Check: CNTR-K8-002000
Kubernetes STIG:
CNTR-K8-002000
(in versions v1 r6 through v1 r0.1)
Title
The Kubernetes API server must have the ValidatingAdmissionWebhook enabled. (Cat I impact)
Discussion
Enabling the admissions webhook allows for Kubernetes to apply policies against objects that are to be created, read, updated, or deleted. By applying a pod security policy, control can be given to not allow images to be instantiated that run as the root user. If pods run as the root user, the pod then has root privileges to the host system and all the resources it has. An attacker can use this to attack the Kubernetes cluster. By implementing a policy that does not allow root or privileged pods, the pod users are limited in what the pod can do and access.
Check Content
Change to the /etc/kubernetes/manifests directory on the Kubernetes Master Node. Run the command: grep -i ValidatingAdmissionWebhook * If a line is not returned that includes enable-admission-plugins and ValidatingAdmissionWebhook, this is a finding.
Fix Text
Edit the Kubernetes API Server manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the argument "--enable-admission-plugins" to include "ValidatingAdmissionWebhook". Each enabled plugin is separated by commas. Note: It is best to implement policies first and then enable the webhook, otherwise a denial of service may occur.
Additional Identifiers
Rule ID: SV-242436r712664_rule
Vulnerability ID: V-242436
Group Title: SRG-APP-000342-CTR-000775
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002233 |
The information system prevents organization-defined software from executing at higher privilege levels than users executing the software. |
Controls
Number | Title |
---|---|
AC-6 (8) |
Privilege Levels For Code Execution |