Kubernetes Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000014-CTR-000035
<GroupDescription></GroupDescription>Group -
The Kubernetes Scheduler must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
<VulnDiscussion>The Kubernetes Scheduler will prohibit the use of SSL and unauthorized versions of TLS protocols to properly secure communica...Rule Medium Severity -
SRG-APP-000014-CTR-000040
<GroupDescription></GroupDescription>Group -
The Kubernetes API Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
<VulnDiscussion>The Kubernetes API Server will prohibit the use of SSL and unauthorized versions of TLS protocols to properly secure communic...Rule Medium Severity -
SRG-APP-000014-CTR-000035
<GroupDescription></GroupDescription>Group -
The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.
<VulnDiscussion>Kubernetes etcd will prohibit the use of SSL and unauthorized versions of TLS protocols to properly secure communication. Th...Rule Medium Severity -
SRG-APP-000014-CTR-000035
<GroupDescription></GroupDescription>Group -
The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.
<VulnDiscussion>The Kubernetes API Server will prohibit the use of SSL and unauthorized versions of TLS protocols to properly secure communic...Rule Medium Severity -
SRG-APP-000023-CTR-000055
<GroupDescription></GroupDescription>Group -
The Kubernetes Controller Manager must create unique service accounts for each work payload.
<VulnDiscussion>The Kubernetes Controller Manager is a background process that embeds core control loops regulating cluster system state thro...Rule High Severity -
SRG-APP-000033-CTR-000090
<GroupDescription></GroupDescription>Group -
The Kubernetes API Server must enable Node,RBAC as the authorization mode.
<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-ap...Rule Medium Severity -
SRG-APP-000038-CTR-000105
<GroupDescription></GroupDescription>Group -
User-managed resources must be created in dedicated namespaces.
<VulnDiscussion>Creating namespaces for user-managed resources is important when implementing Role-Based Access Controls (RBAC). RBAC allows ...Rule High Severity -
SRG-APP-000033-CTR-000090
<GroupDescription></GroupDescription>Group -
The Kubernetes Scheduler must have secure binding.
<VulnDiscussion>Limiting the number of attack vectors and implementing authentication and encryption on the endpoints available to external s...Rule Medium Severity -
SRG-APP-000033-CTR-000090
<GroupDescription></GroupDescription>Group -
The Kubernetes Controller Manager must have secure binding.
<VulnDiscussion>Limiting the number of attack vectors and implementing authentication and encryption on the endpoints available to external s...Rule Medium Severity -
SRG-APP-000033-CTR-000095
<GroupDescription></GroupDescription>Group -
The Kubernetes API server must have the insecure port flag disabled.
<VulnDiscussion>By default, the API server will listen on two ports. One port is the secure port and the other port is called the "localhost ...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.