STIGQter: STIG Summary: Kubernetes Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 13 Apr 2021: STIGQter: STIG Summary: Kubernetes Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 13 Apr 2021:SV-242437r712667_rule
V-242437
SRG-APP-000342-CTR-000775
CNTR-K8-002010
CAT I
10
From the Master node, save the following policy to a file called restricted.yml.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: restricted
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
# This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
requiredDropCapabilities:
- ALL
# Allow core volume types.
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
# Assume that persistentVolumes set up by the cluster admin are safe to use.
- 'persistentVolumeClaim'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: 'MustRunAsNonRoot'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
To implement the policy, run the command:
kubectl create -f restricted.yml
On the Master Node, run the command:
kubectl get podsecuritypolicy
If there is no pod security policy configured, this is a finding.
For any pod security policies listed, edit the policy with the command:
kubectl edit podsecuritypolicy policyname
(Note: "policyname" is the name of the policy.)
Review the runAsUser, supplementalGroups and fsGroup sections of the policy.
If any of these sections are missing, this is a finding.
If the rule within the runAsUser section is not set to "MustRunAsNonRoot", this is a finding.
If the ranges within the supplementalGroups section has min set to "0" or min is missing, this is a finding.
If the ranges within the fsGroup section has a min set to "0" or the min is missing, this is a finding.
V-242437
False
CNTR-K8-002010
On the Master Node, run the command:
kubectl get podsecuritypolicy
If there is no pod security policy configured, this is a finding.
For any pod security policies listed, edit the policy with the command:
kubectl edit podsecuritypolicy policyname
(Note: "policyname" is the name of the policy.)
Review the runAsUser, supplementalGroups and fsGroup sections of the policy.
If any of these sections are missing, this is a finding.
If the rule within the runAsUser section is not set to "MustRunAsNonRoot", this is a finding.
If the ranges within the supplementalGroups section has min set to "0" or min is missing, this is a finding.
If the ranges within the fsGroup section has a min set to "0" or the min is missing, this is a finding.
M
5376