STIGQter: STIG Summary: Kubernetes Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 13 Apr 2021:

Kubernetes must remove old components after updated versions have been installed.

DISA Rule

SV-242442r712682_rule

Vulnerability Number

V-242442

Group Title

SRG-APP-000454-CTR-001110

Rule Version

CNTR-K8-002700

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Remove any old pods that are using older images. On the Master node, run the command:

kubectl delete pod podname
(Note: "podname" is the name of the pod to delete.)

Check Contents

To view all pods and the images used to create the pods, from the Master node, run the following command:

kubectl get pods --all-namespaces -o jsonpath="{..image}" | \
tr -s '[[:space:]]' '\n' | \
sort | \
uniq -c

Review the images used for pods running within Kubernetes.

If there are multiple versions of the same image, this is a finding.
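The check above leaves the reviewer to spot repeated repositories by eye. The following POSIX shell script, added here as an example and not part of the STIG or STIGQter, takes the image list that the kubectl pipeline produces and prints every repository present under more than one tag or digest; the image names are constructed sample data standing in for the kubectl output.

```shell
#!/bin/sh
# Added example (not from the STIG): automate the "multiple versions of the
# same image" test of V-242442 on the output of the check's kubectl pipeline.

# Strip the tag (":tag") or digest ("@sha256:...") from an image reference,
# leaving the repository. A registry port (host:5000/repo) survives because
# only the last path component is inspected for a tag.
image_repo() {
    ref="${1%%@*}"            # drop any digest suffix
    last="${ref##*/}"         # last path component, where a tag would live
    case "$last" in
        *:*) printf '%s\n' "${ref%:*}" ;;
        *)   printf '%s\n' "$ref" ;;
    esac
}

# Read image references (one per line) on stdin; print each repository that
# appears in more than one distinct version, one per line, sorted.
find_multi_version_images() {
    while IFS= read -r img; do
        [ -n "$img" ] || continue
        printf '%s\t%s\n' "$(image_repo "$img")" "$img"
    done | sort -u | cut -f1 | uniq -d
}

# Constructed stand-in for:
#   kubectl get pods --all-namespaces -o jsonpath="{..image}" | tr -s '[[:space:]]' '\n'
SAMPLE_IMAGES='nginx:1.19
nginx:1.21
registry.example:5000/app:2.0
registry.example:5000/app:2.0
k8s.gcr.io/coredns:1.7.0
busybox@sha256:0000000000000000000000000000000000000000000000000000000000000000'

# Any repository printed here is a finding under V-242442.
check_finding() {
    printf '%s\n' "$SAMPLE_IMAGES" | find_multi_version_images
}

check_finding
```

On a live cluster, replace the sample with the real kubectl pipeline from the check; the same pod running the same image twice (as with the app:2.0 entries) is not reported, only genuinely differing versions are.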

Vulnerability Number

V-242442

Documentable

False

Rule Version

CNTR-K8-002700

Severity Override Guidance

To view all pods and the images used to create the pods, from the Master node, run the following command:

kubectl get pods --all-namespaces -o jsonpath="{..image}" | \
tr -s '[[:space:]]' '\n' | \
sort | \
uniq -c

Review the images used for pods running within Kubernetes.

If there are multiple versions of the same image, this is a finding.

Check Content Reference

M

Target Key

5376

Comments