Check: CNTR-K8-001620
Kubernetes STIG:
CNTR-K8-001620
(in versions v2 r2 through v1 r10)
Title
Kubernetes Kubelet must enable kernel protection. (Cat I impact)
Discussion
System kernel is responsible for memory, disk, and task management. The kernel provides a gateway between the system hardware and software. Kubernetes requires kernel access to allocate resources to the Control Plane. Threat actors that penetrate the system kernel can inject malicious code or hijack the Kubernetes architecture. It is vital to implement protections through Kubernetes components to reduce the attack surface.
Check Content
On the Control Plane, run the command: ps -ef | grep kubelet If the "--protect-kernel-defaults" option exists, this is a finding. Note the path to the config file (identified by --config). Run the command: grep -i protectKernelDefaults <path_to_config_file> If the setting "protectKernelDefaults" is not set or is set to false, this is a finding.
Fix Text
On the Control Plane, run the command: ps -ef | grep kubelet Remove the "--protect-kernel-defaults" option if present. Note the path to the Kubernetes Kubelet config file (identified by --config). Edit the Kubernetes Kubelet config file: Set "protectKernelDefaults" to "true". Restart the kubelet service using the following command: systemctl daemon-reload && systemctl restart kubelet
Additional Identifiers
Rule ID: SV-242434r961131_rule
Vulnerability ID: V-242434
Group Title: SRG-APP-000233-CTR-000585
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001084 |
Isolate security functions from nonsecurity functions. |
Controls
Number | Title |
---|---|
SC-3 |
Security Function Isolation |