Check: CNTR-K8-000470
Kubernetes STIG:
CNTR-K8-000470
(in versions v2 r2 through v1 r11)
Title
The Kubernetes API server must have Alpha APIs disabled. (Cat II impact)
Discussion
Kubernetes allows alpha API calls within the API server. The alpha features are disabled by default since they are not ready for production and likely to change without notice. These features may also contain security issues that are rectified as the feature matures. To keep the Kubernetes cluster secure and stable, these alpha features must not be used.
Check Content
On the Control Plane, change to the manifests' directory at /etc/kubernetes/manifests and run the command: grep -i feature-gates * Review the "--feature-gates" setting, if one is returned. If the "--feature-gate"s setting is available and contains the "AllAlpha" flag set to "true", this is a finding.
Fix Text
Edit any manifest file that contains the "--feature-gates" setting with "AllAlpha" set to "true". Set the value of "AllAlpha" to "false" or remove the setting completely. (AllAlpha - default=false)
Additional Identifiers
Rule ID: SV-242400r960792_rule
Vulnerability ID: V-242400
Group Title: SRG-APP-000033-CTR-000090
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000213 |
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
Controls
Number | Title |
---|---|
AC-3 |
Access Enforcement |