그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그

  10 minute read  

Overview

The Gardener team takes security seriously, which is why we mandate the Security Technical Implementation Guide (STIG) for Kubernetes as published by the Defense Information Systems Agency (DISA) here. We offer Gardener adopters the opportunity to show compliance with DISA Kubernetes STIG via the compliance checker tool diki. The latest release in machine readable format can be found in the STIGs Document Library by searching for Kubernetes.

Kubernetes Clusters Security Requirements

DISA Kubernetes STIG version 1 release 11 contains 91 rules overall. Only the following rules, however, apply to you. Some of them are secure-by-default, so your responsibility is to make sure that they are not changed. For your convenience, the requirements are grouped logically and per role:

Rules Relevant for Cluster Admins

Control Plane Configuration

IDDescriptionSecure By DefaultComments
242390Kubernetes API server must have anonymous authentication disabledDisabled unless you enable it via enableAnnonymousAuthentication
245543Kubernetes API Server must disable token authentication to protect information in transitDisabled unless you enable it via enableStaticTokenKubeconfig
242400Kubernetes API server must have Alpha APIs disabledDisabled unless you enable it via featureGates
242436Kubernetes API server must have the ValidatingAdmissionWebhook enabledEnabled unless you disable it explicitly via admissionPlugins
242393Kubernetes Worker Nodes must not have sshd service runningActive to allow debugging of network issues, but it is possible to deactivate via the sshAccess setting
242394Kubernetes Worker Nodes must not have the sshd service enabledEnabled to allow debugging of network issues, but it is possible to deactivate via the sshAccess setting
242434Kubernetes Kubelet must enable kernel protectionEnabled for Kubernetes v1.26 or later unless disabled explicitly via protectKernalDefaults
245541Kubernetes Kubelet must not disable timeoutsEnabled for Kubernetes v1.26 or later unless disabled explicitly via streamingConnectionIdleTimeout

Audit Configuration

IDDescriptionSecure By DefaultComments
242402The Kubernetes API Server must have an audit log path setIt is the user’s responsibility to configure an audit extension that meets the requirements of their organization. Depending on the audit extension implementation the audit logs do not always need to be written on the filesystem, i.e. when --audit-webhook-config-file is set and logs are sent to an audit backend.
242403Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the eventUsers should set an audit policy that meets the requirements of their organization. Please consult the Shoot Audit Policy documentation.
242461Kubernetes API Server audit logs must be enabledUsers should set an audit policy that meets the requirements of their organization. Please consult the Shoot Audit Policy documentation.
242462The Kubernetes API Server must be set to audit log max sizeIt is the user’s responsibility to configure an audit extension that meets the requirements of their organization. Depending on the audit extension implementation the audit logs do not always need to be written on the filesystem, i.e. when --audit-webhook-config-file is set and logs are sent to an audit backend.
242463The Kubernetes API Server must be set to audit log maximum backupIt is the user’s responsibility to configure an audit extension that meets the requirements of their organization. Depending on the audit extension implementation the audit logs do not always need to be written on the filesystem, i.e. when --audit-webhook-config-file is set and logs are sent to an audit backend.
242464The Kubernetes API Server audit log retention must be setIt is the user’s responsibility to configure an audit extension that meets the requirements of their organization. Depending on the audit extension implementation the audit logs do not always need to be written on the filesystem, i.e. when --audit-webhook-config-file is set and logs are sent to an audit backend.
242465The Kubernetes API Server audit log path must be setIt is the user’s responsibility to configure an audit extension that meets the requirements of their organization. Depending on the audit extension implementation the audit logs do not always need to be written on the filesystem, i.e. when --audit-webhook-config-file is set and logs are sent to an audit backend.

End User Workload

IDDescriptionSecure By DefaultComments
242395Kubernetes dashboard must not be enabledNot installed unless you install it via kubernetesDashboard.
242414Kubernetes cluster must use non-privileged host ports for user podsDo not use any ports below 1024 for your own workload.
242415Secrets in Kubernetes must not be stored as environment variablesAlways mount secrets as volumes and never as environment variables.
242383User-managed resources must be created in dedicated namespacesCreate and use your own/dedicated namespaces and never place anything into the default, kube-system, kube-public, or kube-node-lease namespace. The default namespace is never to be used while the other above listed namespaces are only to be used by the Kubernetes provider (here Gardener).
242417Kubernetes must separate user functionalityWhile 242383 is about all resources, this rule is specifically about pods. Create and use your own/dedicated namespaces and never place pods into the default, kube-system, kube-public, or kube-node-lease namespace. The default namespace is never to be used while the other above listed namespaces are only to be used by the Kubernetes provider (here Gardener).
242437Kubernetes must have a pod security policy setSet, but Gardener can only set default pod security policies (PSP) and does so only until v1.24 as with v1.25 PSPs were removed (deprecated since v1.21) and replaced with Pod Security Standards (see this blog for more information). Whatever the technology, you are responsible to configure custom-tailured appropriate PSPs respectively use them or PSSs, depending on your own workload and security needs (only you know what a pod should be allowed to do).
242442Kubernetes must remove old components after updated versions have been installedWhile Gardener manages all its components in its system namespaces (automated), you are naturally responsible for your own workload.
254800Kubernetes must have a Pod Security Admission control file configuredGardener ensures that the pod security configuration allows system components to be deployed in the kube-system namespace but does not set configurations that can affect user namespaces. It is recommended that users enforce a minimum of baseline pod security level for their workload via PodSecurity admission plugin.

Rules Relevant for Service Providers

IDDescription
242376The Kubernetes Controller Manager must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
242377The Kubernetes Scheduler must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
242378The Kubernetes API Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
242379The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.
242380The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.
242381The Kubernetes Controller Manager must create unique service accounts for each work payload.
242382The Kubernetes API Server must enable Node,RBAC as the authorization mode.
242384The Kubernetes Scheduler must have secure binding.
242385The Kubernetes Controller Manager must have secure binding.
242386The Kubernetes API server must have the insecure port flag disabled.
242387The Kubernetes Kubelet must have the “readOnlyPort” flag disabled.
242388The Kubernetes API server must have the insecure bind address not set.
242389The Kubernetes API server must have the secure port set.
242391The Kubernetes Kubelet must have anonymous authentication disabled.
242392The Kubernetes kubelet must enable explicit authorization.
242396Kubernetes Kubectl cp command must give expected access and results.
242397The Kubernetes kubelet staticPodPath must not enable static pods.
242398Kubernetes DynamicAuditing must not be enabled.
242399Kubernetes DynamicKubeletConfig must not be enabled.
242404Kubernetes Kubelet must deny hostname override.
242405The Kubernetes manifests must be owned by root.
242406The Kubernetes KubeletConfiguration file must be owned by root.
242407The Kubernetes KubeletConfiguration files must have file permissions set to 644 or more restrictive.
242408The Kubernetes manifest files must have least privileges.
242409Kubernetes Controller Manager must disable profiling.
242410The Kubernetes API Server must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
242411The Kubernetes Scheduler must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
242412The Kubernetes Controllers must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
242413The Kubernetes etcd must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
242418The Kubernetes API server must use approved cipher suites.
242419Kubernetes API Server must have the SSL Certificate Authority set.
242420Kubernetes Kubelet must have the SSL Certificate Authority set.
242421Kubernetes Controller Manager must have the SSL Certificate Authority set.
242422Kubernetes API Server must have a certificate for communication.
242423Kubernetes etcd must enable client authentication to secure service.
242424Kubernetes Kubelet must enable tlsPrivateKeyFile for client authentication to secure service.
242425Kubernetes Kubelet must enable tlsCertFile for client authentication to secure service.
242426Kubernetes etcd must enable client authentication to secure service.
242427Kubernetes etcd must have a key file for secure communication.
242428Kubernetes etcd must have a certificate for communication.
242429Kubernetes etcd must have the SSL Certificate Authority set.
242430Kubernetes etcd must have a certificate for communication.
242431Kubernetes etcd must have a key file for secure communication.
242432Kubernetes etcd must have peer-cert-file set for secure communication.
242433Kubernetes etcd must have a peer-key-file set for secure communication.
242438Kubernetes API Server must configure timeouts to limit attack surface.
242443Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs.
242444The Kubernetes component manifests must be owned by root.
242445The Kubernetes component etcd must be owned by etcd.
242446The Kubernetes conf files must be owned by root.
242447The Kubernetes Kube Proxy must have file permissions set to 644 or more restrictive.
242448The Kubernetes Kube Proxy must be owned by root.
242449The Kubernetes Kubelet certificate authority file must have file permissions set to 644 or more restrictive.
242450The Kubernetes Kubelet certificate authority must be owned by root.
242451The Kubernetes component PKI must be owned by root.
242452The Kubernetes kubelet KubeConfig must have file permissions set to 644 or more restrictive.
242453The Kubernetes kubelet KubeConfig file must be owned by root.
242454The Kubernetes kubeadm.conf must be owned by root.
242455The Kubernetes kubeadm.conf must have file permissions set to 644 or more restrictive.
242456The Kubernetes kubelet config must have file permissions set to 644 or more restrictive.
242457The Kubernetes kubelet config must be owned by root.
242459The Kubernetes etcd must have file permissions set to 644 or more restrictive.
242460The Kubernetes admin.conf must have file permissions set to 644 or more restrictive.
242466The Kubernetes PKI CRT must have file permissions set to 644 or more restrictive.
242467The Kubernetes PKI keys must have file permissions set to 600 or more restrictive.
245542Kubernetes API Server must disable basic authentication to protect information in transit.
245544Kubernetes endpoints must use approved organizational certificate and key pair to protect information in transit.
254801Kubernetes must enable PodSecurity admission controller on static pods and Kubelets.