STIGQter: STIG Summary: Kubernetes Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 13 Apr 2021:

The Kubernetes API server must have the ValidatingAdmissionWebhook enabled.

DISA Rule

SV-242436r712664_rule

Vulnerability Number

V-242436

Group Title

SRG-APP-000342-CTR-000775

Rule Version

CNTR-K8-002000

Severity

CAT I

CCI(s)

• CCI-002233 - The information system prevents organization-defined software from executing at higher privilege levels than users executing the software.

Weight

10

Fix Recommendation

Edit the Kubernetes API Server manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the argument "--enable-admission-plugins" to include "ValidatingAdmissionWebhook". Each enabled plugin is separated by commas.

Note: It is best to implement policies first and then enable the webhook, otherwise a denial of service may occur.

Check Contents

Change to the /etc/kubernetes/manifests directory on the Kubernetes Master Node. Run the command:

grep -i ValidatingAdmissionWebhook *

If a line is not returned that includes enable-admission-plugins and ValidatingAdmissionWebhook, this is a finding.

Vulnerability Number

V-242436

Documentable

False

Rule Version

CNTR-K8-002000

Severity Override Guidance

Change to the /etc/kubernetes/manifests directory on the Kubernetes Master Node. Run the command:

grep -i ValidatingAdmissionWebhook *

If a line is not returned that includes enable-admission-plugins and ValidatingAdmissionWebhook, this is a finding.

Check Content Reference

M

Target Key

5376

Comments