The network ports on all running containers must be limited to required ports.

An XCCDF Rule

Description

<VulnDiscussion>To validate that the services are using only the approved ports and protocols, the organization must perform a periodic scan/review of MKE and disable functions, ports, protocols, and services deemed to be unneeded or nonsecure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-260941r966180_rule
Severity: Medium
References: CCI-001762
Updated: 19 days ago

Configuring an ingress controller is the preferred method to manage external ports. If an ingress controller is not used and unnecessary ports are in use, the container or pod network configurations must be updated.

To update a pod's configuration, log in to the MKE UI as an administrator. 

Navigate to Kubernetes >> Pods and click the pod with an open port that is not allowed.
Click the three dots in the upper right corner (edit).

Modify the .yaml file to remove the port. Example:

spec: 
   container:
   - name: [pod name]
     ports:
      - containerPort: 80 [replace with 443]

Click "Save".

For a Swarm service, navigate to Swarm >> Services and click on the service with unauthorized port.

Click the three dots in the top left corner.

Select "Network" in the pop-up and remove the unauthorized port.

Click "Save".

The network ports on all running containers must be limited to required ports.

Description

Remediation - Manual Procedure