must be properly\nconfigured to incorporate access control methods that do not rely solely on the\npossession of a certificate for access. Successful authentication must not\nautomatically give an entity access to an asset or security boundary.\nAuthorization procedures and controls must be implemented to ensure each\nauthenticated entity also has a validated and current authorization.\nAuthorization is the process of determining whether an entity, once\nauthenticated, is permitted to access a specific asset.\n\n Node,RBAC is the method within Kubernetes for controlling the access of users\nand applications. Kubernetes uses roles to authorize API requests, including\nthose made by kubelets.",
"label": "default"
},
{
"data": "",
"label": "rationale"
},
{
"data": "Change to the /etc/kubernetes/manifests directory on the Kubernetes Master\nNode. Run the command:\n\n \"grep -i authorization-mode *\"\n\n If the setting \"authorization-mode\" is not configured in the Kubernetes\nAPI Server manifest file or is not set to \"Node,RBAC\", this is a finding.",
"label": "check"
},
{
"data": "Edit the Kubernetes API Server manifest file in the\n/etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the\nvalue of \"--authorization-mode\" to \"Node,RBAC\".",
"label": "fix"
}
],
"id": "V-242382",
"impact": 0.5,
"refs": [],
"results": [],
"source_location": {
"line": 3,
"ref": "/home/rnemonik/.inspec/cache/64f618e96910e06ffcd837ee04f7c0c85aa2d63b/controls/V-242382.rb"
},
"tags": {
"cci": ["CCI-000213"],
"fix_id": "F-45615r712501_fix",
"gid": "V-242382",
"gtitle": "SRG-APP-000033-CTR-000090",
"nist": ["AC-3"],
"rid": "SV-242382r712502_rule",
"satisfies": [
"SRG-APP-000033-CTR-000090",
"SRG-APP-000033-CTR-000095"
],
"severity": "medium",
"stig_id": "CNTR-K8-000270"
},
"title": "The Kubernetes API Server must enable Node,RBAC as the authorization\nmode.",
"waiver_data": {}
},
{
"code": "control 'V-242384' do\n title 'The Kubernetes Scheduler must have secure binding.'\n desc \"Limiting the number of attack vectors and implementing authentication\nand encryption on the endpoints available to external sources is paramount when\nsecuring the overall Kubernetes cluster. The Scheduler API service exposes port\n10251/TCP by default for health and metrics information use. This port does not\nencrypt or authenticate connections. If this port is exposed externally, an\nattacker can use this port to attack the entire Kubernetes cluster. By setting\nthe bind address to localhost (i.e., 127.0.0.1), only those internal services\nthat require health and metrics information can access the Scheduler API.\"\n desc 'rationale', ''\n desc 'check', \"\n Change to the /etc/kubernetes/manifests directory on the Kubernetes Master\nNode. Run the command:\n\n grep -i bind-address *\n\n If the setting \\\"bind-address\\\" is not set to \\\"127.0.0.1\\\" or is not found\nin the Kubernetes Scheduler manifest file, this is a finding.\n \"\n desc 'fix', \"Edit the Kubernetes Scheduler manifest file in the\n/etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the\nargument \\\"--bind-address\\\" to \\\"127.0.0.1\\\".\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-APP-000033-CTR-000090'\n tag gid: 'V-242384'\n tag rid: 'SV-242384r712508_rule'\n tag stig_id: 'CNTR-K8-000300'\n tag fix_id: 'F-45617r712507_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n\n unless kube_scheduler.exist?\n impact 0.0\n desc 'caveat', 'Kubernetes Scheduler process is not running on the target.'\n end\n\n describe kube_scheduler do\n its('bind-address') { should cmp '127.0.0.1' }\n end\nend\n",
"desc": "Limiting the number of attack vectors and implementing authentication\nand encryption on the endpoints available to external sources is paramount when\nsecuring the overall Kubernetes cluster. The Scheduler API service exposes port\n10251/TCP by default for health and metrics information use. This port does not\nencrypt or authenticate connections. If this port is exposed externally, an\nattacker can use this port to attack the entire Kubernetes cluster. By setting\nthe bind address to localhost (i.e., 127.0.0.1), only those internal services\nthat require health and metrics information can access the Scheduler API.",
"descriptions": [
{
"data": "Limiting the number of attack vectors and implementing authentication\nand encryption on the endpoints available to external sources is paramount when\nsecuring the overall Kubernetes cluster. The Scheduler API service exposes port\n10251/TCP by default for health and metrics information use. This port does not\nencrypt or authenticate connections. If this port is exposed externally, an\nattacker can use this port to attack the entire Kubernetes cluster. By setting\nthe bind address to localhost (i.e., 127.0.0.1), only those internal services\nthat require health and metrics information can access the Scheduler API.",
"label": "default"
},
{
"data": "",
"label": "rationale"
},
{
"data": "Change to the /etc/kubernetes/manifests directory on the Kubernetes Master\nNode. Run the command:\n\n grep -i bind-address *\n\n If the setting \"bind-address\" is not set to \"127.0.0.1\" or is not found\nin the Kubernetes Scheduler manifest file, this is a finding.",
"label": "check"
},
{
"data": "Edit the Kubernetes Scheduler manifest file in the\n/etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the\nargument \"--bind-address\" to \"127.0.0.1\".",
"label": "fix"
}
],
"id": "V-242384",
"impact": 0.5,
"refs": [],
"results": [],
"source_location": {
"line": 3,
"ref": "/home/rnemonik/.inspec/cache/64f618e96910e06ffcd837ee04f7c0c85aa2d63b/controls/V-242384.rb"
},
"tags": {
"cci": ["CCI-000213"],
"fix_id": "F-45617r712507_fix",
"gid": "V-242384",
"gtitle": "SRG-APP-000033-CTR-000090",
"nist": ["AC-3"],
"rid": "SV-242384r712508_rule",
"severity": "medium",
"stig_id": "CNTR-K8-000300"
},
"title": "The Kubernetes Scheduler must have secure binding.",
"waiver_data": {}
},
{
"code": "control 'V-242385' do\n title 'The Kubernetes Controller Manager must have secure binding.'\n desc \"Limiting the number of attack vectors and implementing authentication\nand encryption on the endpoints available to external sources is paramount when\nsecuring the overall Kubernetes cluster. The Controller Manager API service\nexposes port 10252/TCP by default for health and metrics information use. This\nport does not encrypt or authenticate connections. If this port is exposed\nexternally, an attacker can use this port to attack the entire Kubernetes\ncluster. By setting the bind address to only localhost (i.e., 127.0.0.1), only\nthose internal services that require health and metrics information can access\nthe Control Manager API.\"\n desc 'rationale', ''\n desc 'check', \"\n Change to the /etc/kubernetes/manifests directory on the Kubernetes Master\nNode. Run the command:\n\n grep -i bind-address *\n\n If the setting bind-address is not set to \\\"127.0.0.1\\\" or is not found in\nthe Kubernetes Controller Manager manifest file, this is a finding.\n \"\n desc 'fix', \"Edit the Kubernetes Controller Manager manifest file in the\n/etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the\nargument \\\"--bind-address\\\" to \\\"127.0.0.1\\\".\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-APP-000033-CTR-000090'\n tag gid: 'V-242385'\n tag rid: 'SV-242385r712511_rule'\n tag stig_id: 'CNTR-K8-000310'\n tag fix_id: 'F-45618r712510_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n\n unless kube_controller_manager.exist?\n impact 0.0\n desc 'caveat', 'Kubernetes Controller Manager process is not running on the target.'\n end\n\n describe kube_controller_manager do\n its('bind-address') { should cmp '127.0.0.1' }\n end\nend\n",
"desc": "Limiting the number of attack vectors and implementing authentication\nand encryption on the endpoints available to external sources is paramount when\nsecuring the overall Kubernetes cluster. The Controller Manager API service\nexposes port 10252/TCP by default for health and metrics information use. This\nport does not encrypt or authenticate connections. If this port is exposed\nexternally, an attacker can use this port to attack the entire Kubernetes\ncluster. By setting the bind address to only localhost (i.e., 127.0.0.1), only\nthose internal services that require health and metrics information can access\nthe Controller Manager API.",
"descriptions": [
{
"data": "Limiting the number of attack vectors and implementing authentication\nand encryption on the endpoints available to external sources is paramount when\nsecuring the overall Kubernetes cluster. The Controller Manager API service\nexposes port 10252/TCP by default for health and metrics information use. This\nport does not encrypt or authenticate connections. If this port is exposed\nexternally, an attacker can use this port to attack the entire Kubernetes\ncluster. By setting the bind address to only localhost (i.e., 127.0.0.1), only\nthose internal services that require health and metrics information can access\nthe Controller Manager API.",
"label": "default"
},
{
"data": "",
"label": "rationale"
},
{
"data": "Change to the /etc/kubernetes/manifests directory on the Kubernetes Master\nNode. Run the command:\n\n grep -i bind-address *\n\n If the setting bind-address is not set to \"127.0.0.1\" or is not found in\nthe Kubernetes Controller Manager manifest file, this is a finding.",
"label": "check"
},
{
"data": "Edit the Kubernetes Controller Manager manifest file in the\n/etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the\nargument \"--bind-address\" to \"127.0.0.1\".",
"label": "fix"
}
],
"id": "V-242385",
"impact": 0.5,
"refs": [],
"results": [],
"source_location": {
"line": 3,
"ref": "/home/rnemonik/.inspec/cache/64f618e96910e06ffcd837ee04f7c0c85aa2d63b/controls/V-242385.rb"
},
"tags": {
"cci": ["CCI-000213"],
"fix_id": "F-45618r712510_fix",
"gid": "V-242385",
"gtitle": "SRG-APP-000033-CTR-000090",
"nist": ["AC-3"],
"rid": "SV-242385r712511_rule",
"severity": "medium",
"stig_id": "CNTR-K8-000310"
},
"title": "The Kubernetes Controller Manager must have secure binding.",
"waiver_data": {}
},
{
"code": "control 'V-242386' do\n title 'The Kubernetes API server must have the insecure port flag disabled.'\n desc \"By default, the API server will listen on two ports. One port is the\nsecure port and the other port is called the \\\"localhost port\\\". This port is\nalso called the \\\"insecure port\\\", port 8080. Any requests to this port bypass\nauthentication and authorization checks. If this port is left open, anyone who\ngains access to the host on which the master is running can bypass all\nauthorization and authentication mechanisms put in place, and have full control\nover the entire cluster.\n\n Close the insecure port by setting the API server's --insecure-port flag to\n\\\"0\\\", ensuring that the --insecure-bind-address is not set.\n \"\n desc 'rationale', ''\n desc 'check', \"\n Change to the /etc/kubernetes/manifests directory on the Kubernetes Master\nNode. Run the command:\n\n grep -i insecure-port *\n\n If the setting insecure-port is not set to \\\"0\\\" or is not configured in\nthe Kubernetes API server manifest file, this is a finding.\n \"\n desc 'fix', \"Edit the Kubernetes API Server manifest file in the\n/etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the\nargument --insecure-port to \\\"0\\\".\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'SRG-APP-000033-CTR-000095'\n tag gid: 'V-242386'\n tag rid: 'SV-242386r712514_rule'\n tag stig_id: 'CNTR-K8-000320'\n tag fix_id: 'F-45619r712513_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n\n unless kube_apiserver.exist?\n impact 0.0\n desc 'caveat', 'Kubernetes API Server process is not running on the target.'\n end\n\n describe kube_apiserver do\n its('insecure-port') { should cmp '0' }\n end\nend\n",
"desc": "By default, the API server will listen on two ports. One port is the\nsecure port and the other port is called the \"localhost port\". This port is\nalso called the \"insecure port\", port 8080. Any requests to this port bypass\nauthentication and authorization checks. If this port is left open, anyone who\ngains access to the host on which the master is running can bypass all\nauthorization and authentication mechanisms put in place, and have full control\nover the entire cluster.\n\n Close the insecure port by setting the API server's --insecure-port flag to\n\"0\", ensuring that the --insecure-bind-address is not set.",
"descriptions": [
{
"data": "By default, the API server will listen on two ports. One port is the\nsecure port and the other port is called the \"localhost port\". This port is\nalso called the \"insecure port\", port 8080. Any requests to this port bypass\nauthentication and authorization checks. If this port is left open, anyone who\ngains access to the host on which the master is running can bypass all\nauthorization and authentication mechanisms put in place, and have full control\nover the entire cluster.\n\n Close the insecure port by setting the API server's --insecure-port flag to\n\"0\", ensuring that the --insecure-bind-address is not set.",
"label": "default"
},
{
"data": "",
"label": "rationale"
},
{
"data": "Change to the /etc/kubernetes/manifests directory on the Kubernetes Master\nNode. Run the command:\n\n grep -i insecure-port *\n\n If the setting insecure-port is not set to \"0\" or is not configured in\nthe Kubernetes API server manifest file, this is a finding.",
"label": "check"
},
{
"data": "Edit the Kubernetes API Server manifest file in the\n/etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the\nargument --insecure-port to \"0\".",
"label": "fix"
}
],
"id": "V-242386",
"impact": 0.7,
"refs": [],
"results": [],
"source_location": {
"line": 3,
"ref": "/home/rnemonik/.inspec/cache/64f618e96910e06ffcd837ee04f7c0c85aa2d63b/controls/V-242386.rb"
},
"tags": {
"cci": ["CCI-000213"],
"fix_id": "F-45619r712513_fix",
"gid": "V-242386",
"gtitle": "SRG-APP-000033-CTR-000095",
"nist": ["AC-3"],
"rid": "SV-242386r712514_rule",
"severity": "high",
"stig_id": "CNTR-K8-000320"
},
"title": "The Kubernetes API server must have the insecure port flag disabled.",
"waiver_data": {}
},
{
"code": "control 'V-242387' do\n title 'The Kubernetes Kubelet must have the read-only port flag disabled.'\n desc \"Kubelet serves a small REST API with read access to port 10255. The\nread-only port for Kubernetes provides no authentication or authorization\nsecurity control. Providing unrestricted access on port 10255 exposes\nKubernetes pods and containers to malicious attacks or compromise. Port 10255\nis deprecated and should be disabled.\n\n Close the read-only-port by setting the API server's read-only port flag to\n\\\"0\\\".\n \"\n desc 'rationale', ''\n desc 'check', \"\n Run the following command on each Worker Node:\n ps -ef | grep kubelet\n\n Verify that the --read-only-port argument exists and is set to \\\"0\\\".\n\n If the --read-only-port argument exists and is not set to \\\"0\\\", this is a\nfinding.\n\n If the --read-only-port argument does not exist, check the Master Node\nKubelet config file.\n\n On the Kubernetes Master Node, run the command:\n ps -ef | grep kubelet\n (path identified by: --config)\n\n Verify there is a readOnlyPort entry in the config file and it is set to\n\\\"0\\\".\n\n If the --read-only-port argument exists and is not set to \\\"0\\\" this is a\nfinding.\n\n If \\\"--read-only-port=0\\\" argument does not exist on the worker node and\nthe master node, this is a finding.\n \"\n desc 'fix', \"\n Edit the Kubernetes Kubelet file in the --config directory on the\nKubernetes Master Node. Set the argument --read-only-port to 0.\n\n Reset Kubelet service using the following command:\n service kubelet restart\n\n If using worker node arguments, edit the kubelet service file\n/usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf on each Worker Node:\nset the parameter in KUBELET_SYSTEM_PODS_ARGS variable to\n\\\"--read-only-port=0\\\".\n \"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'SRG-APP-000033-CTR-000095'\n tag gid: 'V-242387'\n tag rid: 'SV-242387r717013_rule'\n tag stig_id: 'CNTR-K8-000330'\n tag fix_id: 'F-45620r717012_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n\n describe.one do\n describe kubelet do\n its('read-only-port') { should cmp 0 }\n end\n\n describe kubelet_config_file do\n its('readOnlyPort') { should cmp 0 }\n end\n end\nend\n",
"desc": "Kubelet serves a small REST API with read access to port 10255. The\nread-only port for Kubernetes provides no authentication or authorization\nsecurity control. Providing unrestricted access on port 10255 exposes\nKubernetes pods and containers to malicious attacks or compromise. Port 10255\nis deprecated and should be disabled.\n\n Close the read-only-port by setting the API server's read-only port flag to\n\"0\".",
"descriptions": [
{
"data": "Kubelet serves a small REST API with read access to port 10255. The\nread-only port for Kubernetes provides no authentication or authorization\nsecurity control. Providing unrestricted access on port 10255 exposes\nKubernetes pods and containers to malicious attacks or compromise. Port 10255\nis deprecated and should be disabled.\n\n Close the read-only-port by setting the API server's read-only port flag to\n\"0\".",
"label": "default"
},
{
"data": "",
"label": "rationale"
},
{
"data": "Run the following command on each Worker Node:\n ps -ef | grep kubelet\n\n Verify that the --read-only-port argument exists and is set to \"0\".\n\n If the --read-only-port argument exists and is not set to \"0\", this is a\nfinding.\n\n If the --read-only-port argument does not exist, check the Master Node\nKubelet config file.\n\n On the Kubernetes Master Node, run the command:\n ps -ef | grep kubelet\n (path identified by: --config)\n\n Verify there is a readOnlyPort entry in the config file and it is set to\n\"0\".\n\n If the --read-only-port argument exists and is not set to \"0\" this is a\nfinding.\n\n If \"--read-only-port=0\" argument does not exist on the worker node and\nthe master node, this is a finding.",
"label": "check"
},
{
"data": "Edit the Kubernetes Kubelet file in the --config directory on the\nKubernetes Master Node. Set the argument --read-only-port to 0.\n\n Reset Kubelet service using the following command:\n service kubelet restart\n\n If using worker node arguments, edit the kubelet service file\n/usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf on each Worker Node:\nset the parameter in KUBELET_SYSTEM_PODS_ARGS variable to\n\"--read-only-port=0\".",
"label": "fix"
}
],
"id": "V-242387",
"impact": 0.7,
"refs": [],
"results": [],
"source_location": {
"line": 3,
"ref": "/home/rnemonik/.inspec/cache/64f618e96910e06ffcd837ee04f7c0c85aa2d63b/controls/V-242387.rb"
},
"tags": {
"cci": ["CCI-000213"],
"fix_id": "F-45620r717012_fix",
"gid": "V-242387",
"gtitle": "SRG-APP-000033-CTR-000095",
"nist": ["AC-3"],
"rid": "SV-242387r717013_rule",
"severity": "high",
"stig_id": "CNTR-K8-000330"
},
"title": "The Kubernetes Kubelet must have the read-only port flag disabled.",
"waiver_data": {}
},
{
"code": "control 'V-242388' do\n title 'The Kubernetes API server must have the insecure bind address not set.'\n desc \"By default, the API server will listen on two ports and addresses. One\naddress is the secure address and the other address is called the \\\"insecure\nbind\\\" address and is set by default to localhost. Any requests to this address\nbypass authentication and authorization checks. If this insecure bind address\nis set to localhost, anyone who gains access to the host on which the master is\nrunning can bypass all authorization and authentication mechanisms put in place\nand have full control over the entire cluster.\n\n Close or set the insecure bind address by setting the API server's\n--insecure-bind-address flag to an IP or leave it unset and ensure that the\n--insecure-bind-port is not set.\n \"\n desc 'rationale', ''\n desc 'check', \"\n Change to the /etc/kubernetes/manifests directory on the Kubernetes Master\nNode. Run the command:\n\n grep -i insecure-bind-address *\n\n If the setting insecure-bind-address is found and set to \\\"localhost\\\" in\nthe Kubernetes API manifest file, this is a finding.\n \"\n desc 'fix', \"Edit the Kubernetes API Server manifest file in the\n/etc/kubernetes/manifests directory on the Kubernetes Master Node. Remove the\nvalue for the --insecure-bind-address setting.\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'SRG-APP-000033-CTR-000095'\n tag gid: 'V-242388'\n tag rid: 'SV-242388r712520_rule'\n tag stig_id: 'CNTR-K8-000340'\n tag fix_id: 'F-45621r712519_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n\n unless kube_apiserver.exist?\n impact 0.0\n desc 'caveat', 'Kubernetes API Server process is not running on the target.'\n end\n\n describe kube_apiserver do\n its('insecure-bind-address') { should be_nil }\n end\nend\n",
"desc": "By default, the API server will listen on two ports and addresses. One\naddress is the secure address and the other address is called the \"insecure\nbind\" address and is set by default to localhost. Any requests to this address\nbypass authentication and authorization checks. If this insecure bind address\nis set to localhost, anyone who gains access to the host on which the master is\nrunning can bypass all authorization and authentication mechanisms put in place\nand have full control over the entire cluster.\n\n Close or set the insecure bind address by setting the API server's\n--insecure-bind-address flag to an IP or leave it unset and ensure that the\n--insecure-bind-port is not set.",
"descriptions": [
{
"data": "By default, the API server will listen on two ports and addresses. One\naddress is the secure address and the other address is called the \"insecure\nbind\" address and is set by default to localhost. Any requests to this address\nbypass authentication and authorization checks. If this insecure bind address\nis set to localhost, anyone who gains access to the host on which the master is\nrunning can bypass all authorization and authentication mechanisms put in place\nand have full control over the entire cluster.\n\n Close or set the insecure bind address by setting the API server's\n--insecure-bind-address flag to an IP or leave it unset and ensure that the\n--insecure-bind-port is not set.",
"label": "default"
},
{
"data": "",
"label": "rationale"
},
{
"data": "Change to the /etc/kubernetes/manifests directory on the Kubernetes Master\nNode. Run the command:\n\n grep -i insecure-bind-address *\n\n If the setting insecure-bind-address is found and set to \"localhost\" in\nthe Kubernetes API manifest file, this is a finding.",
"label": "check"
},
{
"data": "Edit the Kubernetes API Server manifest file in the\n/etc/kubernetes/manifests directory on the Kubernetes Master Node. Remove the\nvalue for the --insecure-bind-address setting.",
"label": "fix"
}
],
"id": "V-242388",
"impact": 0.7,
"refs": [],
"results": [],
"source_location": {
"line": 3,
"ref": "/home/rnemonik/.inspec/cache/64f618e96910e06ffcd837ee04f7c0c85aa2d63b/controls/V-242388.rb"
},
"tags": {
"cci": ["CCI-000213"],
"fix_id": "F-45621r712519_fix",
"gid": "V-242388",
"gtitle": "SRG-APP-000033-CTR-000095",
"nist": ["AC-3"],
"rid": "SV-242388r712520_rule",
"severity": "high",
"stig_id": "CNTR-K8-000340"
},
"title": "The Kubernetes API server must have the insecure bind address not set.",
"waiver_data": {}
},
{
"code": "control 'V-242389' do\n title 'The Kubernetes API server must have the secure port set.'\n desc \"By default, the API server will listen on what is rightfully called\nthe secure port, port 6443. Any requests to this port will perform\nauthentication and authorization checks. If this port is disabled, anyone who\ngains access to the host on which the master is running has full control of the\nentire cluster over encrypted traffic.\n\n Open the secure port by setting the API server's --secure-port flag to a\nvalue other than \\\"0\\\".\n \"\n desc 'rationale', ''\n desc 'check', \"\n Change to the /etc/kubernetes/manifests directory on the Kubernetes Master\nNode. Run the command:\n\n grep -i secure-port *\n\n If the setting secure-port is set to \\\"0\\\" or is not configured in the\nKubernetes API manifest file, this is a finding.\n \"\n desc 'fix', \"Edit the Kubernetes API Server manifest file in the\n/etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the\nargument --secure-port to a value greater than \\\"0\\\".\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-APP-000033-CTR-000100'\n tag gid: 'V-242389'\n tag rid: 'SV-242389r712523_rule'\n tag stig_id: 'CNTR-K8-000350'\n tag fix_id: 'F-45622r712522_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n\n unless kube_apiserver.exist?\n impact 0.0\n desc 'caveat', 'Kubernetes API Server process is not running on the target.'\n end\n\n describe kube_apiserver do\n its('secure-port') { should cmp > 0 }\n end\nend\n",
"desc": "By default, the API server will listen on what is rightfully called\nthe secure port, port 6443. Any requests to this port will perform\nauthentication and authorization checks. If this port is disabled, anyone who\ngains access to the host on which the master is running has full control of the\nentire cluster over encrypted traffic.\n\n Open the secure port by setting the API server's --secure-port flag to a\nvalue other than \"0\".",
"descriptions": [
{
"data": "By default, the API server will listen on what is rightfully called\nthe secure port, port 6443. Any requests to this port will perform\nauthentication and authorization checks. If this port is disabled, anyone who\ngains access to the host on which the master is running has full control of the\nentire cluster over encrypted traffic.\n\n Open the secure port by setting the API server's --secure-port flag to a\nvalue other than \"0\".",
"label": "default"
},
{
"data": "",
"label": "rationale"
},
{
"data": "Change to the /etc/kubernetes/manifests directory on the Kubernetes Master\nNode. Run the command:\n\n grep -i secure-port *\n\n If the setting secure-port is set to \"0\" or is not configured in the\nKubernetes API manifest file, this is a finding.",
"label": "check"
},
{
"data": "Edit the Kubernetes API Server manifest file in the\n/etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the\nargument --secure-port to a value greater than \"0\".",
"label": "fix"
}
],
"id": "V-242389",
"impact": 0.5,
"refs": [],
"results": [],
"source_location": {
"line": 3,
"ref": "/home/rnemonik/.inspec/cache/64f618e96910e06ffcd837ee04f7c0c85aa2d63b/controls/V-242389.rb"
},
"tags": {
"cci": ["CCI-000213"],
"fix_id": "F-45622r712522_fix",
"gid": "V-242389",
"gtitle": "SRG-APP-000033-CTR-000100",
"nist": ["AC-3"],
"rid": "SV-242389r712523_rule",
"severity": "medium",
"stig_id": "CNTR-K8-000350"
},
"title": "The Kubernetes API server must have the secure port set.",
"waiver_data": {}
},
{
"code": "control 'V-242390' do\n title 'The Kubernetes API server must have anonymous authentication disabled.'\n desc \"The Kubernetes API Server controls Kubernetes via an API interface. A\nuser who has access to the API essentially has root access to the entire\nKubernetes cluster. To control access, users must be authenticated and\nauthorized. By allowing anonymous connections, the controls put in place to\nsecure the API can be bypassed.\n\n Setting anonymous authentication to \\\"false\\\" also disables unauthenticated\nrequests from kubelets.\n\n While there are instances where anonymous connections may be needed (e.g.,\nhealth checks) and Role-Based Access Controls (RBAC) are in place to limit the\nanonymous access, this access should be disabled, and only enabled when\nnecessary.\n \"\n desc 'rationale', ''\n desc 'check', \"\n Change to the /etc/kubernetes/manifests directory on the Kubernetes Master\nNode. Run the command:\n\n grep -i anonymous-auth *\n\n If the setting anonymous-auth is set to \\\"true\\\" in the Kubernetes API\nServer manifest file, this is a finding.\n \"\n desc 'fix', \"Edit the Kubernetes API Server manifest file in the\n/etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the\nargument --anonymous-auth to \\\"false\\\".\"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'SRG-APP-000033-CTR-000100'\n tag gid: 'V-242390'\n tag rid: 'SV-242390r712526_rule'\n tag stig_id: 'CNTR-K8-000360'\n tag fix_id: 'F-45623r712525_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n\n unless kube_apiserver.exist?\n impact 0.0\n desc 'caveat', 'Kubernetes API Server process is not running on the target.'\n end\n\n describe kube_apiserver do\n its('anonymous-auth') { should_not cmp 'true' }\n end\nend\n",
"desc": "The Kubernetes API Server controls Kubernetes via an API interface. A\nuser who has access to the API essentially has root access to the entire\nKubernetes cluster. To control access, users must be authenticated and\nauthorized. By allowing anonymous connections, the controls put in place to\nsecure the API can be bypassed.\n\n Setting anonymous authentication to \"false\" also disables unauthenticated\nrequests from kubelets.\n\n While there are instances where anonymous connections may be needed (e.g.,\nhealth checks) and Role-Based Access Controls (RBAC) are in place to limit the\nanonymous access, this access should be disabled, and only enabled when\nnecessary.",
"descriptions": [
{
"data": "The Kubernetes API Server controls Kubernetes via an API interface. A\nuser who has access to the API essentially has root access to the entire\nKubernetes cluster. To control access, users must be authenticated and\nauthorized. By allowing anonymous connections, the controls put in place to\nsecure the API can be bypassed.\n\n Setting anonymous authentication to \"false\" also disables unauthenticated\nrequests from kubelets.\n\n While there are instances where anonymous connections may be needed (e.g.,\nhealth checks) and Role-Based Access Controls (RBAC) are in place to limit the\nanonymous access, this access should be disabled, and only enabled when\nnecessary.",
"label": "default"
},
{
"data": "",
"label": "rationale"
},
{
"data": "Change to the /etc/kubernetes/manifests directory on the Kubernetes Master\nNode. Run the command:\n\n grep -i anonymous-auth *\n\n If the setting anonymous-auth is set to \"true\" in the Kubernetes API\nServer manifest file, this is a finding.",
"label": "check"
},
{
"data": "Edit the Kubernetes API Server manifest file in the\n/etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the\nargument --anonymous-auth to \"false\".",
"label": "fix"
}
],
"id": "V-242390",
"impact": 0.7,
"refs": [],
"results": [],
"source_location": {
"line": 3,
"ref": "/home/rnemonik/.inspec/cache/64f618e96910e06ffcd837ee04f7c0c85aa2d63b/controls/V-242390.rb"
},
"tags": {
"cci": ["CCI-000213"],
"fix_id": "F-45623r712525_fix",
"gid": "V-242390",
"gtitle": "SRG-APP-000033-CTR-000100",
"nist": ["AC-3"],
"rid": "SV-242390r712526_rule",
"severity": "high",
"stig_id": "CNTR-K8-000360"
},
"title": "The Kubernetes API server must have anonymous authentication disabled.",
"waiver_data": {}
},
{
"code": "control 'V-242391' do\n title 'The Kubernetes Kubelet must have anonymous authentication disabled.'\n desc \"A user who has access to the Kubelet essentially has root access to\nthe nodes contained within the Kubernetes Control Plane. To control access,\nusers must be authenticated and authorized. By allowing anonymous connections,\nthe controls put in place to secure the Kubelet can be bypassed.\n\n Setting anonymous authentication to \\\"false\\\" also disables unauthenticated\nrequests from kubelets.\n\n While there are instances where anonymous connections may be needed (e.g.,\nhealth checks) and Role-Based Access Controls (RBAC) are in place to limit the\nanonymous access, this access must be disabled and only enabled when necessary.\n \"\n desc 'rationale', ''\n desc 'check', \"\n Change to the /etc/sysconfig/ directory on the Kubernetes Master Node. Run\nthe command:\n\n grep -i anonymous-auth kubelet\n\n If the setting \\\"anonymous-auth\\\" is set to \\\"true\\\" or the parameter not\nset in the Kubernetes Kubelet configuration file, this is a finding.\n \"\n desc 'fix', \"\n Edit the Kubernetes Kubelet file in the/etc/sysconfig/ directory on the\nKubernetes Master Node.\n\n Set the argument \\\"--anonymous-auth\\\" to \\\"false\\\".\n\n Restart kubelet service using command:\n service kubelet restart\n \"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'SRG-APP-000033-CTR-000090'\n tag gid: 'V-242391'\n tag rid: 'SV-242391r712529_rule'\n tag stig_id: 'CNTR-K8-000370'\n tag fix_id: 'F-45624r712528_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n\n describe.one do\n describe kubelet do\n its('anonymous-auth') { should cmp 'false' }\n end\n\n describe kubelet_config_file do\n its(%w(authentication anonymous enabled)) { should cmp 'false' }\n end\n end\nend\n",
"desc": "A user who has access to the Kubelet essentially has root access to\nthe nodes contained within the Kubernetes Control Plane. To control access,\nusers must be authenticated and authorized. By allowing anonymous connections,\nthe controls put in place to secure the Kubelet can be bypassed.\n\n Setting anonymous authentication to \"false\" also disables unauthenticated\nrequests from kubelets.\n\n While there are instances where anonymous connections may be needed (e.g.,\nhealth checks) and Role-Based Access Controls (RBAC) are in place to limit the\nanonymous access, this access must be disabled and only enabled when necessary.",
"descriptions": [
{
"data": "A user who has access to the Kubelet essentially has root access to\nthe nodes contained within the Kubernetes Control Plane. To control access,\nusers must be authenticated and authorized. By allowing anonymous connections,\nthe controls put in place to secure the Kubelet can be bypassed.\n\n Setting anonymous authentication to \"false\" also disables unauthenticated\nrequests from kubelets.\n\n While there are instances where anonymous connections may be needed (e.g.,\nhealth checks) and Role-Based Access Controls (RBAC) are in place to limit the\nanonymous access, this access must be disabled and only enabled when necessary.",
"label": "default"
},
{
"data": "",
"label": "rationale"
},
{
"data": "Change to the /etc/sysconfig/ directory on the Kubernetes Master Node. Run\nthe command:\n\n grep -i anonymous-auth kubelet\n\n If the setting \"anonymous-auth\" is set to \"true\" or the parameter is not\nset in the Kubernetes Kubelet configuration file, this is a finding.",
"label": "check"
},
{
"data": "Edit the Kubernetes Kubelet file in the /etc/sysconfig/ directory on the\nKubernetes Master Node.\n\n Set the argument \"--anonymous-auth\" to \"false\".\n\n Restart kubelet service using command:\n service kubelet restart",
"label": "fix"
}
],
"id": "V-242391",
"impact": 0.7,
"refs": [],
"results": [],
"source_location": {
"line": 3,
"ref": "/home/rnemonik/.inspec/cache/64f618e96910e06ffcd837ee04f7c0c85aa2d63b/controls/V-242391.rb"
},
"tags": {
"cci": ["CCI-000213"],
"fix_id": "F-45624r712528_fix",
"gid": "V-242391",
"gtitle": "SRG-APP-000033-CTR-000090",
"nist": ["AC-3"],
"rid": "SV-242391r712529_rule",
"severity": "high",
"stig_id": "CNTR-K8-000370"
},
"title": "The Kubernetes Kubelet must have anonymous authentication disabled.",
"waiver_data": {}
},
{
"code": "control 'V-242392' do\n title 'The Kubernetes kubelet must enable explicit authorization.'\n desc \"Kubelet is the primary agent on each node. The API server communicates\nwith each kubelet to perform tasks such as starting/stopping pods. By default,\nkubelets allow all authenticated requests, even anonymous ones, without\nrequiring any authorization checks from the API server. This default behavior\nbypasses any authorization controls put in place to limit what users may\nperform within the Kubernetes cluster. To change this behavior, the default\nsetting of AlwaysAllow for the authorization mode must be set to \\\"Webhook\\\".\"\n desc 'rationale', ''\n desc 'check', \"\n Change to the /etc/sysconfig/ directory on the Kubernetes Master Node. Run\nthe command:\n\n grep -i authorization-mode kubelet\n\n On each Worker node, change to the /etc/sysconfig/ directory. Run the\ncommand:\n\n grep -i authorization-mode kubelet\n\n If authorization-mode is missing or is set to \\\"AllowAlways\\\" on the Master\nnode or any of the Worker nodes, this is a finding.\n \"\n desc 'fix', \"\n Edit the Kubernetes Kubelet file in the/etc/sysconfig/ directory on the\nKubernetes Master and Worker nodes.\n\n Set the argument --authorization-mode to \\\"Webhook\\\".\n\n Restart each kubelet service after the change is made using the command:\n service kubelet restart\n \"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'SRG-APP-000033-CTR-000095'\n tag gid: 'V-242392'\n tag rid: 'SV-242392r712532_rule'\n tag stig_id: 'CNTR-K8-000380'\n tag fix_id: 'F-45625r717029_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n\n describe.one do\n describe kubelet do\n its('authorization-mode') { should cmp 'Webhook' }\n end\n\n describe kubelet_config_file do\n its(%w(authorization mode)) { should cmp 'Webhook' }\n end\n end\nend\n",
"desc": "Kubelet is the primary agent on each node. The API server communicates\nwith each kubelet to perform tasks such as starting/stopping pods. By default,\nkubelets allow all authenticated requests, even anonymous ones, without\nrequiring any authorization checks from the API server. This default behavior\nbypasses any authorization controls put in place to limit what users may\nperform within the Kubernetes cluster. To change this behavior, the default\nsetting of AlwaysAllow for the authorization mode must be set to \"Webhook\".",
"descriptions": [
{
"data": "Kubelet is the primary agent on each node. The API server communicates\nwith each kubelet to perform tasks such as starting/stopping pods. By default,\nkubelets allow all authenticated requests, even anonymous ones, without\nrequiring any authorization checks from the API server. This default behavior\nbypasses any authorization controls put in place to limit what users may\nperform within the Kubernetes cluster. To change this behavior, the default\nsetting of AlwaysAllow for the authorization mode must be set to \"Webhook\".",
"label": "default"
},
{
"data": "",
"label": "rationale"
},
{
"data": "Change to the /etc/sysconfig/ directory on the Kubernetes Master Node. Run\nthe command:\n\n grep -i authorization-mode kubelet\n\n On each Worker node, change to the /etc/sysconfig/ directory. Run the\ncommand:\n\n grep -i authorization-mode kubelet\n\n If authorization-mode is missing or is set to \"AllowAlways\" on the Master\nnode or any of the Worker nodes, this is a finding.",
"label": "check"
},
{
"data": "Edit the Kubernetes Kubelet file in the /etc/sysconfig/ directory on the\nKubernetes Master and Worker nodes.\n\n Set the argument --authorization-mode to \"Webhook\".\n\n Restart each kubelet service after the change is made using the command:\n service kubelet restart",
"label": "fix"
}
],
"id": "V-242392",
"impact": 0.7,
"refs": [],
"results": [],
"source_location": {
"line": 3,
"ref": "/home/rnemonik/.inspec/cache/64f618e96910e06ffcd837ee04f7c0c85aa2d63b/controls/V-242392.rb"
},
"tags": {
"cci": ["CCI-000213"],
"fix_id": "F-45625r717029_fix",
"gid": "V-242392",
"gtitle": "SRG-APP-000033-CTR-000095",
"nist": ["AC-3"],
"rid": "SV-242392r712532_rule",
"severity": "high",
"stig_id": "CNTR-K8-000380"
},
"title": "The Kubernetes kubelet must enable explicit authorization.",
"waiver_data": {}
},
{
"code": "control 'V-242393' do\n title 'Kubernetes Worker Nodes must not have sshd service running.'\n desc \"Worker Nodes are maintained and monitored by the Master Node. Direct\naccess and manipulation of the nodes should not take place by administrators.\nWorker nodes should be treated as immutable and updated via replacement rather\nthan in-place upgrades.\"\n desc 'rationale', ''\n desc 'check', \"\n Log in to each worker node. Verify that the sshd service is not running. To\nvalidate that the service is not running, run the command:\n\n systemctl status sshd\n\n If the service sshd is active (running), this is a finding.\n\n Note: If console access is not available, SSH access can be attempted. If\nthe worker nodes cannot be reached, this requirement is \\\"not a finding\\\".\n \"\n desc 'fix', \"\n To stop the sshd service, run the command:\n\n systemctl stop sshd\n\n Note: If access to the worker node is through an SSH session, it is\nimportant to realize there are two requirements for disabling and stopping the\nsshd service and they should be done during the same SSH session. Disabling the\nservice must be performed first and then the service stopped to guarantee both\nsettings can be made if the session is interrupted.\n \"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-APP-000033-CTR-000095'\n tag gid: 'V-242393'\n tag rid: 'SV-242393r717015_rule'\n tag stig_id: 'CNTR-K8-000400'\n tag fix_id: 'F-45626r717014_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n\n describe service('sshd') do\n it { should_not be_running }\n end\nend\n",
"desc": "Worker Nodes are maintained and monitored by the Master Node. Direct\naccess and manipulation of the nodes should not take place by administrators.\nWorker nodes should be treated as immutable and updated via replacement rather\nthan in-place upgrades.",
"descriptions": [
{
"data": "Worker Nodes are maintained and monitored by the Master Node. Direct\naccess and manipulation of the nodes should not take place by administrators.\nWorker nodes should be treated as immutable and updated via replacement rather\nthan in-place upgrades.",
"label": "default"
},
{
"data": "",
"label": "rationale"
},
{
"data": "Log in to each worker node. Verify that the sshd service is not running. To\nvalidate that the service is not running, run the command:\n\n systemctl status sshd\n\n If the service sshd is active (running), this is a finding.\n\n Note: If console access is not available, SSH access can be attempted. If\nthe worker nodes cannot be reached, this requirement is \"not a finding\".",
"label": "check"
},
{
"data": "To stop the sshd service, run the command:\n\n systemctl stop sshd\n\n Note: If access to the worker node is through an SSH session, it is\nimportant to realize there are two requirements for disabling and stopping the\nsshd service and they should be done during the same SSH session. Disabling the\nservice must be performed first and then the service stopped to guarantee both\nsettings can be made if the session is interrupted.",
"label": "fix"
}
],
"id": "V-242393",
"impact": 0.5,
"refs": [],
"results": [],
"source_location": {
"line": 3,
"ref": "/home/rnemonik/.inspec/cache/64f618e96910e06ffcd837ee04f7c0c85aa2d63b/controls/V-242393.rb"
},
"tags": {
"cci": ["CCI-000213"],
"fix_id": "F-45626r717014_fix",
"gid": "V-242393",
"gtitle": "SRG-APP-000033-CTR-000095",
"nist": ["AC-3"],
"rid": "SV-242393r717015_rule",
"severity": "medium",
"stig_id": "CNTR-K8-000400"
},
"title": "Kubernetes Worker Nodes must not have sshd service running.",
"waiver_data": {}
},
{
"code": "control 'V-242394' do\n title 'Kubernetes Worker Nodes must not have the sshd service enabled.'\n desc \"Worker Nodes are maintained and monitored by the Master Node. Direct\naccess and manipulation of the nodes must not take place by administrators.\nWorker nodes must be treated as immutable and updated via replacement rather\nthan in-place upgrades.\"\n desc 'rationale', ''\n desc 'check', \"\n Log in to each worker node. Verify that the sshd service is not enabled. To\nvalidate the service is not enabled, run the command:\n\n systemctl is-enabled sshd.service\n\n If the service sshd is enabled, this is a finding.\n\n Note: If console access is not available, SSH access can be attempted. If\nthe worker nodes cannot be reached, this requirement is \\\"not a finding\\\".\n \"\n desc 'fix', \"\n To disable the sshd service, run the command:\n\n chkconfig sshd off\n\n Note: If access to the worker node is through an SSH session, it is\nimportant to realize there are two requirements for disabling and stopping the\nsshd service that must be done during the same SSH session. Disabling the\nservice must be performed first and then the service stopped to guarantee both\nsettings can be made if the session is interrupted.\n \"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-APP-000033-CTR-000095'\n tag gid: 'V-242394'\n tag rid: 'SV-242394r717017_rule'\n tag stig_id: 'CNTR-K8-000410'\n tag fix_id: 'F-45627r717016_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n\n describe service('sshd') do\n it { should_not be_enabled }\n end\nend\n",
"desc": "Worker Nodes are maintained and monitored by the Master Node. Direct\naccess and manipulation of the nodes must not take place by administrators.\nWorker nodes must be treated as immutable and updated via replacement rather\nthan in-place upgrades.",
"descriptions": [
{
"data": "Worker Nodes are maintained and monitored by the Master Node. Direct\naccess and manipulation of the nodes must not take place by administrators.\nWorker nodes must be treated as immutable and updated via replacement rather\nthan in-place upgrades.",
"label": "default"
},
{
"data": "",
"label": "rationale"
},
{
"data": "Log in to each worker node. Verify that the sshd service is not enabled. To\nvalidate the service is not enabled, run the command:\n\n systemctl is-enabled sshd.service\n\n If the service sshd is enabled, this is a finding.\n\n Note: If console access is not available, SSH access can be attempted. If\nthe worker nodes cannot be reached, this requirement is \"not a finding\".",
"label": "check"
},
{
"data": "To disable the sshd service, run the command:\n\n chkconfig sshd off\n\n Note: If access to the worker node is through an SSH session, it is\nimportant to realize there are two requirements for disabling and stopping the\nsshd service that must be done during the same SSH session. Disabling the\nservice must be performed first and then the service stopped to guarantee both\nsettings can be made if the session is interrupted.",
"label": "fix"
}
],
"id": "V-242394",
"impact": 0.5,
"refs": [],
"results": [],
"source_location": {
"line": 3,
"ref": "/home/rnemonik/.inspec/cache/64f618e96910e06ffcd837ee04f7c0c85aa2d63b/controls/V-242394.rb"
},
"tags": {
"cci": ["CCI-000213"],
"fix_id": "F-45627r717016_fix",
"gid": "V-242394",
"gtitle": "SRG-APP-000033-CTR-000095",
"nist": ["AC-3"],
"rid": "SV-242394r717017_rule",
"severity": "medium",
"stig_id": "CNTR-K8-000410"
},
"title": "Kubernetes Worker Nodes must not have the sshd service enabled.",
"waiver_data": {}
},
{
"code": "control 'V-242396' do\n title 'Kubernetes Kubectl cp command must give expected access and results.'\n desc \"One of the tools heavily used to interact with containers in the\nKubernetes cluster is kubectl. The command is the tool System Administrators\nused to create, modify, and delete resources. One of the capabilities of the\ntool is to copy files to and from running containers (i.e., kubectl cp). The\ncommand uses the \\\"tar\\\" command of the container to copy files from the\ncontainer to the host executing the \\\"kubectl cp\\\" command. If the \\\"tar\\\"\ncommand on the container has been replaced by a malicious user, the command can\ncopy files anywhere on the host machine. This flaw has been fixed in later\nversions of the tool. It is recommended to use kubectl versions newer than\n1.12.9.\"\n desc 'rationale', ''\n desc 'check', \"\n From the Master and each Worker node, check the version of kubectl by\nexecuting the command:\n\n kubectl version --client\n\n If the Master or any Work nodes are not using kubectl version 1.12.9 or\nnewer, this is a finding.\n \"\n desc 'fix', \"Upgrade the Master and Worker nodes to the latest version of\nkubectl.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-APP-000033-CTR-000090'\n tag gid: 'V-242396'\n tag rid: 'SV-242396r712544_rule'\n tag stig_id: 'CNTR-K8-000430'\n tag fix_id: 'F-45629r712543_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n\n kubectl = command(input('kubectl_path'))\n\n kubectl_minversion = input('kubectl_minversion')\n\n unless kubectl.exist?\n impact 0.0\n desc 'caveat', 'kubectl command available on target on the target.'\n\n describe 'kubectl command not found on target' do\n skip\n end\n end\n\n if kubectl.exist?\n describe json(command: \"#{input('kubectl_path')} version --client --output=json\") do\n its(%w(clientVersion gitVersion)) { should cmp >= kubectl_minversion }\n end\n end\nend\n",
"desc": "One of the tools heavily used to interact with containers in the\nKubernetes cluster is kubectl. The command is the tool System Administrators\nused to create, modify, and delete resources. One of the capabilities of the\ntool is to copy files to and from running containers (i.e., kubectl cp). The\ncommand uses the \"tar\" command of the container to copy files from the\ncontainer to the host executing the \"kubectl cp\" command. If the \"tar\"\ncommand on the container has been replaced by a malicious user, the command can\ncopy files anywhere on the host machine. This flaw has been fixed in later\nversions of the tool. It is recommended to use kubectl versions newer than\n1.12.9.",
"descriptions": [
{
"data": "One of the tools heavily used to interact with containers in the\nKubernetes cluster is kubectl. The command is the tool System Administrators\nused to create, modify, and delete resources. One of the capabilities of the\ntool is to copy files to and from running containers (i.e., kubectl cp). The\ncommand uses the \"tar\" command of the container to copy files from the\ncontainer to the host executing the \"kubectl cp\" command. If the \"tar\"\ncommand on the container has been replaced by a malicious user, the command can\ncopy files anywhere on the host machine. This flaw has been fixed in later\nversions of the tool. It is recommended to use kubectl versions newer than\n1.12.9.",
"label": "default"
},
{
"data": "",
"label": "rationale"
},
{
"data": "From the Master and each Worker node, check the version of kubectl by\nexecuting the command:\n\n kubectl version --client\n\n If the Master or any Worker nodes are not using kubectl version 1.12.9 or\nnewer, this is a finding.",
"label": "check"
},
{
"data": "Upgrade the Master and Worker nodes to the latest version of\nkubectl.",
"label": "fix"
}
],
"id": "V-242396",
"impact": 0.5,
"refs": [],
"results": [],
"source_location": {
"line": 3,
"ref": "/home/rnemonik/.inspec/cache/64f618e96910e06ffcd837ee04f7c0c85aa2d63b/controls/V-242396.rb"
},
"tags": {
"cci": ["CCI-000213"],
"fix_id": "F-45629r712543_fix",
"gid": "V-242396",
"gtitle": "SRG-APP-000033-CTR-000090",
"nist": ["AC-3"],
"rid": "SV-242396r712544_rule",
"severity": "medium",
"stig_id": "CNTR-K8-000430"
},
"title": "Kubernetes Kubectl cp command must give expected access and results.",
"waiver_data": {}
},
{
"code": "control 'V-242397' do\n title 'The Kubernetes kubelet static PodPath must not enable static pods.'\n desc \"Allowing kubelet to set a staticPodPath gives containers with root\naccess permissions to traverse the hosting filesystem. The danger comes when\nthe container can create a manifest file within the /etc/kubernetes/manifests\ndirectory. When a manifest is created within this directory, containers are\nentirely governed by the Kubelet not the API Server. The container is not\nsusceptible to admission control at all. Any containers or pods that are\ninstantiated in this manner are called \\\"static pods\\\" and are meant to be used\nfor pods such as the API server, scheduler, controller, etc., not workload pods\nthat need to be governed by the API Server.\"\n desc 'rationale', ''\n desc 'check', \"\n On the Master and Worker nodes, change to the /etc/sysconfig/ directory and\nrun the command:\n\n grep -i staticPodPath kubelet\n\n If any of the nodes return a value for staticPodPath, this is a finding.\n \"\n desc 'fix', \"\n Edit the kubelet file on each node under the /etc/sysconfig directory to\nremove the staticPodPath setting and restart the kubelet service by executing\nthe command:\n\n service kubelet restart\n \"\n impact 0.7\n tag severity: 'high'\n tag gtitle: 'SRG-APP-000033-CTR-000090'\n tag gid: 'V-242397'\n tag rid: 'SV-242397r712547_rule'\n tag stig_id: 'CNTR-K8-000440'\n tag fix_id: 'F-45630r712546_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n\n describe kubelet do\n its('staticPodPath') { should be_nil }\n end\n\n describe kubelet_config_file do\n its('staticPodPath') { should be_nil }\n end\nend\n",
"desc": "Allowing kubelet to set a staticPodPath gives containers with root\naccess permissions to traverse the hosting filesystem. The danger comes when\nthe container can create a manifest file within the /etc/kubernetes/manifests\ndirectory. When a manifest is created within this directory, containers are\nentirely governed by the Kubelet not the API Server. The container is not\nsusceptible to admission control at all. Any containers or pods that are\ninstantiated in this manner are called \"static pods\" and are meant to be used\nfor pods such as the API server, scheduler, controller, etc., not workload pods\nthat need to be governed by the API Server.",
"descriptions": [
{
"data": "Allowing kubelet to set a staticPodPath gives containers with root\naccess permissions to traverse the hosting filesystem. The danger comes when\nthe container can create a manifest file within the /etc/kubernetes/manifests\ndirectory. When a manifest is created within this directory, containers are\nentirely governed by the Kubelet not the API Server. The container is not\nsusceptible to admission control at all. Any containers or pods that are\ninstantiated in this manner are called \"static pods\" and are meant to be used\nfor pods such as the API server, scheduler, controller, etc., not workload pods\nthat need to be governed by the API Server.",
"label": "default"
},
{
"data": "",
"label": "rationale"
},
{
"data": "On the Master and Worker nodes, change to the /etc/sysconfig/ directory and\nrun the command:\n\n grep -i staticPodPath kubelet\n\n If any of the nodes return a value for staticPodPath, this is a finding.",
"label": "check"
},
{
"data": "Edit the kubelet file on each node under the /etc/sysconfig directory to\nremove the staticPodPath setting and restart the kubelet service by executing\nthe command:\n\n service kubelet restart",
"label": "fix"
}
],
"id": "V-242397",
"impact": 0.7,
"refs": [],
"results": [],
"source_location": {
"line": 3,
"ref": "/home/rnemonik/.inspec/cache/64f618e96910e06ffcd837ee04f7c0c85aa2d63b/controls/V-242397.rb"
},
"tags": {
"cci": ["CCI-000213"],
"fix_id": "F-45630r712546_fix",
"gid": "V-242397",
"gtitle": "SRG-APP-000033-CTR-000090",
"nist": ["AC-3"],
"rid": "SV-242397r712547_rule",
"severity": "high",
"stig_id": "CNTR-K8-000440"
},
"title": "The Kubernetes kubelet static PodPath must not enable static pods.",
"waiver_data": {}
},
{
"code": "control 'V-242398' do\n title 'Kubernetes DynamicAuditing must not be enabled.'\n desc \"Protecting the audit data from change or deletion is important when an\nattack occurs. One way an attacker can cover their tracks is to change or\ndelete audit records. This will either make the attack unnoticeable or make it\nmore difficult to investigate how the attack took place and what changes were\nmade. The audit data can be protected through audit log file protections and\nuser authorization.\n\n One way for an attacker to thwart these measures is to send the audit logs\nto another source and filter the audited results before sending them on to the\noriginal target. This can be done in Kubernetes through the configuration of\ndynamic audit webhooks through the DynamicAuditing flag.\n \"\n desc 'rationale', ''\n desc 'check', \"\n On the Master node, change to the manifests' directory at\n/etc/kubernetes/manifests and run the command:\n\n grep -i feature-gates *\n\n Review the feature-gates setting, if one is returned.\n\n If the feature-gates setting is available and contains the DynamicAuditing\nflag set to \\\"true\\\", this is a finding.\n\n Change to the directory /etc/sysconfig on the Master and each Worker Node\nand execute the command:\n\n grep -i feature-gates kubelet\n\n Review every feature-gates setting that is returned.\n\n If any feature-gates setting is available and contains the\n\\\"DynamicAuditing\\\" flag set to \\\"true\\\", this is a finding.\n \"\n desc 'fix', \"Edit any manifest files or kubelet config files that contain\nthe feature-gates setting with DynamicAuditing set to \\\"true\\\". Set the flag to\n\\\"false\\\" or remove the \\\"DynamicAuditing\\\" setting completely. Restart the\nkubelet service if the kubelet config file is changed.\"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-APP-000033-CTR-000100'\n tag gid: 'V-242398'\n tag rid: 'SV-242398r717019_rule'\n tag stig_id: 'CNTR-K8-000450'\n tag fix_id: 'F-45631r717018_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n\n describe kube_scheduler do\n its('feature-gates.to_s') { should_not match /DynamicAuditing=[T|t]rue/ }\n end\n\n describe kube_controller_manager do\n its('feature-gates.to_s') { should_not match /DynamicAuditing=[T|t]rue/ }\n end\n\n describe kube_apiserver do\n its('feature-gates.to_s') { should_not match /DynamicAuditing=[T|t]rue/ }\n end\n\n describe kubelet do\n its('feature-gates.to_s') { should_not match /DynamicAuditing=[T|t]rue/ }\n end\n\n describe kubelet_config_file do\n its(%w(featureGates DynamicAuditing)) { should_not cmp 'true' }\n end\nend\n",
"desc": "Protecting the audit data from change or deletion is important when an\nattack occurs. One way an attacker can cover their tracks is to change or\ndelete audit records. This will either make the attack unnoticeable or make it\nmore difficult to investigate how the attack took place and what changes were\nmade. The audit data can be protected through audit log file protections and\nuser authorization.\n\n One way for an attacker to thwart these measures is to send the audit logs\nto another source and filter the audited results before sending them on to the\noriginal target. This can be done in Kubernetes through the configuration of\ndynamic audit webhooks through the DynamicAuditing flag.",
"descriptions": [
{
"data": "Protecting the audit data from change or deletion is important when an\nattack occurs. One way an attacker can cover their tracks is to change or\ndelete audit records. This will either make the attack unnoticeable or make it\nmore difficult to investigate how the attack took place and what changes were\nmade. The audit data can be protected through audit log file protections and\nuser authorization.\n\n One way for an attacker to thwart these measures is to send the audit logs\nto another source and filter the audited results before sending them on to the\noriginal target. This can be done in Kubernetes through the configuration of\ndynamic audit webhooks through the DynamicAuditing flag.",
"label": "default"
},
{
"data": "",
"label": "rationale"
},
{
"data": "On the Master node, change to the manifests' directory at\n/etc/kubernetes/manifests and run the command:\n\n grep -i feature-gates *\n\n Review the feature-gates setting, if one is returned.\n\n If the feature-gates setting is available and contains the DynamicAuditing\nflag set to \"true\", this is a finding.\n\n Change to the directory /etc/sysconfig on the Master and each Worker Node\nand execute the command:\n\n grep -i feature-gates kubelet\n\n Review every feature-gates setting that is returned.\n\n If any feature-gates setting is available and contains the\n\"DynamicAuditing\" flag set to \"true\", this is a finding.",
"label": "check"
},
{
"data": "Edit any manifest files or kubelet config files that contain\nthe feature-gates setting with DynamicAuditing set to \"true\". Set the flag to\n\"false\" or remove the \"DynamicAuditing\" setting completely. Restart the\nkubelet service if the kubelet config file is changed.",
"label": "fix"
}
],
"id": "V-242398",
"impact": 0.5,
"refs": [],
"results": [],
"source_location": {
"line": 3,
"ref": "/home/rnemonik/.inspec/cache/64f618e96910e06ffcd837ee04f7c0c85aa2d63b/controls/V-242398.rb"
},
"tags": {
"cci": ["CCI-000213"],
"fix_id": "F-45631r717018_fix",
"gid": "V-242398",
"gtitle": "SRG-APP-000033-CTR-000100",
"nist": ["AC-3"],
"rid": "SV-242398r717019_rule",
"severity": "medium",
"stig_id": "CNTR-K8-000450"
},
"title": "Kubernetes DynamicAuditing must not be enabled.",
"waiver_data": {}
},
{
"code": "control 'V-242399' do\n title 'Kubernetes DynamicKubeletConfig must not be enabled.'\n desc \"Kubernetes allows a user to configure kubelets with dynamic\nconfigurations. When dynamic configuration is used, the kubelet will watch for\nchanges to the configuration file. When changes are made, the kubelet will\nautomatically restart. Allowing this capability bypasses access restrictions\nand authorizations. Using this capability, an attacker can lower the security\nposture of the kubelet, which includes allowing the ability to run arbitrary\ncommands in any container running on that node.\"\n desc 'rationale', ''\n desc 'check', \"\n On the Master node, change to the manifests' directory at\n/etc/kubernetes/manifests and run the command:\n\n grep -i feature-gates *\n\n Review the feature-gates setting if one is returned.\n\n If the feature-gates setting does not exist or feature-gates does not\ncontain the DynamicKubeletConfig flag or the \\\"DynamicKubletConfig\\\" flag is\nset to \\\"true\\\", this is a finding.\n\n Change to the directory /etc/sysconfig on the Master and each Worker node\nand execute the command:\n\n grep -i feature-gates kubelet\n\n Review every feature-gates setting if one is returned.\n\n If the feature-gates setting does not exist or feature-gates does not\ncontain the DynamicKubeletConfig flag or the DynamicKubletConfig flag is set to\n\\\"true\\\", this is a finding.\n \"\n desc 'fix', \"\n Edit any manifest file or kubelet config file that does not contain a\nfeature-gates setting or has DynamicKubeletConfig set to \\\"true\\\".\n\n An omission of DynamicKubeletConfig within the feature-gates defaults to\ntrue. Set DynamicKubeletConfig to \\\"false\\\". Restart the kubelet service if the\nkubelet config file is changed.\n \"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-APP-000033-CTR-000095'\n tag gid: 'V-242399'\n tag rid: 'SV-242399r717021_rule'\n tag stig_id: 'CNTR-K8-000460'\n tag fix_id: 'F-45632r717020_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n\n describe kube_scheduler do\n its('feature-gates.to_s') { should match /DynamicKubeletConfig=[F|f]alse/ }\n end\n\n describe kube_controller_manager do\n its('feature-gates.to_s') { should match /DynamicKubeletConfig=[F|f]alse/ }\n end\n\n describe kube_apiserver do\n its('feature-gates.to_s') { should match /DynamicKubeletConfig=[F|f]alse/ }\n end\n\n describe.one do\n describe kubelet do\n its('feature-gates.to_s') { should match /DynamicKubeletConfig=[F|f]alse/ }\n end\n describe kubelet_config_file do\n its(%w(featureGates DynamicKubeletConfig)) { should_not cmp 'false' }\n end\n end\nend\n",
"desc": "Kubernetes allows a user to configure kubelets with dynamic\nconfigurations. When dynamic configuration is used, the kubelet will watch for\nchanges to the configuration file. When changes are made, the kubelet will\nautomatically restart. Allowing this capability bypasses access restrictions\nand authorizations. Using this capability, an attacker can lower the security\nposture of the kubelet, which includes allowing the ability to run arbitrary\ncommands in any container running on that node.",
"descriptions": [
{
"data": "Kubernetes allows a user to configure kubelets with dynamic\nconfigurations. When dynamic configuration is used, the kubelet will watch for\nchanges to the configuration file. When changes are made, the kubelet will\nautomatically restart. Allowing this capability bypasses access restrictions\nand authorizations. Using this capability, an attacker can lower the security\nposture of the kubelet, which includes allowing the ability to run arbitrary\ncommands in any container running on that node.",
"label": "default"
},
{
"data": "",
"label": "rationale"
},
{
"data": "On the Master node, change to the manifests' directory at\n/etc/kubernetes/manifests and run the command:\n\n grep -i feature-gates *\n\n Review the feature-gates setting if one is returned.\n\n If the feature-gates setting does not exist or feature-gates does not\ncontain the DynamicKubeletConfig flag or the \"DynamicKubeletConfig\" flag is\nset to \"true\", this is a finding.\n\n Change to the directory /etc/sysconfig on the Master and each Worker node\nand execute the command:\n\n grep -i feature-gates kubelet\n\n Review every feature-gates setting if one is returned.\n\n If the feature-gates setting does not exist or feature-gates does not\ncontain the DynamicKubeletConfig flag or the DynamicKubeletConfig flag is set to\n\"true\", this is a finding.",
"label": "check"
},
{
"data": "Edit any manifest file or kubelet config file that does not contain a\nfeature-gates setting or has DynamicKubeletConfig set to \"true\".\n\n An omission of DynamicKubeletConfig within the feature-gates defaults to\ntrue. Set DynamicKubeletConfig to \"false\". Restart the kubelet service if the\nkubelet config file is changed.",
"label": "fix"
}
],
"id": "V-242399",
"impact": 0.5,
"refs": [],
"results": [],
"source_location": {
"line": 3,
"ref": "/home/rnemonik/.inspec/cache/64f618e96910e06ffcd837ee04f7c0c85aa2d63b/controls/V-242399.rb"
},
"tags": {
"cci": ["CCI-000213"],
"fix_id": "F-45632r717020_fix",
"gid": "V-242399",
"gtitle": "SRG-APP-000033-CTR-000095",
"nist": ["AC-3"],
"rid": "SV-242399r717021_rule",
"severity": "medium",
"stig_id": "CNTR-K8-000460"
},
"title": "Kubernetes DynamicKubeletConfig must not be enabled.",
"waiver_data": {}
},
{
"code": "control 'V-242400' do\n title 'The Kubernetes API server must have Alpha APIs disabled.'\n desc \"Kubernetes allows alpha API calls within the API server. The alpha\nfeatures are disabled by default since they are not ready for production and\nlikely to change without notice. These features may also contain security\nissues that are rectified as the feature matures. To keep the Kubernetes\ncluster secure and stable, these alpha features must not be used.\"\n desc 'rationale', ''\n desc 'check', \"\n On the Master node, change to the manifests' directory at\n/etc/kubernetes/manifests and run the command:\n\n grep -i feature-gates *\n\n Review the feature-gates setting, if one is returned.\n\n If the feature-gates setting is available and contains the AllAlpha flag\nset to \\\"true\\\", this is a finding.\n \"\n desc 'fix', \"\n Edit any manifest files that contain the feature-gates setting with\nAllAlpha set to \\\"true\\\". Set the flag to \\\"false\\\" or remove the AllAlpha\nsetting completely.\n (AllAlpha- default=false)\n \"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-APP-000033-CTR-000090'\n tag gid: 'V-242400'\n tag rid: 'SV-242400r712556_rule'\n tag stig_id: 'CNTR-K8-000470'\n tag fix_id: 'F-45633r712555_fix'\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n\n describe kube_scheduler do\n its('feature-gates.to_s') { should_not match /AllAlpha=[T|t]rue/ }\n end\n\n describe kube_controller_manager do\n its('feature-gates.to_s') { should_not match /AllAlpha=[T|t]rue/ }\n end\n\n describe kube_apiserver do\n its('feature-gates.to_s') { should_not match /AllAlpha=[T|t]rue/ }\n end\n\n describe kubelet do\n its('feature-gates.to_s') { should_not match /AllAlpha=[T|t]rue/ }\n end\n\n describe kubelet_config_file do\n its(%w(featureGates AllAlpha)) { should_not cmp 'true' }\n end\nend\n",
"desc": "Kubernetes allows alpha API calls within the API server. The alpha\nfeatures are disabled by default since they are not ready for production and\nlikely to change without notice. These features may also contain security\nissues that are rectified as the feature matures. To keep the Kubernetes\ncluster secure and stable, these alpha features must not be used.",
"descriptions": [
{
"data": "Kubernetes allows alpha API calls within the API server. The alpha\nfeatures are disabled by default since they are not ready for production and\nlikely to change without notice. These features may also contain security\nissues that are rectified as the feature matures. To keep the Kubernetes\ncluster secure and stable, these alpha features must not be used.",
"label": "default"
},
{
"data": "",
"label": "rationale"
},
{
"data": "On the Master node, change to the manifests' directory at\n/etc/kubernetes/manifests and run the command:\n\n grep -i feature-gates *\n\n Review the feature-gates setting, if one is returned.\n\n If the feature-gates setting is available and contains the AllAlpha flag\nset to \"true\", this is a finding.",
"label": "check"
},
{
"data": "Edit any manifest files that contain the feature-gates setting with\nAllAlpha set to \"true\". Set the flag to \"false\" or remove the AllAlpha\nsetting completely.\n (AllAlpha- default=false)",
"label": "fix"
}
],
"id": "V-242400",
"impact": 0.5,
"refs": [],
"results": [],
"source_location": {
"line": 3,
"ref": "/home/rnemonik/.inspec/cache/64f618e96910e06ffcd837ee04f7c0c85aa2d63b/controls/V-242400.rb"
},
"tags": {
"cci": ["CCI-000213"],
"fix_id": "F-45633r712555_fix",
"gid": "V-242400",
"gtitle": "SRG-APP-000033-CTR-000090",
"nist": ["AC-3"],
"rid": "SV-242400r712556_rule",
"severity": "medium",
"stig_id": "CNTR-K8-000470"
},
"title": "The Kubernetes API server must have Alpha APIs disabled.",
"waiver_data": {}
},
{
"code": "control 'V-242401' do\n title 'The Kubernetes API Server must have an audit policy set.'\n desc \"When Kubernetes is started, components and user services are started.\nFor auditing startup events, and events for components and services, it is\nimportant that auditing begin on startup. Within Kubernetes, audit data for all\ncomponents is generated by the API server. To enable auditing to begin, an\naudit policy must be defined for the events and the information to be stored\nwith each event. It is also necessary to give a secure location where the audit\nlogs are to be stored. If an audit log path is not specified, all audit data is\nsent to studio.\"\n desc 'rationale', ''\n desc 'check', \"\n Change to the /etc/kubernetes/manifests directory on the Kubernetes Master\nNode. Run the command:\n\n grep -i audit-policy-file *\n\n If the audit-policy-file is not set, this is a finding.\n \"\n desc 'fix', \"\n Edit the Kubernetes API Server manifest and set \\\"--audit-policy-file\\\" to\nthe audit policy file.\n\n Note: If the API server is running as a Pod, then the manifest will also\nneed to be updated to mount the host system filesystem where the audit policy\nfile resides.\n \"\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-APP-000092-CTR-000165'\n tag gid: 'V-242401'\n tag rid: 'SV-242401r712559_rule'\n tag stig_id: 'CNTR-K8-000600'\n tag fix_id: 'F-45634r717023_fix'\n tag cci: ['CCI-001464']\n tag nist: ['AU-14 (1)']\n\n unless kube_apiserver.exist?\n impact 0.0\n desc 'caveat', 'Kubernetes API Server process is not running on the target.'\n end\n\n describe kube_apiserver do\n its('audit-policy-file') { should_not be_nil }\n end\nend\n",
"desc": "When Kubernetes is started, components and user services are started.\nFor auditing startup events, and events for components and services, it is\nimportant that auditing begin on startup. Within Kubernetes, audit data for all\ncomponents is generated by the API server. To enable auditing to begin, an\naudit policy must be defined for the events and the information to be stored\nwith each event. It is also necessary to give a secure location where the audit\nlogs are to be stored. If an audit log path is not specified, all audit data is\nsent to stdout.",
"descriptions": [
{
"data": "When Kubernetes is started, components and user services are started.\nFor auditing startup events, and events for components and services, it is\nimportant that auditing begin on startup. Within Kubernetes, audit data for all\ncomponents is generated by the API server. To enable auditing to begin, an\naudit policy must be defined for the events and the information to be stored\nwith each event. It is also necessary to give a secure location where the audit\nlogs are to be stored. If an audit log path is not specified, all audit data is\nsent to stdout.",
"label": "default"
},
{
"data": "",
"label": "rationale"
},
{
"data": "Change to the /etc/kubernetes/manifests directory on the Kubernetes Master\nNode. Run the command:\n\n grep -i audit-policy-file *\n\n If the audit-policy-file is not set, this is a finding.",
"label": "check"
},
{
"data": "Edit the Kubernetes API Server manifest and set \"--audit-policy-file\" to\nthe audit policy file.\n\n Note: If the API server is running as a Pod, then the manifest will also\nneed to be updated to mount the host system filesystem where the audit policy\nfile resides.",
"label": "fix"
}
],