CNTR-K8-000850 - Kubernetes Kubelet must deny hostname override.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Kubernetes allows for the overriding of hostnames. Allowing this feature to be implemented within the kubelets may break the TLS setup between the kubelet service and the API server. This setting also can make it difficult to associate logs with nodes if security analytics needs to take place. The better practice is to setup nodes with resolvable FQDNs and avoid overriding the hostnames.

Solution

Edit the Kubernetes Kubelet file in the /etc/sysconfig directory on the Master and Worker nodes and remove the '--hostname-override' setting. Restart the service after the change is made by running:

service kubelet restart

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V1R6_STIG.zip

Item Details

References: CAT|II, CCI|CCI-001499, Rule-ID|SV-242404r712568_rule, STIG-ID|CNTR-K8-000850, Vuln-ID|V-242404

Plugin: Unix

Control ID: 962ff1e692688d723cc82499783bc40633ddff3ad0141c521d3161f110035b4a