Mirantis Kubernetes Engine Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000190-CTR-000500
<GroupDescription></GroupDescription>Group -
The Lifetime Minutes and Renewal Threshold Minutes Login Session Controls on MKE must be set.
<VulnDiscussion>The "Lifetime Minutes" and "Renewal Threshold Minutes" login session controls in MKE are part of security features that help ...Rule Medium Severity -
SRG-APP-000133-CTR-000290
<GroupDescription></GroupDescription>Group -
In an MSR organization, user permissions and repositories must be configured.
<VulnDiscussion>Configuring user permissions, organizations, and repositories in MSR is crucial for maintaining a secure, organized, and effi...Rule Medium Severity -
SRG-APP-000141-CTR-000315
<GroupDescription></GroupDescription>Group -
User-managed resources must be created in dedicated namespaces.
<VulnDiscussion>Dedicated namespaces act as security boundaries, limiting the blast radius in case of security incidents or misconfigurations...Rule Medium Severity -
SRG-APP-000033-CTR-000095
<GroupDescription></GroupDescription>Group -
Least privilege access and need to know must be required to access MKE runtime and instantiate container images.
<VulnDiscussion>To control what is instantiated within MKE, it is important to control access to the runtime. Without this control, container...Rule High Severity -
SRG-APP-000142-CTR-000325
<GroupDescription></GroupDescription>Group -
Only required ports must be open on containers in MKE.
<VulnDiscussion>Ports, protocols, and services within MKE runtime must be controlled and conform to the PPSM CAL. Those ports, protocols, and...Rule High Severity -
SRG-APP-000172-CTR-000440
<GroupDescription></GroupDescription>Group -
MSR telemetry must be disabled.
<VulnDiscussion>MSR provides a telemetry service that automatically records and transmits data to Mirantis through an encrypted channel for m...Rule Medium Severity -
SRG-APP-000141-CTR-000315
<GroupDescription></GroupDescription>Group -
SRG-APP-000158-CTR-000390
<GroupDescription></GroupDescription>Group -
FIPS mode must be enabled.
<VulnDiscussion>During any user authentication, MKE must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password ...Rule High Severity -
SRG-APP-000023-CTR-000055
<GroupDescription></GroupDescription>Group -
MKE must be configured to integrate with an Enterprise Identity Provider.
<VulnDiscussion>Configuring MKE to integrate with an Enterprise Identity Provider enhances security, simplifies user management, ensures comp...Rule Medium Severity -
SRG-APP-000033-CTR-000095
<GroupDescription></GroupDescription>Group -
SSH must not run within Linux containers.
<VulnDiscussion>To limit the attack surface of MKE, it is important that the nonessential services are not installed. Containers are designed...Rule Medium Severity -
SRG-APP-000033-CTR-000100
<GroupDescription></GroupDescription>Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.