STIGQter: STIG Summary: Kubernetes Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 13 Apr 2021:

Kubernetes DynamicKubeletConfig must not be enabled.

DISA Rule

SV-242399r717021_rule

Vulnerability Number

V-242399

Group Title

SRG-APP-000033-CTR-000095

Rule Version

CNTR-K8-000460

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Edit any manifest file or kubelet config file that does not contain a feature-gates setting or has DynamicKubeletConfig set to "true".

If DynamicKubeletConfig is omitted from the feature-gates setting, it defaults to true. Set DynamicKubeletConfig to "false". Restart the kubelet service if the kubelet config file is changed.

Check Contents

On the Master node, change to the manifests directory at /etc/kubernetes/manifests and run the command:

grep -i feature-gates *

Review the feature-gates setting if one is returned.

If the feature-gates setting does not exist, or feature-gates does not contain the DynamicKubeletConfig flag, or the DynamicKubeletConfig flag is set to "true", this is a finding.

Change to the directory /etc/sysconfig on the Master and each Worker node and execute the command:

grep -i feature-gates kubelet

Review every feature-gates setting if one is returned.

If the feature-gates setting does not exist, or feature-gates does not contain the DynamicKubeletConfig flag, or the DynamicKubeletConfig flag is set to "true", this is a finding.
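The following POSIX shell script is an added example, not part of the STIG or of STIGQter. It automates the two grep-based checks above (manifests under /etc/kubernetes/manifests and the kubelet file under /etc/sysconfig) and reports a finding in exactly the three cases the check text names: no feature-gates setting, a setting that omits DynamicKubeletConfig, or a setting with DynamicKubeletConfig=true. It also shows what a compliant setting looks like after applying the Fix Recommendation. The sample files it runs against are constructed inside the script (mktemp); on a real node, point check_node at the paths from the check text.

```shell
#!/bin/sh
# Added example, not from the STIG or STIGQter: automates the CNTR-K8-000460
# check over the files named in the check text and reports a finding exactly
# when the check text says so. Sample files are constructed below; the real
# paths are /etc/kubernetes/manifests/* and /etc/sysconfig/kubelet.

# check_file FILE
# Returns 0 when every feature-gates setting in FILE sets
# DynamicKubeletConfig=false; returns 1 (a finding) when FILE has no
# feature-gates setting, when a setting omits the flag, or when it is "true".
check_file() {
    file=$1
    # Same search the STIG prescribes: grep -i feature-gates
    settings=$(grep -i 'feature-gates' "$file" 2>/dev/null) || true
    if [ -z "$settings" ]; then
        echo "FINDING: $file: no feature-gates setting"
        return 1
    fi
    # "Review every feature-gates setting": count the settings that do not
    # explicitly set the flag to false (flag missing, or set to true).
    bad=$(printf '%s\n' "$settings" | grep -vic 'DynamicKubeletConfig=false') || true
    if [ "$bad" -gt 0 ]; then
        echo "FINDING: $file: $bad feature-gates setting(s) without DynamicKubeletConfig=false"
        return 1
    fi
    echo "OK: $file: DynamicKubeletConfig=false"
    return 0
}

# check_node MANIFEST_DIR SYSCONFIG_KUBELET
# Runs check_file over every manifest plus the kubelet sysconfig file;
# returns 1 if any file is a finding (so the node as a whole is a finding).
check_node() {
    rc=0
    for f in "$1"/* "$2"; do
        [ -f "$f" ] || continue
        check_file "$f" || rc=1
    done
    return $rc
}

# make_samples: constructed sample files (not real cluster data) covering the
# compliant case and each finding case; prints the directory they live in.
make_samples() {
    d=$(mktemp -d)
    mkdir "$d/manifests"
    # Compliant manifest: flag present and false (as after the fix).
    printf '%s\n' '    - --feature-gates=DynamicKubeletConfig=false,TTLAfterFinished=true' \
        > "$d/manifests/kube-apiserver.yaml"
    # Compliant kubelet sysconfig file.
    printf '%s\n' 'KUBELET_EXTRA_ARGS="--feature-gates=DynamicKubeletConfig=false"' \
        > "$d/kubelet-ok"
    # Finding: flag explicitly true.
    printf '%s\n' 'KUBELET_EXTRA_ARGS="--feature-gates=DynamicKubeletConfig=true"' \
        > "$d/kubelet-true"
    # Finding: feature-gates present but the flag is omitted (defaults to true).
    printf '%s\n' 'KUBELET_EXTRA_ARGS="--feature-gates=TTLAfterFinished=true"' \
        > "$d/kubelet-omitted"
    # Finding: no feature-gates setting at all.
    printf '%s\n' 'KUBELET_EXTRA_ARGS=""' > "$d/kubelet-none"
    echo "$d"
}

# Stand-alone demonstration over the constructed samples.
SAMPLES=$(make_samples)
for f in "$SAMPLES"/manifests/kube-apiserver.yaml "$SAMPLES"/kubelet-*; do
    check_file "$f" || :
done
```

The search pattern deliberately mirrors the STIG's `grep -i feature-gates`, which matches the command-line flag form (`--feature-gates=...`) used in manifests and in /etc/sysconfig/kubelet. A kubelet configured through a KubeletConfiguration YAML file expresses the same setting under a `featureGates:` key (no hyphen), which this grep does not match; review that file separately, and remember to restart the kubelet after changing it.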

Vulnerability Number

V-242399

Documentable

False

Rule Version

CNTR-K8-000460

Severity Override Guidance

Check Content Reference

M

Target Key

5376

Comments