An error occurred:

Check: CNTR-K8-001161

Kubernetes STIG: CNTR-K8-001161 (in version v2 r4)

Title

Sensitive information must be stored using Kubernetes Secrets or an external Secret store provider. (Cat I impact)

Discussion

Sensitive information, such as passwords, keys, and tokens must not be stored in application code. Kubernetes offers a resource called Secrets that are designed for storing sensitive information for use by applications. Secrets are created and managed separately from application code. Additionally, they can be encrypted at rest and access to the secrets can be controlled via RBAC.

Check Content

On the Kubernetes Master node, run the following command: kubectl get all,cm -A -o yaml Manually review the output for sensitive information. If any sensitive information is found, this is a finding.

Fix Text

Any sensitive information found must be stored in an approved external Secret store provider or use Kubernetes Secrets (attached on an as-needed basis to pods).

Additional Identifiers

Rule ID: SV-274883r1107230_rule

Vulnerability ID: V-274883

Group Title: SRG-APP-000171-CTR-000435

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-004062

For password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
No controls are assigned to this check