Security Requirements Guide - Kubernetes STIG V2R4

STIG ID         Title
CNTR-K8-000150  The Kubernetes Controller Manager must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
CNTR-K8-000160  The Kubernetes Scheduler must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
CNTR-K8-000170  The Kubernetes API Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
CNTR-K8-000180  The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.
CNTR-K8-000190  The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.
CNTR-K8-000220  The Kubernetes Controller Manager must create unique service accounts for each work payload.
CNTR-K8-000270  The Kubernetes API Server must enable Node,RBAC as the authorization mode.
CNTR-K8-000290  User-managed resources must be created in dedicated namespaces.
CNTR-K8-000300  The Kubernetes Scheduler must have secure binding.
CNTR-K8-000310  The Kubernetes Controller Manager must have secure binding.
CNTR-K8-000320  The Kubernetes API server must have the insecure port flag disabled.
CNTR-K8-000330  The Kubernetes Kubelet must have the "readOnlyPort" flag disabled.
CNTR-K8-000340  The Kubernetes API server must have the insecure bind address not set.
CNTR-K8-000350  The Kubernetes API server must have the secure port set.
CNTR-K8-000360  The Kubernetes API server must have anonymous authentication disabled.
CNTR-K8-000370  The Kubernetes Kubelet must have anonymous authentication disabled.
CNTR-K8-000380  The Kubernetes kubelet must enable explicit authorization.
CNTR-K8-000400  Kubernetes Worker Nodes must not have sshd service running.
CNTR-K8-000410  Kubernetes Worker Nodes must not have the sshd service enabled.
CNTR-K8-000420  Kubernetes dashboard must not be enabled.
CNTR-K8-000430  Kubernetes Kubectl cp command must give expected access and results.
CNTR-K8-000440  The Kubernetes kubelet staticPodPath must not enable static pods.
CNTR-K8-000450  Kubernetes DynamicAuditing must not be enabled.
CNTR-K8-000460  Kubernetes DynamicKubeletConfig must not be enabled.
CNTR-K8-000470  The Kubernetes API server must have Alpha APIs disabled.
CNTR-K8-000610  The Kubernetes API Server must have an audit log path set.
CNTR-K8-000700  Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event.
CNTR-K8-000850  Kubernetes Kubelet must deny hostname override.
CNTR-K8-000860  The Kubernetes manifests must be owned by root.
CNTR-K8-000880  The Kubernetes KubeletConfiguration file must be owned by root.
CNTR-K8-000890  The Kubernetes KubeletConfiguration files must have file permissions set to 644 or more restrictive.
CNTR-K8-000900  The Kubernetes manifest files must have least privileges.
CNTR-K8-000910  Kubernetes Controller Manager must disable profiling.
CNTR-K8-000920  The Kubernetes API Server must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
CNTR-K8-000930  The Kubernetes Scheduler must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
CNTR-K8-000940  The Kubernetes Controllers must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
CNTR-K8-000950  The Kubernetes etcd must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
CNTR-K8-000960  The Kubernetes cluster must use non-privileged host ports for user pods.
CNTR-K8-001160  Secrets in Kubernetes must not be stored as environment variables.
CNTR-K8-001360  Kubernetes must separate user functionality.
CNTR-K8-001400  The Kubernetes API server must use approved cipher suites.
CNTR-K8-001410  Kubernetes API Server must have the SSL Certificate Authority set.
CNTR-K8-001420  Kubernetes Kubelet must have the SSL Certificate Authority set.
CNTR-K8-001430  Kubernetes Controller Manager must have the SSL Certificate Authority set.
CNTR-K8-001440  Kubernetes API Server must have a certificate for communication.
CNTR-K8-001450  Kubernetes etcd must enable client authentication to secure service.
CNTR-K8-001460  Kubernetes Kubelet must enable tlsPrivateKeyFile for client authentication to secure service.
CNTR-K8-001470  Kubernetes Kubelet must enable tlsCertFile for client authentication to secure service.
CNTR-K8-001480  Kubernetes etcd must enable client authentication to secure service.
CNTR-K8-001490  Kubernetes etcd must have a key file for secure communication.
CNTR-K8-001500  Kubernetes etcd must have a certificate for communication.
CNTR-K8-001510  Kubernetes etcd must have the SSL Certificate Authority set.
CNTR-K8-001520  Kubernetes etcd must have a certificate for communication.
CNTR-K8-001530  Kubernetes etcd must have a key file for secure communication.
CNTR-K8-001540  Kubernetes etcd must have peer-cert-file set for secure communication.
CNTR-K8-001550  Kubernetes etcd must have a peer-key-file set for secure communication.
CNTR-K8-001620  Kubernetes Kubelet must enable kernel protection.
CNTR-K8-002000  The Kubernetes API server must have the ValidatingAdmissionWebhook enabled.
CNTR-K8-002010  Kubernetes must have a pod security policy set.
CNTR-K8-002600  Kubernetes API Server must configure timeouts to limit attack surface.
CNTR-K8-002700  Kubernetes must remove old components after updated versions have been installed.
CNTR-K8-002720  Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs.
CNTR-K8-003110  The Kubernetes component manifests must be owned by root.
CNTR-K8-003120  The Kubernetes component etcd must be owned by etcd.
CNTR-K8-003130  The Kubernetes conf files must be owned by root.
CNTR-K8-003140  The Kubernetes Kube Proxy kubeconfig must have file permissions set to 644 or more restrictive.
CNTR-K8-003150  The Kubernetes Kube Proxy kubeconfig must be owned by root.
CNTR-K8-003160  The Kubernetes Kubelet certificate authority file must have file permissions set to 644 or more restrictive.
CNTR-K8-003170  The Kubernetes Kubelet certificate authority must be owned by root.
CNTR-K8-003180  The Kubernetes component PKI must be owned by root.
CNTR-K8-003190  The Kubernetes kubelet KubeConfig must have file permissions set to 644 or more restrictive.
CNTR-K8-003200  The Kubernetes kubelet KubeConfig file must be owned by root.
CNTR-K8-003210  The Kubernetes kubeadm.conf must be owned by root.
CNTR-K8-003220  The Kubernetes kubeadm.conf must have file permissions set to 644 or more restrictive.
CNTR-K8-003230  The Kubernetes kubelet config must have file permissions set to 644 or more restrictive.
CNTR-K8-003240  The Kubernetes kubelet config must be owned by root.
CNTR-K8-003260  The Kubernetes etcd must have file permissions set to 644 or more restrictive.
CNTR-K8-003270  The Kubernetes admin kubeconfig must have file permissions set to 644 or more restrictive.
CNTR-K8-003280  Kubernetes API Server audit logs must be enabled.
CNTR-K8-003290  The Kubernetes API Server must be set to audit log max size.
CNTR-K8-003300  The Kubernetes API Server must be set to audit log maximum backup.
CNTR-K8-003310  The Kubernetes API Server audit log retention must be set.
CNTR-K8-003320  The Kubernetes API Server audit log path must be set.
CNTR-K8-003330  The Kubernetes PKI CRT must have file permissions set to 644 or more restrictive.
CNTR-K8-003340  The Kubernetes PKI keys must have file permissions set to 600 or more restrictive.
CNTR-K8-001300  Kubernetes Kubelet must not disable timeouts.
CNTR-K8-002620  Kubernetes API Server must disable basic authentication to protect information in transit.
CNTR-K8-002630  Kubernetes API Server must disable token authentication to protect information in transit.
CNTR-K8-002640  Kubernetes endpoints must use approved organizational certificate and key pair to protect information in transit.
CNTR-K8-002011  Kubernetes must have a Pod Security Admission control file configured.
CNTR-K8-002001  Kubernetes must enable PodSecurity admission controller on static pods and Kubelets.
CNTR-K8-001162  Kubernetes Secrets must be encrypted at rest.
CNTR-K8-001161  Sensitive information must be stored using Kubernetes Secrets or an external Secret store provider.
CNTR-K8-001163  Kubernetes must limit Secret access on a need-to-know basis.