Check: CNTR-K8-001400
Kubernetes STIG:
CNTR-K8-001400
(in versions v2 r2 through v1 r7)
Title
The Kubernetes API server must use approved cipher suites. (Cat II impact)
Discussion
The Kubernetes API server communicates to the kubelet service on the nodes to deploy, update, and delete resources. If an attacker were able to get between this communication and modify the request, the Kubernetes cluster could be compromised. Using approved cypher suites for the communication ensures the protection of the transmitted information, confidentiality, and integrity so that the attacker cannot read or alter this communication.
Check Content
Change to the /etc/kubernetes/manifests/ directory on the Kubernetes Control Plane. Run the command: grep -i tls-cipher-suites * If the setting feature tls-cipher-suites is not set in the Kubernetes API server manifest file or contains no value or does not contain TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, this is a finding.
Fix Text
Edit the Kubernetes API Server manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Control Plane. Set the value of "--tls-cipher-suites" to: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
Additional Identifiers
Rule ID: SV-242418r961110_rule
Vulnerability ID: V-242418
Group Title: SRG-APP-000219-CTR-000550
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001184 |
Protect the authenticity of communications sessions. |
Controls
Number | Title |
---|---|
SC-23 |
Session Authenticity |