Navigate

Check: CNTR-K8-000420

Kubernetes STIG: CNTR-K8-000420 (in versions v1 r11 through v1 r7)

Title

Kubernetes dashboard must not be enabled. (Cat II impact)

Discussion

While the Kubernetes dashboard is not inherently insecure on its own, it is often coupled with a misconfiguration of Role-Based Access control (RBAC) permissions that can unintentionally over-grant access. It is not commonly protected with "NetworkPolicies", preventing all pods from being able to reach it. In increasingly rare circumstances, the Kubernetes dashboard is exposed publicly to the internet.

Check Content

From the Control Plane, run the command: kubectl get pods --all-namespaces -l k8s-app=kubernetes-dashboard If any resources are returned, this is a finding.

Fix Text

Delete the Kubernetes dashboard deployment with the following command: kubectl delete deployment kubernetes-dashboard --namespace=kube-system

Additional Identifiers

Rule ID: SV-242395r879530_rule

Vulnerability ID: V-242395

Group Title: SRG-APP-000033-CTR-000095

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000213	The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AC-3	Access Enforcement