Kubernetes STIG

Kubernetes Security Technical Implementation Guide

ID               Vuln ID    Cat      Title
CNTR-K8-001520   V-242430   Cat II   Kubernetes etcd must have a certificate for communication.
CNTR-K8-001450   V-242423   Cat II   Kubernetes etcd must enable client authentication to secure service.
CNTR-K8-003270   V-242460   Cat II   The Kubernetes admin.conf must have file permissions set to 644 or more restrictive.
CNTR-K8-003130   V-242446   Cat II   The Kubernetes conf files must be owned by root.
CNTR-K8-000150   V-242376   Cat II   The Kubernetes Controller Manager must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
CNTR-K8-000470   V-242400   Cat II   The Kubernetes API server must have Alpha APIs disabled.
CNTR-K8-001530   V-242431   Cat II   Kubernetes etcd must have a key file for secure communication.
CNTR-K8-001620   V-242434   Cat I    Kubernetes Kubelet must enable kernel protection.
CNTR-K8-000400   V-242393   Cat II   Kubernetes Worker Nodes must not have sshd service running.
CNTR-K8-003120   V-242445   Cat II   The Kubernetes component etcd must be owned by etcd.
CNTR-K8-003350   V-242468   Cat II   The Kubernetes API Server must prohibit communication using TLS version 1.0 and 1.1, and SSL 2.0 and 3.0.
CNTR-K8-000380   V-242392   Cat I    The Kubernetes kubelet must enable explicit authorization.
CNTR-K8-001550   V-242433   Cat II   Kubernetes etcd must have a peer-key-file set for secure communication.
CNTR-K8-003340   V-242467   Cat II   The Kubernetes PKI keys must have file permissions set to 600 or more restrictive.
CNTR-K8-000450   V-242398   Cat II   Kubernetes DynamicAuditing must not be enabled.
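Most rows in this table map to a single command-line setting or file mode, so they can be audited offline. The script below is an added example, not code from the page, from Xylok or from the STIG itself. It assumes GNU coreutils `stat` and kubeadm-style inputs in which every setting appears as a `--flag=value` token (static-pod manifests under /etc/kubernetes/manifests, the kubelet's kubeadm-flags.env); the sample files it writes are constructed for the demonstration, and the sshd (V-242393) and etcd-ownership (V-242445) checks are left out because they need a live node. The `OWNER` argument of `audit_files` is an assumption added so the file checks can run without root.

```shell
#!/bin/sh
# Added example, not code from the page or from the STIG: audits a subset of the
# checks in the table above. Assumes GNU coreutils `stat` and kubeadm-style files
# in which every setting appears as a "--flag=value" token. Sample input is
# constructed by write_samples below.

# flag_value FILE FLAG: print the value of the last "--FLAG=value" token in FILE.
flag_value() {
    grep -o -e "--$2=[^[:space:]\"']*" "$1" 2>/dev/null | tail -n 1 | sed "s/^--$2=//"
}

# gate_enabled FILE GATE: succeed if --feature-gates in FILE contains GATE=true.
gate_enabled() {
    case ",$(flag_value "$1" feature-gates)," in
        *",$2=true,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# mode_at_most FILE MAX: succeed if FILE sets no permission bit outside octal MAX,
# i.e. "MAX or more restrictive" (640 passes for MAX=644, 664 does not).
mode_at_most() {
    [ $(( 0$(stat -c '%a' "$1") & ~0$2 )) -eq 0 ]
}

# owned_by FILE USER: succeed if FILE is owned by USER (a name or a numeric uid).
owned_by() {
    [ "$(stat -c '%U' "$1")" = "$2" ] || [ "$(stat -c '%u' "$1")" = "$2" ]
}

# Each audit_* function prints one "FAIL <Vuln ID> ..." line per finding and
# returns 1 if anything failed, 0 if the input is compliant.
audit_apiserver() {
    rc=0
    case "$(flag_value "$1" tls-min-version)" in
        VersionTLS12|VersionTLS13) ;;
        *) echo "FAIL V-242468 $1: --tls-min-version must be VersionTLS12 or higher"; rc=1 ;;
    esac
    gate_enabled "$1" AllAlpha && { echo "FAIL V-242400 $1: AllAlpha=true"; rc=1; }
    gate_enabled "$1" DynamicAuditing && { echo "FAIL V-242398 $1: DynamicAuditing=true"; rc=1; }
    return $rc
}

audit_etcd() {
    rc=0
    for pair in V-242430:cert-file V-242431:key-file V-242433:peer-key-file; do
        [ -n "$(flag_value "$1" "${pair#*:}")" ] || { echo "FAIL ${pair%%:*} $1: --${pair#*:} not set"; rc=1; }
    done
    [ "$(flag_value "$1" client-cert-auth)" = true ] || { echo "FAIL V-242423 $1: --client-cert-auth=true required"; rc=1; }
    return $rc
}

audit_kubelet() {
    rc=0
    [ "$(flag_value "$1" authorization-mode)" = Webhook ] || { echo "FAIL V-242392 $1: --authorization-mode must be Webhook"; rc=1; }
    [ "$(flag_value "$1" protect-kernel-defaults)" = true ] || { echo "FAIL V-242434 $1: --protect-kernel-defaults=true required"; rc=1; }
    return $rc
}

# audit_files DIR [OWNER]: DIR mimics /etc/kubernetes. OWNER defaults to root; the
# override is an assumption added so the constructed tree can be checked unprivileged.
audit_files() {
    rc=0; owner=${2:-root}
    mode_at_most "$1/admin.conf" 644 || { echo "FAIL V-242460 $1/admin.conf: looser than 644"; rc=1; }
    for f in "$1"/*.conf; do
        owned_by "$f" "$owner" || { echo "FAIL V-242446 $f: not owned by $owner"; rc=1; }
    done
    for k in "$1"/pki/*.key; do
        mode_at_most "$k" 600 || { echo "FAIL V-242467 $k: looser than 600"; rc=1; }
    done
    return $rc
}

# write_samples DIR: constructed sample input, one compliant and one failing file per component.
write_samples() {
    mkdir -p "$1/pki"
    printf '    - --tls-min-version=VersionTLS12\n    - --feature-gates=AllAlpha=false\n' > "$1/apiserver-ok.yaml"
    printf '    - --tls-min-version=VersionTLS11\n    - --feature-gates=AllAlpha=true,DynamicAuditing=true\n' > "$1/apiserver-bad.yaml"
    printf '    - --cert-file=/etc/kubernetes/pki/etcd/server.crt\n    - --key-file=/etc/kubernetes/pki/etcd/server.key\n    - --peer-key-file=/etc/kubernetes/pki/etcd/peer.key\n    - --client-cert-auth=true\n' > "$1/etcd-ok.yaml"
    printf '    - --cert-file=/etc/kubernetes/pki/etcd/server.crt\n    - --client-cert-auth=false\n' > "$1/etcd-bad.yaml"
    printf 'KUBELET_KUBEADM_ARGS="--authorization-mode=Webhook --protect-kernel-defaults=true"\n' > "$1/kubelet-ok.env"
    printf 'KUBELET_KUBEADM_ARGS="--authorization-mode=AlwaysAllow"\n' > "$1/kubelet-bad.env"
    : > "$1/admin.conf";        chmod 600 "$1/admin.conf"
    : > "$1/pki/ca.key";        chmod 600 "$1/pki/ca.key"
    : > "$1/pki/apiserver.key"; chmod 644 "$1/pki/apiserver.key"   # deliberate V-242467 finding
}

demo=$(mktemp -d); write_samples "$demo"
for f in "$demo"/apiserver-*.yaml; do audit_apiserver "$f" && echo "PASS $f"; done
for f in "$demo"/etcd-*.yaml;      do audit_etcd "$f"      && echo "PASS $f"; done
for f in "$demo"/kubelet-*.env;    do audit_kubelet "$f"   && echo "PASS $f"; done
audit_files "$demo" "$(id -u)" && echo "PASS file permissions and ownership"
rm -rf "$demo"
```

On a real control-plane node the same functions run against /etc/kubernetes/manifests/kube-apiserver.yaml, kube-controller-manager.yaml (which also takes `--tls-min-version`, covering V-242376) and etcd.yaml, and against /etc/kubernetes with the default owner of root. The `mode_at_most` test is a bitmask comparison rather than a numeric one, so a setgid or world-writable bit on an otherwise tight file is still reported.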

