STIGQter: STIG Summary: Kubernetes Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 13 Apr 2021:

User-managed resources must be created in dedicated namespaces.

DISA Rule

SV-242383r712505_rule

Vulnerability Number

V-242383

Group Title

SRG-APP-000038-CTR-000105

Rule Version

CNTR-K8-000290

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Move any user-managed resources out of the default, kube-public and kube-node-lease namespaces into dedicated user namespaces.

Check Contents

To view the available namespaces, run the command:

kubectl get namespaces

The namespaces to be validated are default, kube-public and kube-node-lease (if it exists).

For the default namespace, execute the commands:

kubectl config set-context --current --namespace=default
kubectl get all

For the kube-public namespace, execute the commands:

kubectl config set-context --current --namespace=kube-public
kubectl get all

For the kube-node-lease namespace, execute the commands:

kubectl config set-context --current --namespace=kube-node-lease
kubectl get all

The only acceptable results are the kubernetes service (i.e., service/kubernetes) or no objects at all.

If the "kubectl get all" command returns any object other than the kubernetes service (i.e., service/kubernetes), this is a finding.
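The check above can be scripted so that each of the three namespaces is evaluated without changing the current context. This is an added example and not part of the STIG or of STIGQter; it assumes kubectl's "-o name" output format (one kind/name per line) and the "--namespace" flag, and audit_default_namespaces needs a live cluster and kubectl on the path.

```shell
#!/bin/sh
# Evaluate "kubectl get all -o name" output for one namespace against V-242383.
# Assumption: input is one "kind/name" object per line; the only object allowed
# in default, kube-public and kube-node-lease is service/kubernetes.
# Prints each disallowed object; returns 0 when compliant, 1 on a finding.
evaluate_namespace_output() {
    ns="$1"
    findings=0
    while IFS= read -r obj; do
        [ -z "$obj" ] && continue            # ignore blank lines
        if [ "$obj" = "service/kubernetes" ]; then
            continue                         # the one permitted object
        fi
        printf 'FINDING %s: user-managed resource %s\n' "$ns" "$obj"
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# Live check over the three namespaces named in the STIG (requires cluster
# access). Uses --namespace on each call instead of rewriting the context.
audit_default_namespaces() {
    rc=0
    for ns in default kube-public kube-node-lease; do
        if ! kubectl get namespace "$ns" >/dev/null 2>&1; then
            echo "namespace $ns does not exist, skipping"
            continue
        fi
        kubectl get all --namespace "$ns" -o name \
            | evaluate_namespace_output "$ns" || rc=1
    done
    return $rc
}
```

Run audit_default_namespaces against a cluster; a non-zero exit with FINDING lines means workloads must be moved to user namespaces per the Fix Recommendation.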

Vulnerability Number

V-242383

Documentable

False

Rule Version

CNTR-K8-000290

Severity Override Guidance


Check Content Reference

M

Target Key

5376

Comments