Check: CNTR-K8-002620
Kubernetes STIG:
CNTR-K8-002620
(in versions v2 r2 through v1 r7)
Title
Kubernetes API Server must disable basic authentication to protect information in transit. (Cat I impact)
Discussion
Kubernetes basic authentication sends and receives request containing username, uid, groups, and other fields over a clear text HTTP communication. Basic authentication does not provide any security mechanisms using encryption standards. PKI certificate-based authentication must be set over a secure channel to ensure confidentiality and integrity. Basic authentication must not be set in the manifest file.
Check Content
Change to the /etc/kubernetes/manifests/ directory on the Kubernetes Control Plane. Run the command: grep -i basic-auth-file * If "basic-auth-file" is set in the Kubernetes API server manifest file this is a finding.
Fix Text
Edit the Kubernetes API Server manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Control Plane. Remove the setting "--basic-auth-file".
Additional Identifiers
Rule ID: SV-245542r961632_rule
Vulnerability ID: V-245542
Group Title: SRG-APP-000439-CTR-001080
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002448 |
Distribute asymmetric cryptographic keys using: NSA-approved key management technology and processes; prepositioned keying material; DoD-approved or DoD-issued Medium Assurance PKI certificates; DoD-approved or DoD-issued Medium Hardware Assurance PKI certificates and hardware security tokens that protect the user's private key; or certificates issued in accordance with organization-defined requirements. |
Controls
| Number | Title |
|---|---|
| SC-12(3) |
Asymmetric Keys |