Kubernetes Kubelet must enable kernel protection.

An XCCDF Rule

Description

<VulnDiscussion>System kernel is responsible for memory, disk, and task management. The kernel provides a gateway between the system hardware and software. Kubernetes requires kernel access to allocate resources to the Control Plane. Threat actors that penetrate the system kernel can inject malicious code or hijack the Kubernetes architecture. It is vital to implement protections through Kubernetes components to reduce the attack surface.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-242434r918188_rule
Severity: High
References: CCI-001084
Updated: 8 months ago

On the Control Plane, run the command:
ps -ef | grep kubelet

Remove the "--protect-kernel-defaults" option if present.

Note the path to the Kubernetes Kubelet config file (identified by --config).
Edit the Kubernetes Kubelet config file: 
Set "protectKernelDefaults" to "true". 

Restart the kubelet service using the following command:
systemctl daemon-reload && systemctl restart kubelet

Kubernetes Kubelet must enable kernel protection.

Description

Remediation - Manual Procedure