Check: CNTR-K8-000850
Kubernetes STIG:
CNTR-K8-000850
(in versions v2 r2 through v1 r10)
Title
Kubernetes Kubelet must deny hostname override. (Cat II impact)
Discussion
Kubernetes allows for the overriding of hostnames. Allowing this feature to be implemented within the kubelets may break the TLS setup between the kubelet service and the API server. This setting also can make it difficult to associate logs with nodes if security analytics needs to take place. The better practice is to setup nodes with resolvable FQDNs and avoid overriding the hostnames.
Check Content
On the Control Plane and Worker nodes, run the command: ps -ef | grep kubelet If the option "--hostname-override" is present, this is a finding.
Fix Text
Run the command: systemctl status kubelet. Note the path to the drop-in file. Determine the path to the environment file(s) with the command: grep -i EnvironmentFile <path_to_drop_in_file>. Remove the "--hostname-override" option from any environment file where it is present. Restart the kubelet service using the following command: systemctl daemon-reload && systemctl restart kubelet
Additional Identifiers
Rule ID: SV-242404r960960_rule
Vulnerability ID: V-242404
Group Title: SRG-APP-000133-CTR-000290
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001499 |
Limit privileges to change software resident within software libraries. |
Controls
Number | Title |
---|---|
CM-5(6) |
Limit Library Privileges |