
Mirantis Kubernetes Engine Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The Lifetime Minutes and Renewal Threshold Minutes Login Session Controls on MKE must be set.

    The "Lifetime Minutes" and "Renewal Threshold Minutes" login session controls in MKE are part of security features that help manage user sessions within the MKE environment. Setting these controls ...
    Rule Medium Severity
  • User-managed resources must be created in dedicated namespaces.

    Dedicated namespaces act as security boundaries, limiting the blast radius in case of security incidents or misconfigurations. If an issue arises within a specific namespace, it is contained within...
    Rule Medium Severity
  • FIPS mode must be enabled.

    During any user authentication, MKE must use a FIPS-validated SHA-2 or later hash algorithm to protect the integrity of the password authentication process. FIPS mode enforces the use of cryptographic alg...
    Rule High Severity
  • SSH must not run within Linux containers.

    To limit the attack surface of MKE, it is important that the nonessential services are not installed. Containers are designed to be lightweight and isolated, and introducing SSH can add attack vect...
    Rule Medium Severity
  • MKE host network namespace must not be shared.

    Containers in MKE can be started with privileges that are not approved within the organization. To limit the attack surface of MKE, it is essential that privileges meet organization requirements. The networking m...
    Rule Medium Severity
  • For MKE's deployed on an Ubuntu host operating system, the AppArmor profile must be enabled.

    AppArmor protects the Ubuntu OS and applications from various threats by enforcing a security policy, known as an AppArmor profile. The user can either create their own AppArmor profile for...
    Rule Medium Severity
  • Incoming container traffic must be bound to a specific host interface.

    By default, a published container port is bound on every interface of the host (0.0.0.0), so a service meant for one network is reachable from all of them. Binding incoming container traffic to a specific host interface limits exposure to the interface intended for that traffic.
    Rule Medium Severity
  • CPU priority must be set appropriately on all containers.

    By default, all containers on a Docker host share the host's CPU resources equally. By using the resource management capabilities of the Docker host, such as CPU shares, the user controls the host CPU resources that a contai...
    Rule Medium Severity
  • Containers must not map to privileged ports.

    Privileged ports are those ports below 1024 and that require system privileges for their use. If containers are able to use these ports, the container must be run as a privileged user. MKE must sto...
    Rule Medium Severity
  • IPSec network encryption must be configured.

    IPsec encrypts the data traffic between nodes in a Kubernetes cluster, ensuring that the information exchanged is confidential and protected from unauthorized access. This is particularly important...
    Rule Medium Severity
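Several of the rules above (host network namespace, AppArmor profile, binding to a specific host interface, CPU shares, privileged ports, and SSH inside containers) can be checked from the JSON that `docker inspect` prints for each container. The script below is an added example, not part of the STIG or of any Mirantis tooling; it reads that JSON shape (`HostConfig.NetworkMode`, `HostConfig.CpuShares`, `HostConfig.PortBindings`, the top-level `AppArmorProfile`, and the container command) and reports findings. The two container records are constructed for illustration, the sshd test is a heuristic on the command line only, and the AppArmor check is meaningful only on Ubuntu hosts. The exact check procedures for each rule are those in the full STIG text, not this script.

```python
"""Audit docker-inspect output against a subset of the MKE STIG rules.

Added example; not the STIG's own check procedure. Feed it the output of
`docker inspect $(docker ps -q)` or use the constructed sample below.
"""
import json

# Constructed sample in the shape of `docker inspect` output, trimmed to the
# fields the checks use. These are not real containers.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web-ok",
        "Path": "nginx",
        "Args": ["-g", "daemon off;"],
        "Config": {"Cmd": ["nginx", "-g", "daemon off;"]},
        "HostConfig": {
            "NetworkMode": "bridge",
            "CpuShares": 512,
            "PortBindings": {"8080/tcp": [{"HostIp": "10.0.0.5", "HostPort": "8080"}]},
        },
        "AppArmorProfile": "docker-default",
    },
    {
        "Name": "/web-bad",
        "Path": "/usr/sbin/sshd",
        "Args": ["-D"],
        "Config": {"Cmd": ["/usr/sbin/sshd", "-D"]},
        "HostConfig": {
            "NetworkMode": "host",
            "CpuShares": 0,
            "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "80"}]},
        },
        "AppArmorProfile": "",
    },
])

ALL_INTERFACES = ("0.0.0.0", "::")


def audit_container(c):
    """Return a list of finding strings for one docker-inspect record."""
    findings = []
    hc = c.get("HostConfig") or {}

    # Host network namespace must not be shared.
    if hc.get("NetworkMode") == "host":
        findings.append("host network namespace shared (NetworkMode=host)")

    # CPU priority must be set: CpuShares of 0 means "not set" (Docker default
    # weight of 1024), so no explicit priority has been assigned.
    if not hc.get("CpuShares"):
        findings.append("CpuShares not set (container uses default CPU weight)")

    for cport, bindings in (hc.get("PortBindings") or {}).items():
        for b in bindings or []:
            host_ip = b.get("HostIp") or "0.0.0.0"  # empty HostIp means all interfaces
            host_port = b.get("HostPort") or ""
            # Incoming traffic must be bound to a specific host interface.
            if host_ip in ALL_INTERFACES:
                findings.append(f"{cport} published on all interfaces ({host_ip}:{host_port})")
            # Containers must not map to privileged host ports (< 1024).
            if host_port.isdigit() and int(host_port) < 1024:
                findings.append(f"{cport} mapped to privileged host port {host_port}")

    # AppArmor profile must be applied (Ubuntu hosts). Empty or "unconfined"
    # means no profile is enforced for the container.
    if (c.get("AppArmorProfile") or "") in ("", "unconfined"):
        findings.append("no AppArmor profile applied")

    # SSH must not run in containers. Heuristic: sshd on the command line.
    cmd_parts = [c.get("Path") or ""] + list(c.get("Args") or []) + list((c.get("Config") or {}).get("Cmd") or [])
    if any("sshd" in part for part in cmd_parts):
        findings.append("container command runs sshd")

    return findings


def audit(inspect_json):
    """Map container name -> findings for every record in docker-inspect JSON."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        status = "PASS" if not findings else "FAIL"
        print(f"{status} {name}")
        for f in findings:
            print(f"  - {f}")
```

To run it against a live host, replace `SAMPLE_INSPECT` with the text of `docker inspect $(docker ps -q)`. Note that `PortBindings` reflects the `-p` flags given at `docker run`; a container attached to the host network publishes nothing through this field, which is why the `NetworkMode` check is separate.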
