An error occurred:

Check: CNTR-K8-002011

Kubernetes STIG: CNTR-K8-002011 (in version v1 r11)

Title

Kubernetes must have a Pod Security Admission control file configured. (Cat I impact)

Discussion

An admission controller intercepts and processes requests to the Kubernetes API prior to persistence of the object, but after the request is authenticated and authorized. Kubernetes (> v1.23)offers a built-in Pod Security admission controller to enforce the Pod Security Standards. Pod security restrictions are applied at the namespace level when pods are created. The Kubernetes Pod Security Standards define different isolation levels for Pods. These standards define how to restrict the behavior of pods in a clear, consistent fashion.

Check Content

Change to the /etc/kubernetes/manifests directory on the Kubernetes Control Plane. Run the command: "grep -i admission-control-config-file *" If the setting "--admission-control-config-file" is not configured in the Kubernetes API Server manifest file, this is a finding. Inspect the .yaml file defined by the --admission-control-config-file. Verify PodSecurity is properly configured. If least privilege is not represented, this is a finding.

Fix Text

Edit the Kubernetes API Server manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Control Plane. Set the value of "--admission-control-config-file" to a valid path for the file. Create an admission controller config file: Example File: ```yaml apiVersion: apiserver.config.k8s.io/v1 kind: AdmissionConfiguration plugins: - name: PodSecurity configuration: apiVersion: pod-security.admission.config.k8s.io/v1beta1 kind: PodSecurityConfiguration # Defaults applied when a mode label is not set. defaults: enforce: "privileged" enforce-version: "latest" exemptions: # Don't forget to exempt namespaces or users that are responsible for deploying # cluster components, because they need to run privileged containers usernames: ["admin"] namespaces: ["kube-system"] See for more details: Migrate from PSP to PSA: https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/ Best Practice: https://kubernetes.io/docs/concepts/security/pod-security-policy/#recommended-practice.

Additional Identifiers

Rule ID: SV-254800r927257_rule

Vulnerability ID: V-254800

Group Title: SRG-APP-000342-CTR-000775

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002263

The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in process.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-16

Security Attributes