Title

The network ports on all running containers must be limited to required ports. (Cat II impact)

Discussion

To validate that the services are using only the approved ports and protocols, the organization must perform a periodic scan/review of MKE and disable functions, ports, protocols, and services deemed to be unneeded or nonsecure.

Check Content

Verify that only needed ports are open on all running containers. If an ingress controller is configured for the cluster, this check is not applicable. Via CLI: As a remote MKE admin, execute the following command using a client bundle: docker ps -q | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}' Review the list and ensure that the ports mapped are the ones really needed for the containers per the requirements set forth by the System Security Plan (SSP). If ports are not documented and approved in the SSP, this is a finding.

Fix Text

Configuring an ingress controller is the preferred method to manage external ports. If an ingress controller is not used and unnecessary ports are in use, the container or pod network configurations must be updated. To update a pod's configuration, log in to the MKE UI as an administrator. Navigate to Kubernetes >> Pods and click the pod with an open port that is not allowed. Click the three dots in the upper right corner (edit). Modify the .yaml file to remove the port. Example: spec: container: - name: [pod name] ports: - containerPort: 80 [replace with 443] Click "Save". For a Swarm service, navigate to Swarm >> Services and click on the service with unauthorized port. Click the three dots in the top left corner. Select "Network" in the pop-up and remove the unauthorized port. Click "Save".

Additional Identifiers

Rule ID: SV-260941r966180_rule

Vulnerability ID: V-260941

Group Title: SRG-APP-000383-CTR-000910

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.