Detections
Analytics
CNTR-K8-001620 - Kubernetes Kubelet must enable kernel protection.
Information
System kernel is responsible for memory, disk, and task management. The kernel provides a gateway between the system hardware and software. Kubernetes requires kernel access to allocate resources to the Control Plane. Threat actors that penetrate the system kernel can inject malicious code or hijack the Kubernetes architecture. It is vital to implement protections through Kubernetes components to reduce the attack surface.Solution
On the Control Plane, run the command:ps -ef | grep kubelet
Remove the '--protect-kernel-defaults' option if present.
Note the path to the Kubernetes Kubelet config file (identified by --config).
Edit the Kubernetes Kubelet config file:
Set 'protectKernelDefaults' to 'true'.
Restart the kubelet service using the following command:
systemctl daemon-reload && systemctl restart kubelet
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V2R5_STIG.zip
Item Details
Audit Name: DISA STIG Kubernetes v2r5
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-3, CAT|I, CCI|CCI-001084, Rule-ID|SV-242434r961131_rule, STIG-ID|CNTR-K8-001620, Vuln-ID|V-242434
Plugin: Unix
Control ID: eb51c559892e848ab515406da965222ce684bae50a3dd264631580b9d64ba239