Check: CNTR-K8-000420
Kubernetes STIG:
CNTR-K8-000420
(in versions v2 r2 through v1 r7)
Title
Kubernetes dashboard must not be enabled. (Cat II impact)
Discussion
While the Kubernetes dashboard is not inherently insecure on its own, it is often coupled with a misconfiguration of Role-Based Access Control (RBAC) permissions that can unintentionally over-grant access. It is also not commonly protected by "NetworkPolicies" that would prevent arbitrary pods from reaching it. In increasingly rare circumstances, the Kubernetes dashboard is exposed publicly to the internet.
Check Content
From the Control Plane, run the command:

`kubectl get pods --all-namespaces -l k8s-app=kubernetes-dashboard`

If any resources are returned, this is a finding.
Fix Text
Delete the Kubernetes dashboard deployment with the following command:

`kubectl delete deployment kubernetes-dashboard --namespace=kube-system`
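An added shell wrapper for the check above (example code, not part of the STIG text or of kubectl): it classifies the output of the Check Content command as a finding or not, and reports the namespace(s) in which dashboard pods were found, so the Fix Text's delete command can be pointed at the namespace the check actually reported rather than assuming kube-system. The `--no-headers` flag is a standard kubectl option; the pod listing embedded in the block is a constructed sample for offline use.

```shell
#!/bin/sh
# Added example for CNTR-K8-000420; not part of the STIG or of kubectl.

# evaluate_dashboard_listing takes the stdout of
#   kubectl get pods --all-namespaces -l k8s-app=kubernetes-dashboard --no-headers
# and prints FINDING if any resource line is present, NOT_A_FINDING otherwise.
evaluate_dashboard_listing() {
  listing=$1
  # Any line containing a non-blank character is a returned resource.
  if printf '%s\n' "$listing" | grep -q '[^[:space:]]'; then
    echo "FINDING"
  else
    echo "NOT_A_FINDING"
  fi
}

# dashboard_namespaces prints the distinct namespaces from the listing
# (first column of --all-namespaces output) so the fix targets the
# namespace where the dashboard deployment actually lives.
dashboard_namespaces() {
  printf '%s\n' "$1" | awk 'NF > 0 { print $1 }' | sort -u
}

# Constructed sample listing (not captured from a real cluster).
SAMPLE_LISTING='kubernetes-dashboard   kubernetes-dashboard-5c8bd6b59-abcde   1/1   Running   0   3d'

# run_live_check runs the STIG command against the current kubeconfig context.
run_live_check() {
  live=$(kubectl get pods --all-namespaces -l k8s-app=kubernetes-dashboard --no-headers 2>/dev/null) || {
    echo "kubectl failed; cannot evaluate CNTR-K8-000420" >&2
    return 2
  }
  result=$(evaluate_dashboard_listing "$live")
  echo "CNTR-K8-000420: $result"
  if [ "$result" = "FINDING" ]; then
    echo "Dashboard pods found in namespace(s):"
    dashboard_namespaces "$live"
  fi
}

# Run with --demo to evaluate the constructed sample; run with --live
# (needs kubectl and cluster access) to evaluate the real cluster.
case "${1:-}" in
  --demo)
    echo "sample: $(evaluate_dashboard_listing "$SAMPLE_LISTING")"
    dashboard_namespaces "$SAMPLE_LISTING"
    ;;
  --live)
    run_live_check
    ;;
esac
```

On a clean cluster the kubectl command prints nothing to stdout (its "No resources found" message goes to stderr), so an empty listing maps to NOT_A_FINDING; when it is a finding, use the namespace printed by `dashboard_namespaces` in place of `kube-system` in the Fix Text command if the two differ.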
Additional Identifiers
Rule ID: SV-242395r960792_rule
Vulnerability ID: V-242395
Group Title: SRG-APP-000033-CTR-000095
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000213 | Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
Controls
| Number | Title |
|---|---|
| AC-3 | Access Enforcement |