Check: CNTR-K8-002001
Kubernetes STIG:
CNTR-K8-002001
(in versions v1 r9 through v1 r7)
Title
Kubernetes must have a Pod Security Admission feature gate set. (Cat I impact)
Discussion
"In order to implement Pod Security Admission controller feature gates must be enabled. Feature gates are a set of key=value pairs that describe Kubernetes features. You can turn these features on or off using the --feature-gates command line flag on each Kubernetes component."
Check Content
Check static pods: On the Control Plane, change to the manifests directory at /etc/kubernetes/manifests and run the command:
grep -i PodSecurity=true *
Ensure the argument "--feature-gates=PodSecurity=true" is present in each manifest file. If kube-apiserver, kube-controller-manager or kube-scheduler is missing the argument "--feature-gates=PodSecurity=true", this is a finding.
Check Kubelet: Run the following command on each Worker Node:
ps -ef | grep kubelet
Verify that the "--feature-gates=PodSecurity=true" argument exists. If it doesn't exist, this is a finding.
Check Control Plane Kubelet config file: On the Kubernetes Control Plane, run the command:
ps -ef | grep kubelet
Check the config file (path identified by --config). Verify that the "--feature-gates=PodSecurity=true" argument exists. If it doesn't exist, this is a finding.
Fix Text
Add the "--feature-gates=PodSecurity=true" argument to every component of Kubernetes.
kube-apiserver, kube-controller-manager and kube-scheduler: These components are started as static pods; their manifests are in the /etc/kubernetes/manifests/ folder. Add the "--feature-gates=PodSecurity=true" argument in each of the files.
Kubelet: Edit the Kubernetes Kubelet file in the --config directory on the Kubernetes Control Plane and add "--feature-gates=PodSecurity=true". Restart the Kubelet service using the following command:
service kubelet restart
Note: If your cluster has multiple nodes, you will need to make the changes on every node where the components are deployed.
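The check and fix above are manual greps across three manifests plus the kubelet command line and config file. The following POSIX sh helper is an added example, not part of the STIG text, that automates the same audit against a directory of static-pod manifests and a kubelet config file. It goes slightly beyond the page's exact-string grep: it accepts the gate anywhere inside a comma-separated --feature-gates list, and (as this example's own assumption about the KubeletConfiguration format) it also accepts the YAML form "featureGates: PodSecurity: true" in the kubelet config file. All manifests and the kubelet config it reads are constructed fixtures written to a temporary directory, so it runs without a cluster.

```shell
#!/bin/sh
# Added audit helper for CNTR-K8-002001 (example code, not from the STIG).
# check_manifests DIR        - one PASS/FINDING line per control-plane component;
#                              return value is the number of findings.
# check_kubelet_cmdline LINE - test a kubelet command line as printed by
#                              "ps -ef | grep kubelet".
# check_kubelet_config FILE  - test the kubelet --config file; accepts the flag
#                              string or the featureGates YAML key (assumed format).

# Matches PodSecurity=true anywhere in a --feature-gates=a=b,c=d list.
GATE_RE='--feature-gates=[^ ]*PodSecurity=true'

check_manifests() {
    dir=$1
    findings=0
    for comp in kube-apiserver kube-controller-manager kube-scheduler; do
        f="$dir/$comp.yaml"
        if [ ! -f "$f" ]; then
            echo "FINDING $comp: manifest $f not found"
            findings=$((findings + 1))
        elif grep -Eq -- "$GATE_RE" "$f"; then
            echo "PASS $comp"
        else
            echo "FINDING $comp: PodSecurity feature gate not set"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

check_kubelet_cmdline() {
    if printf '%s\n' "$1" | grep -Eq -- "$GATE_RE"; then
        echo "PASS kubelet command line"
        return 0
    fi
    echo "FINDING kubelet command line: PodSecurity feature gate not set"
    return 1
}

check_kubelet_config() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "FINDING kubelet config $f not found"
        return 1
    fi
    # Either the flag string the STIG asks for, or a "PodSecurity: true" entry
    # under featureGates (the YAML key is this example's assumption).
    if grep -Eq -- "$GATE_RE" "$f" ||
       grep -Eq '^[[:space:]]*PodSecurity:[[:space:]]*true' "$f"; then
        echo "PASS kubelet config $f"
        return 0
    fi
    echo "FINDING kubelet config $f: PodSecurity feature gate not set"
    return 1
}

# Constructed fixtures: apiserver and scheduler compliant (scheduler via a
# comma-separated gate list), controller-manager non-compliant.
make_fixture() {
    dir=$(mktemp -d)
    cat > "$dir/kube-apiserver.yaml" <<'EOF'
apiVersion: v1
kind: Pod
spec:
  containers:
  - command:
    - kube-apiserver
    - --feature-gates=PodSecurity=true
EOF
    cat > "$dir/kube-controller-manager.yaml" <<'EOF'
apiVersion: v1
kind: Pod
spec:
  containers:
  - command:
    - kube-controller-manager
    - --leader-elect=true
EOF
    cat > "$dir/kube-scheduler.yaml" <<'EOF'
apiVersion: v1
kind: Pod
spec:
  containers:
  - command:
    - kube-scheduler
    - --feature-gates=SomeOtherGate=true,PodSecurity=true
EOF
    cat > "$dir/kubelet-config.yaml" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
featureGates:
  PodSecurity: true
EOF
    echo "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_fixture)
    check_manifests "$d"; echo "manifest findings: $?"
    check_kubelet_cmdline "/usr/bin/kubelet --config=$d/kubelet-config.yaml"
    check_kubelet_config "$d/kubelet-config.yaml"
    rm -rf "$d"
fi
```

Run it with `--demo` to see the fixture audit, or point `check_manifests` at /etc/kubernetes/manifests on a real control plane. One caveat the STIG text does not mention: the PodSecurity feature gate graduated to GA in Kubernetes 1.25 and was later removed from the gate list, so on current releases passing "--feature-gates=PodSecurity=true" is rejected at startup; confirm the cluster version before applying the fix verbatim.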
Additional Identifiers
Rule ID: SV-254801r879719_rule
Vulnerability ID: V-254801
Group Title: SRG-APP-000342-CTR-000775
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002263 | Provide the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in process. |
Controls
Number | Title |
---|---|
AC-16 | Security Attributes |