>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

V-242442Kubernetes must remove old components after updated versions have been installed.

CAT II - Medium
CNTR-K8-002700

>Control Description

Previous versions of Kubernetes components that are not removed after updates have been installed may be exploited by adversaries by allowing the vulnerabilities to still exist within the cluster. It is important for Kubernetes to remove old pods when newer pods are created using new images to always be at the desired security state.

>Check Content

To view all pods and the images used to create the pods, from the Control Plane, run the following command: kubectl get pods --all-namespaces -o jsonpath="{..image}" | \ tr -s '[[:space:]]' '\n' | \ sort | \ uniq -c Review the images used for pods running within Kubernetes. If there are multiple versions of the same image, this is a finding.

>Remediation

Remove any old pods that are using older images. On the Control Plane,

$kubectl delete pod podname (Note: "podname" is the name of the pod to delete.)

>CCI References

CCI-002647

Control Correlation Identifiers (CCIs) map STIG findings to NIST 800-53 controls.

>Cross-Framework Mappings

NIST SP 800-53 r5

via DISA CCI List
SI-4(12)
Compare

Ask AI

Configure your API key to use AI features.