An error occurred:

Check: CNTR-K8-000460

Kubernetes STIG: CNTR-K8-000460 (in versions v1 r11 through v1 r10)

Title

Kubernetes DynamicKubeletConfig must not be enabled. (Cat II impact)

Discussion

Kubernetes allows a user to configure kubelets with dynamic configurations. When dynamic configuration is used, the kubelet will watch for changes to the configuration file. When changes are made, the kubelet will automatically restart. Allowing this capability bypasses access restrictions and authorizations. Using this capability, an attacker can lower the security posture of the kubelet, which includes allowing the ability to run arbitrary commands in any container running on that node.

Check Content

This check is only applicable for Kubernetes versions 1.25 and older. On the Control Plane, change to the manifests' directory at /etc/kubernetes/manifests and run the command: grep -i feature-gates * In each manifest file, if the feature-gates does not exist, or does not contain the "DynamicKubeletConfig" flag, or sets the flag to "true", this is a finding. On each Control Plane and Worker node, run the command: ps -ef | grep kubelet Verify the "feature-gates" option is not present. Note the path to the config file (identified by --config). Inspect the content of the config file: If the "featureGates" setting is not present, or does not contain the "DynamicKubeletConfig", or sets the flag to "true", this is a finding.

Fix Text

This fix is only applicable to Kubernetes version 1.25 and older. On the Control Plane, change to the manifests' directory at /etc/kubernetes/manifests and run the command: grep -i feature-gates * Edit the manifest files so that every manifest has a "--feature-gates" setting with "DynamicKubeletConfig=false". On each Control Plane and Worker Node, run the command: ps -ef | grep kubelet Remove the "feature-gates" option if present. Note the path to the config file (identified by --config). Edit the config file: Add a "featureGates" setting if one does not yet exist. Add the feature gate "DynamicKubeletConfig=false". Restart the kubelet service using the following command: systemctl daemon-reload && systemctl restart kubelet

Additional Identifiers

Rule ID: SV-242399r918164_rule

Vulnerability ID: V-242399

Group Title: SRG-APP-000033-CTR-000095

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000213

The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-3

Access Enforcement