그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그
10 minute read
Overview
The Gardener team takes security seriously, which is why we mandate the Security Technical Implementation Guide (STIG) for Kubernetes as published by the Defense Information Systems Agency (DISA) here. We offer Gardener adopters the opportunity to show compliance with DISA Kubernetes STIG via the compliance checker tool diki. The latest release in machine readable format can be found in the STIGs Document Library by searching for Kubernetes.
Kubernetes Clusters Security Requirements
DISA Kubernetes STIG version 1 release 11 contains 91 rules overall. Only the following rules, however, apply to you. Some of them are secure-by-default, so your responsibility is to make sure that they are not changed. For your convenience, the requirements are grouped logically and per role:
Rules Relevant for Cluster Admins
Control Plane Configuration
| ID | Description | Secure By Default | Comments |
|---|---|---|---|
| 242390 | Kubernetes API server must have anonymous authentication disabled | ✅ | Disabled unless you enable it via enableAnnonymousAuthentication |
| 245543 | Kubernetes API Server must disable token authentication to protect information in transit | ✅ | Disabled unless you enable it via enableStaticTokenKubeconfig |
| 242400 | Kubernetes API server must have Alpha APIs disabled | ✅ | Disabled unless you enable it via featureGates |
| 242436 | Kubernetes API server must have the ValidatingAdmissionWebhook enabled | ✅ | Enabled unless you disable it explicitly via admissionPlugins |
| 242398 | Kubernetes DynamicAuditing must not be enabled | ✅ | Disabled unless you enable it via featureGates |
| 242399 | Kubernetes DynamicKubeletConfig must not be enabled | ✅ | Disabled unless you enable it via featureGates |
| 242393 | Kubernetes Worker Nodes must not have sshd service running | ❌ | Active to allow debugging of network issues, but it is possible to deactivate via the sshAccess setting |
| 242394 | Kubernetes Worker Nodes must not have the sshd service enabled | ❌ | Enabled to allow debugging of network issues, but it is possible to deactivate via the sshAccess setting |
| 242434 | Kubernetes Kubelet must enable kernel protection | ✅ | Enabled for Kubernetes v1.26 or later unless disabled explicitly via protectKernalDefaults |
| 245541 | Kubernetes Kubelet must not disable timeouts | ✅ | Enabled for Kubernetes v1.26 or later unless disabled explicitly via streamingConnectionIdleTimeout |
Audit Configuration
| ID | Description | Secure By Default | Comments |
|---|---|---|---|
| 242402 | The Kubernetes API Server must have an audit log path set | ❌ | It is the user’s responsibility to configure an audit extension that meets the requirements of their organization. Depending on the audit extension implementation the audit logs do not always need to be written on the filesystem, i.e. when --audit-webhook-config-file is set and logs are sent to an audit backend. |
| 242403 | Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event | ❌ | Users should set an audit policy that meets the requirements of their organization. Please consult the Shoot Audit Policy documentation. |
| 242461 | Kubernetes API Server audit logs must be enabled | ❌ | Users should set an audit policy that meets the requirements of their organization. Please consult the Shoot Audit Policy documentation. |
| 242462 | The Kubernetes API Server must be set to audit log max size | ❌ | It is the user’s responsibility to configure an audit extension that meets the requirements of their organization. Depending on the audit extension implementation the audit logs do not always need to be written on the filesystem, i.e. when --audit-webhook-config-file is set and logs are sent to an audit backend. |
| 242463 | The Kubernetes API Server must be set to audit log maximum backup | ❌ | It is the user’s responsibility to configure an audit extension that meets the requirements of their organization. Depending on the audit extension implementation the audit logs do not always need to be written on the filesystem, i.e. when --audit-webhook-config-file is set and logs are sent to an audit backend. |
| 242464 | The Kubernetes API Server audit log retention must be set | ❌ | It is the user’s responsibility to configure an audit extension that meets the requirements of their organization. Depending on the audit extension implementation the audit logs do not always need to be written on the filesystem, i.e. when --audit-webhook-config-file is set and logs are sent to an audit backend. |
| 242465 | The Kubernetes API Server audit log path must be set | ❌ | It is the user’s responsibility to configure an audit extension that meets the requirements of their organization. Depending on the audit extension implementation the audit logs do not always need to be written on the filesystem, i.e. when --audit-webhook-config-file is set and logs are sent to an audit backend. |
End User Workload
| ID | Description | Secure By Default | Comments |
|---|---|---|---|
| 242395 | Kubernetes dashboard must not be enabled | ✅ | Not installed unless you install it via kubernetesDashboard. |
| 242414 | Kubernetes cluster must use non-privileged host ports for user pods | ❌ | Do not use any ports below 1024 for your own workload. |
| 242415 | Secrets in Kubernetes must not be stored as environment variables | ❌ | Always mount secrets as volumes and never as environment variables. |
| 242383 | User-managed resources must be created in dedicated namespaces | ❌ | Create and use your own/dedicated namespaces and never place anything into the default, kube-system, kube-public, or kube-node-lease namespace. The default namespace is never to be used while the other above listed namespaces are only to be used by the Kubernetes provider (here Gardener). |
| 242417 | Kubernetes must separate user functionality | ❌ | While 242383 is about all resources, this rule is specifically about pods. Create and use your own/dedicated namespaces and never place pods into the default, kube-system, kube-public, or kube-node-lease namespace. The default namespace is never to be used while the other above listed namespaces are only to be used by the Kubernetes provider (here Gardener). |
| 242437 | Kubernetes must have a pod security policy set | ✅ | Set, but Gardener can only set default pod security policies (PSP) and does so only until v1.24 as with v1.25 PSPs were removed (deprecated since v1.21) and replaced with Pod Security Standards (see this blog for more information). Whatever the technology, you are responsible to configure custom-tailured appropriate PSPs respectively use them or PSSs, depending on your own workload and security needs (only you know what a pod should be allowed to do). |
| 242442 | Kubernetes must remove old components after updated versions have been installed | ❌ | While Gardener manages all its components in its system namespaces (automated), you are naturally responsible for your own workload. |
| 254800 | Kubernetes must have a Pod Security Admission control file configured | ❌ | Gardener ensures that the pod security configuration allows system components to be deployed in the kube-system namespace but does not set configurations that can affect user namespaces. It is recommended that users enforce a minimum of baseline pod security level for their workload via PodSecurity admission plugin. |
Rules Relevant for Service Providers
| ID | Description |
|---|---|
| 242376 | The Kubernetes Controller Manager must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination. |
| 242377 | The Kubernetes Scheduler must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination. |
| 242378 | The Kubernetes API Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination. |
| 242379 | The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination. |
| 242380 | The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination. |
| 242381 | The Kubernetes Controller Manager must create unique service accounts for each work payload. |
| 242382 | The Kubernetes API Server must enable Node,RBAC as the authorization mode. |
| 242384 | The Kubernetes Scheduler must have secure binding. |
| 242385 | The Kubernetes Controller Manager must have secure binding. |
| 242386 | The Kubernetes API server must have the insecure port flag disabled. |
| 242387 | The Kubernetes Kubelet must have the “readOnlyPort” flag disabled. |
| 242388 | The Kubernetes API server must have the insecure bind address not set. |
| 242389 | The Kubernetes API server must have the secure port set. |
| 242391 | The Kubernetes Kubelet must have anonymous authentication disabled. |
| 242392 | The Kubernetes kubelet must enable explicit authorization. |
| 242396 | Kubernetes Kubectl cp command must give expected access and results. |
| 242397 | The Kubernetes kubelet staticPodPath must not enable static pods. |
| 242404 | Kubernetes Kubelet must deny hostname override. |
| 242405 | The Kubernetes manifests must be owned by root. |
| 242406 | The Kubernetes KubeletConfiguration file must be owned by root. |
| 242407 | The Kubernetes KubeletConfiguration files must have file permissions set to 644 or more restrictive. |
| 242408 | The Kubernetes manifest files must have least privileges. |
| 242409 | Kubernetes Controller Manager must disable profiling. |
| 242410 | The Kubernetes API Server must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL). |
| 242411 | The Kubernetes Scheduler must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL). |
| 242412 | The Kubernetes Controllers must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL). |
| 242413 | The Kubernetes etcd must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL). |
| 242418 | The Kubernetes API server must use approved cipher suites. |
| 242419 | Kubernetes API Server must have the SSL Certificate Authority set. |
| 242420 | Kubernetes Kubelet must have the SSL Certificate Authority set. |
| 242421 | Kubernetes Controller Manager must have the SSL Certificate Authority set. |
| 242422 | Kubernetes API Server must have a certificate for communication. |
| 242423 | Kubernetes etcd must enable client authentication to secure service. |
| 242424 | Kubernetes Kubelet must enable tlsPrivateKeyFile for client authentication to secure service. |
| 242425 | Kubernetes Kubelet must enable tlsCertFile for client authentication to secure service. |
| 242426 | Kubernetes etcd must enable client authentication to secure service. |
| 242427 | Kubernetes etcd must have a key file for secure communication. |
| 242428 | Kubernetes etcd must have a certificate for communication. |
| 242429 | Kubernetes etcd must have the SSL Certificate Authority set. |
| 242430 | Kubernetes etcd must have a certificate for communication. |
| 242431 | Kubernetes etcd must have a key file for secure communication. |
| 242432 | Kubernetes etcd must have peer-cert-file set for secure communication. |
| 242433 | Kubernetes etcd must have a peer-key-file set for secure communication. |
| 242438 | Kubernetes API Server must configure timeouts to limit attack surface. |
| 242443 | Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs. |
| 242444 | The Kubernetes component manifests must be owned by root. |
| 242445 | The Kubernetes component etcd must be owned by etcd. |
| 242446 | The Kubernetes conf files must be owned by root. |
| 242447 | The Kubernetes Kube Proxy must have file permissions set to 644 or more restrictive. |
| 242448 | The Kubernetes Kube Proxy must be owned by root. |
| 242449 | The Kubernetes Kubelet certificate authority file must have file permissions set to 644 or more restrictive. |
| 242450 | The Kubernetes Kubelet certificate authority must be owned by root. |
| 242451 | The Kubernetes component PKI must be owned by root. |
| 242452 | The Kubernetes kubelet KubeConfig must have file permissions set to 644 or more restrictive. |
| 242453 | The Kubernetes kubelet KubeConfig file must be owned by root. |
| 242454 | The Kubernetes kubeadm.conf must be owned by root. |
| 242455 | The Kubernetes kubeadm.conf must have file permissions set to 644 or more restrictive. |
| 242456 | The Kubernetes kubelet config must have file permissions set to 644 or more restrictive. |
| 242457 | The Kubernetes kubelet config must be owned by root. |
| 242459 | The Kubernetes etcd must have file permissions set to 644 or more restrictive. |
| 242460 | The Kubernetes admin.conf must have file permissions set to 644 or more restrictive. |
| 242466 | The Kubernetes PKI CRT must have file permissions set to 644 or more restrictive. |
| 242467 | The Kubernetes PKI keys must have file permissions set to 600 or more restrictive. |
| 245542 | Kubernetes API Server must disable basic authentication to protect information in transit. |
| 245544 | Kubernetes endpoints must use approved organizational certificate and key pair to protect information in transit. |
| 254801 | Kubernetes must enable PodSecurity admission controller on static pods and Kubelets. |