Kubernetes Kubelet must deny hostname override.

An XCCDF Rule

Description

Kubernetes allows hostnames to be overridden. Enabling this feature on the kubelets may break the TLS setup between the kubelet service and the API server. It can also make it difficult to associate logs with nodes when security analytics are needed. The better practice is to set up nodes with resolvable FQDNs and avoid overriding the hostnames.

ID
SV-242404r960960_rule
Severity
Medium

Remediation - Manual Procedure

Run the command:  
systemctl status kubelet  
Note the path to the drop-in file.

Determine the path to the environment file(s) with the command:  
grep -i EnvironmentFile <path_to_drop_in_file>
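
The check these steps lead to, as an added example that is not part of the rule text: it reads the drop-in file, follows each EnvironmentFile entry, and reports every file that sets the kubelet `--hostname-override` flag. The flag is kubelet's own; the function names and the temporary fixture files are constructed for this example.

```shell
#!/bin/sh
# Added example: audit a kubelet drop-in and its environment files for
# --hostname-override. Fixture paths and contents below are constructed.

# Print every EnvironmentFile path named in a systemd drop-in file.
# A leading "-" (systemd: ignore the file if missing) is stripped.
env_files() {
    grep -i '^[[:space:]]*EnvironmentFile[[:space:]]*=' "$1" |
        sed -e 's/^[^=]*=[[:space:]]*//' -e 's/^-//' -e 's/[[:space:]]*$//'
}

# Exit 0 and name the file(s) when the drop-in or any environment file it
# references sets --hostname-override outside a comment; exit 1 otherwise.
has_hostname_override() {
    hit=1
    while IFS= read -r f; do
        [ -r "$f" ] || continue          # skip missing/optional files
        if grep -v '^[[:space:]]*#' "$f" | grep -q -e '--hostname-override'; then
            echo "FINDING: --hostname-override set in $f"
            hit=0
        fi
    done <<EOF
$1
$(env_files "$1")
EOF
    return $hit
}

# Build a constructed drop-in in directory $1 whose environment file holds $2.
make_sample() {
    mkdir -p "$1"
    printf '%s\n' "$2" > "$1/kubelet.env"
    printf '%s\n' '[Service]' "EnvironmentFile=-$1/kubelet.env" \
        "EnvironmentFile=-$1/missing.env" > "$1/10-kubeadm.conf"
}

tmp=$(mktemp -d)
make_sample "$tmp/bad" 'KUBELET_EXTRA_ARGS="--hostname-override=node-a"'
make_sample "$tmp/ok" '# KUBELET_EXTRA_ARGS="--hostname-override=node-a"'
for d in bad ok; do
    if has_hostname_override "$tmp/$d/10-kubeadm.conf"; then
        echo "$d: hostname override present"
    else
        echo "$d: no hostname override"
    fi
done
rm -rf "$tmp"
```

On a real node, pass the drop-in path noted from `systemctl status kubelet` to `has_hostname_override` instead of the fixture paths.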