Check: CNTR-K8-002700
Kubernetes STIG:
CNTR-K8-002700
(in versions v1 r6 through v1 r0.1)
Title
Kubernetes must remove old components after updated versions have been installed. (Cat II impact)
Discussion
Previous versions of Kubernetes components that are not removed after updates have been installed may be exploited by adversaries by allowing the vulnerabilities to still exist within the cluster. It is important for Kubernetes to remove old pods when newer pods are created using new images to always be at the desired security state.
Check Content
To view all pods and the images used to create the pods, from the Master node, run the following command: kubectl get pods --all-namespaces -o jsonpath="{..image}" | \ tr -s '[[:space:]]' '\n' | \ sort | \ uniq -c Review the images used for pods running within Kubernetes. If there are multiple versions of the same image, this is a finding.
Fix Text
Remove any old pods that are using older images. On the Master node, run the command: kubectl delete pod podname (Note: "podname" is the name of the pod to delete.)
Additional Identifiers
Rule ID: SV-242442r712682_rule
Vulnerability ID: V-242442
Group Title: SRG-APP-000454-CTR-001110
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002617 |
The organization removes organization-defined software components (e.g., previous versions) after updated versions have been installed. |
Controls
Number | Title |
---|---|
SI-2 (6) |
Removal Of Previous Versions Of Software / Firmware |