Skip to content

kubelet - Allow Automatic Firewall Configuration

An XCCDF Rule

Description

The kubelet has the ability to automatically configure the firewall to allow the containers required ports and connections to networking resources and destinations parameters potentially creating a security incident. To allow the kubelet to modify the firewall, edit the kubelet configuration file /etc/kubernetes/kubelet.conf on the kubelet node(s) and set the below parameter:

makeIPTablesUtilChains: true

Rationale

The kubelet should automatically configure the firewall settings to allow access and networking traffic through. This ensures that when a pod or container is running that the correct ports are configured as well as removing the ports when a pod or container is no longer in existence.

ID
xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains
Severity
Medium
References
Updated



Remediation - Kubernetes Patch

---
apiVersion: machineconfiguration.openshift.io/v1
kind: KubeletConfig
spec:
  kubeletConfig:
    makeIPTablesUtilChains: true