MKE must enable kernel protection.

An XCCDF Rule

Description

System kernel is responsible for memory, disk, and task management. The kernel provides a gateway between the system hardware and software. Kubernetes requires kernel access to allocate resources to the Control Plane. Threat actors that penetrate the system kernel can inject malicious code or hijack the Kubernetes architecture. It is vital to implement protections through Kubernetes components to reduce the attack surface.

ID: SV-260933r966156_rule
Version: CNTR-MK-000990
Severity: Medium
References: CCI-001084
Updated: 26 days ago

Remediation Templates

When using Kubernetes orchestration, edit the Kubernetes Kubelet file in the /etc/sysconfig directory on the Kubernetes Control Plane. Set the argument "--protect-kernel-defaults" to "true".

Reset Kubelet service using the following command:

service kubelet restart
When using Swarm orchestration, review and remove nonsystem containers previously created by these users that allowed capabilities to be added or must be removed using:

docker container rm [container]

MKE must enable kernel protection.

Description

Remediation Templates

A Manual Procedure