Kubernetes STIG

Kubernetes Security Technical Implementation Guide

| ID | Vuln ID | Title | Cat | Status |
|---|---|---|---|---|
| CNTR-K8-001520 | V-242430 | Kubernetes etcd must have a certificate for communication. | Cat II | |
| CNTR-K8-001450 | V-242423 | Kubernetes etcd must enable client authentication to secure service. | Cat II | |
| CNTR-K8-003270 | V-242460 | The Kubernetes admin.conf must have file permissions set to 644 or more restrictive. | Cat II | |
| CNTR-K8-003130 | V-242446 | The Kubernetes conf files must be owned by root. | Cat II | |
| CNTR-K8-000150 | V-242376 | The Kubernetes Controller Manager must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination. | Cat II | |
| CNTR-K8-000470 | V-242400 | The Kubernetes API server must have Alpha APIs disabled. | Cat II | |
| CNTR-K8-001530 | V-242431 | Kubernetes etcd must have a key file for secure communication. | Cat II | |
| CNTR-K8-001620 | V-242434 | Kubernetes Kubelet must enable kernel protection. | Cat I | |
| CNTR-K8-000400 | V-242393 | Kubernetes Worker Nodes must not have sshd service running. | Cat II | |
| CNTR-K8-003120 | V-242445 | The Kubernetes component etcd must be owned by etcd. | Cat II | |
| CNTR-K8-003350 | V-242468 | The Kubernetes API Server must prohibit communication using TLS version 1.0 and 1.1, and SSL 2.0 and 3.0. | Cat II | |
| CNTR-K8-000380 | V-242392 | The Kubernetes kubelet must enable explicit authorization. | Cat I | |
| CNTR-K8-001550 | V-242433 | Kubernetes etcd must have a peer-key-file set for secure communication. | Cat II | |
| CNTR-K8-003340 | V-242467 | The Kubernetes PKI keys must have file permissions set to 600 or more restrictive. | Cat II | |
| CNTR-K8-000450 | V-242398 | Kubernetes DynamicAuditing must not be enabled. | Cat II | |
