Details

Kubernetes allows a user to configure kubelets with dynamic configurations. When dynamic configuration is used, the kubelet will watch for changes to the configuration file. When changes are made, the kubelet will automatically restart. Allowing this capability bypasses access restrictions and authorizations. Using this capability, an attacker can lower the security posture of the kubelet, which includes allowing the ability to run arbitrary commands in any container running on that node.

Solution

Edit any manifest file or kubelet config file that does not contain a feature-gates setting or has DynamicKubeletConfig set to ‘true’.

An omission of DynamicKubeletConfig within the feature-gates defaults to true. Set DynamicKubeletConfig to ‘false’. Restart the kubelet service if the kubelet config file is changed.

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V1R4_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.

References

• 800-53|AC-3
• CAT|II
• CCI|CCI-000213
• Rule-ID|SV-242399r717021_rule
• STIG-ID|CNTR-K8-000460
• Vuln-ID|V-242399

Source

• Tenable.com/audits