Mirantis Kubernetes Engine Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Swarm Secrets or Kubernetes Secrets must be used.
<VulnDiscussion>Swarm Secrets in Docker Swarm and Kubernetes Secrets both provide mechanisms for encrypting sensitive data at rest. This adds...Rule Medium Severity -
SRG-APP-000038-CTR-000105
<GroupDescription></GroupDescription>Group -
MKE must have Grants created to control authorization to cluster resources.
<VulnDiscussion>MKE uses Role-Based Access Controls (RBAC) to enforce approved authorizations for logical access to information and system re...Rule Medium Severity -
SRG-APP-000039-CTR-000110
<GroupDescription></GroupDescription>Group -
The network ports on all running containers must be limited to required ports.
<VulnDiscussion>To validate that the services are using only the approved ports and protocols, the organization must perform a periodic scan/...Rule Medium Severity -
SRG-APP-000386-CTR-000920
<GroupDescription></GroupDescription>Group -
MKE host network namespace must not be shared.
<VulnDiscussion>MKE can be built with privileges that are not approved within the organization. To limit the attack surface of MKE, it is ess...Rule Medium Severity -
SRG-APP-000092-CTR-000165
<GroupDescription></GroupDescription>Group -
Audit logging must be enabled on MKE.
<VulnDiscussion>Enabling audit logging on MKE enhances security, supports compliance efforts, provides user accountability, and offers valuab...Rule Medium Severity -
SRG-APP-000109-CTR-000215
<GroupDescription></GroupDescription>Group -
MKE must be configured to send audit data to a centralized log server.
<VulnDiscussion>Sending audit data from MKE to a centralized log server enhances centralized monitoring, facilitates efficient incident respo...Rule Medium Severity -
SRG-APP-000141-CTR-000315
<GroupDescription></GroupDescription>Group -
MSR's self-signed certificates must be replaced with DOD trusted, signed certificates.
<VulnDiscussion>Self-signed certificates pose security risks, as they are not issued by a trusted third party. DOD trusted, signed certificat...Rule Medium Severity -
SRG-APP-000141-CTR-000315
<GroupDescription></GroupDescription>Group -
Allowing users and administrators to schedule containers on all nodes must be disabled.
<VulnDiscussion>MKE and MSR are set to disallow administrators and users to schedule containers. This setting must be checked for allowing ad...Rule Medium Severity -
SRG-APP-000141-CTR-000315
<GroupDescription></GroupDescription>Group -
MKE telemetry must be disabled.
<VulnDiscussion>MKE provides a telemetry service that automatically records and transmits data to Mirantis through an encrypted channel for m...Rule Medium Severity -
SRG-APP-000141-CTR-000315
<GroupDescription></GroupDescription>Group -
For MKE's deployed on an Ubuntu host operating system, the AppArmor profile must be enabled.
<VulnDiscussion>AppArmor protects the Ubuntu OS and applications from various threats by enforcing security policy which is also known as App...Rule Medium Severity -
SRG-APP-000141-CTR-000315
<GroupDescription></GroupDescription>Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.