Kubernetes Security Technical Implementation Guide

Version: 1

Release: 1 Benchmark Date: 13 Apr 2021

Checked	Name	Title
☐	SV-242376r712484_rule	The Kubernetes Controller Manager must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
☐	SV-242377r712487_rule	The Kubernetes Scheduler must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
☐	SV-242378r712490_rule	The Kubernetes API Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
☐	SV-242379r712493_rule	The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.
☐	SV-242380r712496_rule	The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.
☐	SV-242381r712499_rule	The Kubernetes Controller Manager must create unique service accounts for each work payload.
☐	SV-242382r712502_rule	The Kubernetes API Server must enable Node,RBAC as the authorization mode.
☐	SV-242383r712505_rule	User-managed resources must be created in dedicated namespaces.
☐	SV-242384r712508_rule	The Kubernetes Scheduler must have secure binding.
☐	SV-242385r712511_rule	The Kubernetes Controller Manager must have secure binding.
☐	SV-242386r712514_rule	The Kubernetes API server must have the insecure port flag disabled.
☐	SV-242387r717013_rule	The Kubernetes Kubelet must have the read-only port flag disabled.
☐	SV-242388r712520_rule	The Kubernetes API server must have the insecure bind address not set.
☐	SV-242389r712523_rule	The Kubernetes API server must have the secure port set.
☐	SV-242390r712526_rule	The Kubernetes API server must have anonymous authentication disabled.
☐	SV-242391r712529_rule	The Kubernetes Kubelet must have anonymous authentication disabled.
☐	SV-242392r712532_rule	The Kubernetes kubelet must enable explicit authorization.
☐	SV-242393r717015_rule	Kubernetes Worker Nodes must not have sshd service running.
☐	SV-242394r717017_rule	Kubernetes Worker Nodes must not have the sshd service enabled.
☐	SV-242395r712541_rule	Kubernetes dashboard must not be enabled.
☐	SV-242396r712544_rule	Kubernetes Kubectl cp command must give expected access and results.
☐	SV-242397r712547_rule	The Kubernetes kubelet static PodPath must not enable static pods.
☐	SV-242398r717019_rule	Kubernetes DynamicAuditing must not be enabled.
☐	SV-242399r717021_rule	Kubernetes DynamicKubeletConfig must not be enabled.
☐	SV-242400r712556_rule	The Kubernetes API server must have Alpha APIs disabled.
☐	SV-242401r712559_rule	The Kubernetes API Server must have an audit policy set.
☐	SV-242402r712562_rule	The Kubernetes API Server must have an audit log path set.
☐	SV-242403r712565_rule	Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event.
☐	SV-242404r712568_rule	Kubernetes Kubelet must deny hostname override.
☐	SV-242405r712571_rule	The Kubernetes manifests must be owned by root.
☐	SV-242406r712574_rule	The Kubernetes kubelet configuration file must be owned by root.
☐	SV-242407r712577_rule	The Kubernetes kubelet configuration file must be owned by root.
☐	SV-242408r712580_rule	The Kubernetes manifests must have least privileges.
☐	SV-242409r712583_rule	Kubernetes Controller Manager must disable profiling.
☐	SV-242410r712586_rule	The Kubernetes API Server must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
☐	SV-242411r712589_rule	The Kubernetes Scheduler must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
☐	SV-242412r712592_rule	The Kubernetes Controllers must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
☐	SV-242413r712595_rule	The Kubernetes etcd must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
☐	SV-242414r717030_rule	The Kubernetes cluster must use non-privileged host ports for user pods.
☐	SV-242415r712601_rule	Secrets in Kubernetes must not be stored as environment variables.
☐	SV-242416r712604_rule	Kubernetes Kubelet must not disable timeouts.
☐	SV-242417r712607_rule	Kubernetes must separate user functionality.
☐	SV-242418r712610_rule	The Kubernetes API server must use approved cipher suites.
☐	SV-242419r712613_rule	Kubernetes API Server must have the SSL Certificate Authority set.
☐	SV-242420r712616_rule	Kubernetes Kubelet must have the SSL Certificate Authority set.
☐	SV-242421r717033_rule	Kubernetes Controller Manager must have the SSL Certificate Authority set.
☐	SV-242422r712622_rule	Kubernetes API Server must have a certificate for communication.
☐	SV-242423r712625_rule	Kubernetes etcd must enable client authentication to secure service.
☐	SV-242424r712628_rule	Kubernetes Kubelet must enable tls-private-key-file for client authentication to secure service.
☐	SV-242425r712631_rule	Kubernetes Kubelet must enable tls-cert-file for client authentication to secure service.
☐	SV-242426r712634_rule	Kubernetes etcd must enable client authentication to secure service.
☐	SV-242427r712637_rule	Kubernetes etcd must have a key file for secure communication.
☐	SV-242428r712640_rule	Kubernetes etcd must have a certificate for communication.
☐	SV-242429r712643_rule	Kubernetes etcd must have the SSL Certificate Authority set.
☐	SV-242430r712646_rule	Kubernetes etcd must have a certificate for communication.
☐	SV-242431r712649_rule	Kubernetes etcd must have a key file for secure communication.
☐	SV-242432r712652_rule	Kubernetes etcd must have peer-cert-file set for secure communication.
☐	SV-242433r712655_rule	Kubernetes etcd must have a peer-key-file set for secure communication.
☐	SV-242434r712658_rule	Kubernetes Kubelet must enable kernel protection.
☐	SV-242435r712661_rule	Kubernetes must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures or the installation of patches and updates.
☐	SV-242436r712664_rule	The Kubernetes API server must have the ValidatingAdmissionWebhook enabled.
☐	SV-242437r712667_rule	Kubernetes must have a pod security policy set.
☐	SV-242438r712670_rule	Kubernetes API Server must configure timeouts to limit attack surface.
☐	SV-242439r712673_rule	Kubernetes API Server must disable basic authentication to protect information in transit.
☐	SV-242440r712676_rule	Kubernetes API Server must disable token authentication to protect information in transit.
☐	SV-242441r712679_rule	Kubernetes endpoints must use approved organizational certificate and key pair to protect information in transit.
☐	SV-242442r712682_rule	Kubernetes must remove old components after updated versions have been installed.
☐	SV-242443r712685_rule	Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs.
☐	SV-242444r712688_rule	The Kubernetes component manifests must be owned by root.
☐	SV-242445r712691_rule	The Kubernetes component etcd must be owned by etcd.
☐	SV-242446r712694_rule	The Kubernetes conf files must be owned by root.
☐	SV-242447r712697_rule	The Kubernetes Kube Proxy must have file permissions set to 644 or more restrictive.
☐	SV-242448r712700_rule	The Kubernetes Kube Proxy must be owned by root.
☐	SV-242449r712703_rule	The Kubernetes Kubelet certificate authority file must have file permissions set to 644 or more restrictive.
☐	SV-242450r712706_rule	The Kubernetes Kubelet certificate authority must be owned by root.
☐	SV-242451r712709_rule	The Kubernetes component PKI must be owned by root.
☐	SV-242452r712712_rule	The Kubernetes kubelet config must have file permissions set to 644 or more restrictive.
☐	SV-242453r712715_rule	The Kubernetes kubelet config must be owned by root.
☐	SV-242454r712718_rule	The Kubernetes kubeadm must be owned by root.
☐	SV-242455r712721_rule	The Kubernetes kubelet service must have file permissions set to 644 or more restrictive.
☐	SV-242456r712724_rule	The Kubernetes kubelet config must have file permissions set to 644 or more restrictive.
☐	SV-242457r712727_rule	The Kubernetes kubelet config must be owned by root.
☐	SV-242458r712730_rule	The Kubernetes API Server must have file permissions set to 644 or more restrictive.
☐	SV-242459r712733_rule	The Kubernetes etcd must have file permissions set to 644 or more restrictive.
☐	SV-242460r712736_rule	The Kubernetes admin.conf must have file permissions set to 644 or more restrictive.
☐	SV-242461r712739_rule	Kubernetes API Server audit logs must be enabled.
☐	SV-242462r712742_rule	The Kubernetes API Server must be set to audit log max size.
☐	SV-242463r712745_rule	The Kubernetes API Server must be set to audit log maximum backup.
☐	SV-242464r712748_rule	The Kubernetes API Server audit log retention must be set.
☐	SV-242465r712751_rule	The Kubernetes API Server audit log path must be set.
☐	SV-242466r712754_rule	The Kubernetes PKI CRT must have file permissions set to 644 or more restrictive.
☐	SV-242467r712757_rule	The Kubernetes PKI keys must have file permissions set to 600 or more restrictive.
☐	SV-242468r712760_rule	The Kubernetes API Server must prohibit communication using TLS version 1.0 and 1.1, and SSL 2.0 and 3.0.