Kubernetes STIG V2R4
DoD Security Technical Implementation Guide for Kubernetes container orchestration
This is a reference tool, not an authoritative source. For official documentation, visit public.cyber.mil.
api-server — API Server (28 findings)
V-242378 The Kubernetes API Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
V-242382 The Kubernetes API Server must enable Node,RBAC as the authorization mode.
V-242386 The Kubernetes API server must have the insecure port flag disabled.
V-242388 The Kubernetes API server must have the insecure bind address not set.
V-242389 The Kubernetes API server must have the secure port set.
V-242390 The Kubernetes API server must have anonymous authentication disabled.
V-242400 The Kubernetes API server must have Alpha APIs disabled.
V-242402 The Kubernetes API Server must have an audit log path set.
V-242403 Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event.
V-242410 The Kubernetes API Server must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
V-242413 The Kubernetes etcd must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
V-242418 The Kubernetes API server must use approved cipher suites.
V-242419 Kubernetes API Server must have the SSL Certificate Authority set.
V-242422 Kubernetes API Server must have a certificate for communication.
V-242429 Kubernetes etcd must have the SSL Certificate Authority set.
V-242430 Kubernetes etcd must have a certificate for communication.
V-242431 Kubernetes etcd must have a key file for secure communication.
V-242436 The Kubernetes API server must have the ValidatingAdmissionWebhook enabled.
V-242438 Kubernetes API Server must configure timeouts to limit attack surface.
V-242461 Kubernetes API Server audit logs must be enabled.
V-242462 The Kubernetes API Server must be set to audit log max size.
V-242463 The Kubernetes API Server must be set to audit log maximum backup.
V-242464 The Kubernetes API Server audit log retention must be set.
V-242465 The Kubernetes API Server audit log path must be set.
V-245542 Kubernetes API Server must disable basic authentication to protect information in transit.
V-245543 Kubernetes API Server must disable token authentication to protect information in transit.
V-245544 Kubernetes endpoints must use approved organizational certificate and key pair to protect information in transit.
V-254800 Kubernetes must have a Pod Security Admission control file configured.
controller-manager — Controller Manager (7 findings)
V-242376 The Kubernetes Controller Manager must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
V-242381 The Kubernetes Controller Manager must create unique service accounts for each work payload.
V-242385 The Kubernetes Controller Manager must have secure binding.
V-242409 Kubernetes Controller Manager must disable profiling.
V-242421 Kubernetes Controller Manager must have the SSL Certificate Authority set.
V-242446 The Kubernetes conf files must be owned by root.
V-242460 The Kubernetes admin kubeconfig must have file permissions set to 644 or more restrictive.
etcd — etcd (10 findings)
V-242379 The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.
V-242380 The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.
V-242423 Kubernetes etcd must enable client authentication to secure service.
V-242426 Kubernetes etcd must enable client authentication to secure service.
V-242427 Kubernetes etcd must have a key file for secure communication.
V-242428 Kubernetes etcd must have a certificate for communication.
V-242432 Kubernetes etcd must have peer-cert-file set for secure communication.
V-242433 Kubernetes etcd must have a peer-key-file set for secure communication.
V-242445 The Kubernetes component etcd must be owned by etcd.
V-242459 The Kubernetes etcd must have file permissions set to 644 or more restrictive.
general — General (15 findings)
V-242383 User-managed resources must be created in dedicated namespaces.
V-242393 Kubernetes Worker Nodes must not have sshd service running.
V-242394 Kubernetes Worker Nodes must not have the sshd service enabled.
V-242395 Kubernetes dashboard must not be enabled.
V-242396 Kubernetes Kubectl cp command must give expected access and results.
V-242405 The Kubernetes manifests must be owned by root.
V-242408 The Kubernetes manifest files must have least privileges.
V-242412 The Kubernetes Controllers must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
V-242417 Kubernetes must separate user functionality.
V-242442 Kubernetes must remove old components after updated versions have been installed.
V-242443 Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs.
V-242444 The Kubernetes component manifests must be owned by root.
V-242451 The Kubernetes component PKI must be owned by root.
V-242466 The Kubernetes PKI CRT must have file permissions set to 644 or more restrictive.
V-242467 The Kubernetes PKI keys must have file permissions set to 600 or more restrictive.
kubelet — Kubelet (23 findings)
V-242387 The Kubernetes Kubelet must have the "readOnlyPort" flag disabled.
V-242391 The Kubernetes Kubelet must have anonymous authentication disabled.
V-242392 The Kubernetes kubelet must enable explicit authorization.
V-242397 The Kubernetes kubelet staticPodPath must not enable static pods.
V-242398 Kubernetes DynamicAuditing must not be enabled.
V-242399 Kubernetes DynamicKubeletConfig must not be enabled.
V-242404 Kubernetes Kubelet must deny hostname override.
V-242406 The Kubernetes KubeletConfiguration file must be owned by root.
V-242407 The Kubernetes KubeletConfiguration files must have file permissions set to 644 or more restrictive.
V-242420 Kubernetes Kubelet must have the SSL Certificate Authority set.
V-242424 Kubernetes Kubelet must enable tlsPrivateKeyFile for client authentication to secure service.
V-242425 Kubernetes Kubelet must enable tlsCertFile for client authentication to secure service.
V-242434 Kubernetes Kubelet must enable kernel protection.
V-242449 The Kubernetes Kubelet certificate authority file must have file permissions set to 644 or more restrictive.
V-242450 The Kubernetes Kubelet certificate authority must be owned by root.
V-242452 The Kubernetes kubelet KubeConfig must have file permissions set to 644 or more restrictive.
V-242453 The Kubernetes kubelet KubeConfig file must be owned by root.
V-242454 The Kubernetes kubeadm.conf must be owned by root.
V-242455 The Kubernetes kubeadm.conf must have file permissions set to 644 or more restrictive.
V-242456 The Kubernetes kubelet config must have file permissions set to 644 or more restrictive.
V-242457 The Kubernetes kubelet config must be owned by root.
V-245541 Kubernetes Kubelet must not disable timeouts.
V-254801 Kubernetes must enable PodSecurity admission controller on static pods and Kubelets.
pod-security — Pod Security (2 findings)
proxy — Proxy (2 findings)
scheduler — Scheduler (3 findings)
V-242377 The Kubernetes Scheduler must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
V-242384 The Kubernetes Scheduler must have secure binding.
V-242411 The Kubernetes Scheduler must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
secrets — Secrets (4 findings)
V-242415 Secrets in Kubernetes must not be stored as environment variables.
V-274882 Kubernetes Secrets must be encrypted at rest.
V-274883 Sensitive information must be stored using Kubernetes Secrets or an external Secret store provider.
V-274884 Kubernetes must limit Secret access on a need-to-know basis.