Check: CNTR-K8-002620
Kubernetes STIG:
CNTR-K8-002620
(in versions v1 r11 through v1 r7)
Title
Kubernetes API Server must disable basic authentication to protect information in transit. (Cat I impact)
Discussion
Kubernetes basic authentication sends and receives request containing username, uid, groups, and other fields over a clear text HTTP communication. Basic authentication does not provide any security mechanisms using encryption standards. PKI certificate-based authentication must be set over a secure channel to ensure confidentiality and integrity. Basic authentication must not be set in the manifest file.
Check Content
Change to the /etc/kubernetes/manifests/ directory on the Kubernetes Control Plane. Run the command: grep -i basic-auth-file * If "basic-auth-file" is set in the Kubernetes API server manifest file this is a finding.
Fix Text
Edit the Kubernetes API Server manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Control Plane. Remove the setting "--basic-auth-file".
Additional Identifiers
Rule ID: SV-245542r918141_rule
Vulnerability ID: V-245542
Group Title: SRG-APP-000439-CTR-001080
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002448 |
The organization distributes asymmetric cryptographic keys using: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; or approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user^s private key. |
Controls
| Number | Title |
|---|---|
| SC-12 (3) |
Asymmetric Keys |