V-242399—Kubernetes DynamicKubeletConfig must not be enabled.
>Control Description
>Check Content
This check is only applicable for Kubernetes versions 1.25 and older. On the Control Plane, change to the manifests' directory at /etc/kubernetes/manifests and run:
$ grep -i feature-gates *
In each manifest file, if the feature-gates does not exist, or does not contain the "DynamicKubeletConfig" flag, or sets the flag to "true", this is a finding.
On each Control Plane and Worker node, run:
$ ps -ef | grep kubelet
Verify the "feature-gates" option is not present. Note the path to the config file (identified by --config). Inspect the content of the config file: If the "featureGates" setting is not present, or does not contain the "DynamicKubeletConfig", or sets the flag to "true", this is a finding.
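The check above can be scripted. The following is an added example, not part of the STIG text: it applies the stated finding criteria to a manifest file, a kubelet command line and a kubelet config file. Function names are hypothetical, the sample files are constructed, and the config parser assumes block-style YAML.

```shell
#!/bin/sh
# Added example: applies the V-242399 finding criteria to the inputs it is given.
# Assumes block-style YAML (one key per line); function names are hypothetical.

# Manifest: compliant only if a --feature-gates line sets DynamicKubeletConfig=false.
manifest_status() {
    gates=$(grep -i -e '--feature-gates' "$1" 2>/dev/null || true)
    if printf '%s\n' "$gates" | grep -q 'DynamicKubeletConfig=true'; then
        echo finding
    elif printf '%s\n' "$gates" | grep -q 'DynamicKubeletConfig=false'; then
        echo pass
    else
        echo finding   # flag absent, or gate not listed
    fi
}

# Kubelet process arguments: the feature-gates option must not be present.
kubelet_cmdline_status() {
    case "$1" in
        *--feature-gates*) echo finding ;;
        *) echo pass ;;
    esac
}

# Extract the path given with --config (either "--config=PATH" or "--config PATH").
kubelet_config_path() {
    printf '%s\n' "$1" | sed -n 's/.*--config[= ]\([^ ]*\).*/\1/p'
}

# Kubelet config file: compliant only if featureGates has DynamicKubeletConfig: false.
kubelet_config_status() {
    [ -r "$1" ] || { echo finding; return 0; }
    awk '
        /^featureGates:/       { in_block = 1; next }   # start of the mapping
        in_block && /^[^ \t#]/ { in_block = 0 }         # next top-level key ends it
        in_block && $1 == "DynamicKubeletConfig:" { value = tolower($2) }
        END { if (value == "false") print "pass"; else print "finding" }
    ' "$1"
}

# Constructed sample input, so the script runs on a machine without Kubernetes.
demo=$(mktemp -d)
printf '    - kube-apiserver\n    - --feature-gates=DynamicKubeletConfig=false\n' > "$demo/kube-apiserver.yaml"
printf 'kind: KubeletConfiguration\nfeatureGates:\n  DynamicKubeletConfig: false\n' > "$demo/config.yaml"
cmdline="/usr/bin/kubelet --kubeconfig=/etc/kubernetes/kubelet.conf --config=$demo/config.yaml"
echo "manifest: $(manifest_status "$demo/kube-apiserver.yaml")"
echo "kubelet args: $(kubelet_cmdline_status "$cmdline")"
echo "kubelet config: $(kubelet_config_status "$(kubelet_config_path "$cmdline")")"
rm -rf "$demo"
```

On a real node, pass each file under /etc/kubernetes/manifests to manifest_status and the kubelet line from the ps output to the other functions.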
>Remediation
This fix is only applicable to Kubernetes version 1.25 and older. On the Control Plane, change to the manifests' directory at /etc/kubernetes/manifests and run:
$ grep -i feature-gates *
Edit the manifest files so that every manifest has a "--feature-gates" setting with "DynamicKubeletConfig=false".
On each Control Plane and Worker Node, run:
$ ps -ef | grep kubelet
Remove the "feature-gates" option if present. Note the path to the config file (identified by --config). Edit the config file: Add a "featureGates" setting if one does not yet exist. Add the feature gate "DynamicKubeletConfig=false".
Restart the kubelet service:
$ systemctl daemon-reload && systemctl restart kubelet
>CCI References
Control Correlation Identifiers (CCIs) map STIG findings to NIST 800-53 controls.
>Cross-Framework Mappings
NIST SP 800-53 r5
via DISA CCI List