Kubernetes Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Kubernetes API Server audit logs must be enabled.
Kubernetes API Server validates and configures pods and services for the API object. The REST operation provides frontend functionality to the cluster share state. Enabling audit logs provides a wa...Rule Medium Severity -
Kubernetes must have a Pod Security Admission control file configured.
An admission controller intercepts and processes requests to the Kubernetes API prior to persistence of the object, but after the request is authenticated and authorized. Kubernetes (> v1.23)offer...Rule High Severity -
The Kubernetes etcd must have file permissions set to 644 or more restrictive.
The Kubernetes etcd key-value store provides a way to store data to the Control Plane. If these files can be changed, data to API object and Control Plane would be compromised.Rule Medium Severity -
SRG-APP-000516-CTR-001335
Group -
The Kubernetes admin kubeconfig must have file permissions set to 644 or more restrictive.
The Kubernetes admin kubeconfig files contain the arguments and settings for the Control Plane services. These services are controller and scheduler. If these files can be changed, the scheduler wi...Rule Medium Severity -
SRG-APP-000516-CTR-001335
Group -
SRG-APP-000190-CTR-000500
Group -
SRG-APP-000014-CTR-000035
Group -
The Kubernetes Scheduler must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
The Kubernetes Scheduler will prohibit the use of SSL and unauthorized versions of TLS protocols to properly secure communication. The use of unsupported protocol exposes vulnerabilities to the Ku...Rule Medium Severity -
SRG-APP-000014-CTR-000040
Group -
The Kubernetes API Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
The Kubernetes API Server will prohibit the use of SSL and unauthorized versions of TLS protocols to properly secure communication. The use of unsupported protocol exposes vulnerabilities to the K...Rule Medium Severity -
SRG-APP-000014-CTR-000035
Group -
The Kubernetes etcd must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
Kubernetes etcd PPS must be controlled and conform to the PPSM CAL. Those PPS that fall outside the PPSM CAL must be blocked. Instructions on the PPSM can be found in DoD Instruction 8551.01 Policy.Rule Medium Severity -
The Kubernetes Scheduler must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
Kubernetes Scheduler PPS must be controlled and conform to the PPSM CAL. Those ports, protocols, and services that fall outside the PPSM CAL must be blocked. Instructions on the PPSM can be found i...Rule Medium Severity -
The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.
Kubernetes etcd will prohibit the use of SSL and unauthorized versions of TLS protocols to properly secure communication. The use of unsupported protocol exposes vulnerabilities to the Kubernetes ...Rule Medium Severity -
SRG-APP-000014-CTR-000035
Group -
SRG-APP-000142-CTR-000330
Group -
SRG-APP-000142-CTR-000330
Group -
SRG-APP-000023-CTR-000055
Group -
The Kubernetes Controller Manager must create unique service accounts for each work payload.
The Kubernetes Controller Manager is a background process that embeds core control loops regulating cluster system state through the API Server. Every process executed in a pod has an associated se...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.