STIGQter: STIG Summary: Kubernetes Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 13 Apr 2021:

The Kubernetes kubelet must enable explicit authorization.

DISA Rule

SV-242392r712532_rule

Vulnerability Number

V-242392

Group Title

SRG-APP-000033-CTR-000095

Rule Version

CNTR-K8-000380

Severity

CAT I

CCI(s)

• CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Weight

10

Fix Recommendation

Edit the Kubernetes Kubelet file in the/etc/sysconfig/ directory on the Kubernetes Master and Worker nodes.

Set the argument --authorization-mode to "Webhook".

Restart each kubelet service after the change is made using the command:
service kubelet restart

Check Contents

Change to the /etc/sysconfig/ directory on the Kubernetes Master Node. Run the command:

grep -i authorization-mode kubelet

On each Worker node, change to the /etc/sysconfig/ directory. Run the command:

grep -i authorization-mode kubelet

If authorization-mode is missing or is set to "AllowAlways" on the Master node or any of the Worker nodes, this is a finding.

Vulnerability Number

V-242392

Documentable

False

Rule Version

CNTR-K8-000380

Severity Override Guidance

Change to the /etc/sysconfig/ directory on the Kubernetes Master Node. Run the command:

grep -i authorization-mode kubelet

On each Worker node, change to the /etc/sysconfig/ directory. Run the command:

grep -i authorization-mode kubelet

If authorization-mode is missing or is set to "AllowAlways" on the Master node or any of the Worker nodes, this is a finding.

Check Content Reference

M

Target Key

5376

Comments