CNTR-K8-000400 – Kubernetes Worker Nodes must not have sshd service running. Details: Worker Nodes are maintained and monitored by the Master Node. Direct access and manipulation of the nodes should not...
CNTR-K8-000410 – Kubernetes Worker Nodes must not have the sshd service enabled. Details: Worker Nodes are maintained and monitored by the Master Node. Direct access and manipulation of the nodes must not...
CNTR-K8-000420 – Kubernetes dashboard must not be enabled. Details: While the Kubernetes dashboard is not inherently insecure on its own, it is often coupled with a misconfiguration of...
CNTR-K8-000430 – Kubernetes Kubectl cp command must give expected access and results. Details: One of the tools heavily used to interact with containers in the Kubernetes cluster is kubectl. The command is...
CNTR-K8-000440 – The Kubernetes kubelet static PodPath must not enable static pods. Details: Allowing kubelet to set a staticPodPath gives containers with root access permissions to traverse the hosting filesystem. The danger...
CNTR-K8-000450 – Kubernetes DynamicAuditing must not be enabled – kubelet. Details: Protecting the audit data from change or deletion is important when an attack occurs. One way an attacker can...
CNTR-K8-000450 – Kubernetes DynamicAuditing must not be enabled – manifest. Details: Protecting the audit data from change or deletion is important when an attack occurs. One way an attacker can...
CNTR-K8-000300 – The Kubernetes Scheduler must have secure binding. Details: Limiting the number of attack vectors and implementing authentication and encryption on the endpoints available to external sources is...
CNTR-K8-000460 – Kubernetes DynamicKubeletConfig must not be enabled – kubelet. Details: Kubernetes allows a user to configure kubelets with dynamic configurations. When dynamic configuration is used, the kubelet will watch...
CNTR-K8-000310 – The Kubernetes Controller Manager must have secure binding. Details: Limiting the number of attack vectors and implementing authentication and encryption on the endpoints available to external sources is...