| CNTR-K8-000150 - The Kubernetes Controller Manager must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination. | ACCESS CONTROL |
| CNTR-K8-000160 - The Kubernetes Scheduler must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination. | ACCESS CONTROL |
| CNTR-K8-000170 - The Kubernetes API Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination. | ACCESS CONTROL |
| CNTR-K8-000180 - The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination. | ACCESS CONTROL |
| CNTR-K8-000190 - The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination. | ACCESS CONTROL |
| CNTR-K8-000220 - The Kubernetes Controller Manager must create unique service accounts for each work payload. | ACCESS CONTROL |
| CNTR-K8-000270 - The Kubernetes API Server must enable Node,RBAC as the authorization mode. | ACCESS CONTROL |
| CNTR-K8-000290 - User-managed resources must be created in dedicated namespaces. | CONFIGURATION MANAGEMENT |
| CNTR-K8-000300 - The Kubernetes Scheduler must have secure binding. | ACCESS CONTROL |
| CNTR-K8-000310 - The Kubernetes Controller Manager must have secure binding. | ACCESS CONTROL |
| CNTR-K8-000320 - The Kubernetes API server must have the insecure port flag disabled. | ACCESS CONTROL |
| CNTR-K8-000330 - The Kubernetes Kubelet must have the 'readOnlyPort' flag disabled - readOnlyPort flag disabled. | ACCESS CONTROL |
| CNTR-K8-000340 - The Kubernetes API server must have the insecure bind address not set. | ACCESS CONTROL |
| CNTR-K8-000350 - The Kubernetes API server must have the secure port set. | ACCESS CONTROL |
| CNTR-K8-000360 - The Kubernetes API server must have anonymous authentication disabled. | ACCESS CONTROL |
| CNTR-K8-000370 - The Kubernetes Kubelet must have anonymous authentication disabled. | ACCESS CONTROL |
| CNTR-K8-000380 - The Kubernetes kubelet must enable explicit authorization. | ACCESS CONTROL |
| CNTR-K8-000400 - Kubernetes Worker Nodes must not have sshd service running. | ACCESS CONTROL |
| CNTR-K8-000410 - Kubernetes Worker Nodes must not have the sshd service enabled. | ACCESS CONTROL |
| CNTR-K8-000420 - Kubernetes dashboard must not be enabled. | ACCESS CONTROL |
| CNTR-K8-000430 - Kubernetes Kubectl cp command must give expected access and results. | ACCESS CONTROL |
| CNTR-K8-000440 - The Kubernetes kubelet staticPodPath must not enable static pods. | ACCESS CONTROL |
| CNTR-K8-000450 - Kubernetes DynamicAuditing must not be enabled - kubelet | ACCESS CONTROL |
| CNTR-K8-000450 - Kubernetes DynamicAuditing must not be enabled - manifest | ACCESS CONTROL |
| CNTR-K8-000460 - Kubernetes DynamicKubeletConfig must not be enabled - kubelet | ACCESS CONTROL |
| CNTR-K8-000460 - Kubernetes DynamicKubeletConfig must not be enabled - manifest | ACCESS CONTROL |
| CNTR-K8-000470 - The Kubernetes API server must have Alpha APIs disabled. | ACCESS CONTROL |
| CNTR-K8-000610 - The Kubernetes API Server must have an audit log path set. | AUDIT AND ACCOUNTABILITY |
| CNTR-K8-000700 - Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event. | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| CNTR-K8-000850 - Kubernetes Kubelet must deny hostname override. | CONFIGURATION MANAGEMENT |
| CNTR-K8-000860 - The Kubernetes manifests must be owned by root. | CONFIGURATION MANAGEMENT |
| CNTR-K8-000880 - The Kubernetes KubeletConfiguration file must be owned by root. | CONFIGURATION MANAGEMENT |
| CNTR-K8-000890 - The Kubernetes KubeletConfiguration files must have file permissions set to 644 or more restrictive. | CONFIGURATION MANAGEMENT |
| CNTR-K8-000900 - The Kubernetes manifest files must have least privileges. | CONFIGURATION MANAGEMENT |
| CNTR-K8-000910 - Kubernetes Controller Manager must disable profiling. | CONFIGURATION MANAGEMENT |
| CNTR-K8-000920 - The Kubernetes API Server must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL). | CONFIGURATION MANAGEMENT |
| CNTR-K8-000930 - The Kubernetes Scheduler must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL). | CONFIGURATION MANAGEMENT |
| CNTR-K8-000940 - The Kubernetes Controllers must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL). | CONFIGURATION MANAGEMENT |
| CNTR-K8-000950 - The Kubernetes etcd must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL). | CONFIGURATION MANAGEMENT |
| CNTR-K8-000960 - The Kubernetes cluster must use non-privileged host ports for user pods. | CONFIGURATION MANAGEMENT |
| CNTR-K8-001160 - Secrets in Kubernetes must not be stored as environment variables. | IDENTIFICATION AND AUTHENTICATION |
| CNTR-K8-001300 - Kubernetes Kubelet must not disable timeouts. | SYSTEM AND COMMUNICATIONS PROTECTION |
| CNTR-K8-001360 - Kubernetes must separate user functionality. | SYSTEM AND COMMUNICATIONS PROTECTION |
| CNTR-K8-001400 - The Kubernetes API server must use approved cipher suites. | SYSTEM AND COMMUNICATIONS PROTECTION |
| CNTR-K8-001410 - Kubernetes API Server must have the SSL Certificate Authority set. | SYSTEM AND COMMUNICATIONS PROTECTION |
| CNTR-K8-001420 - Kubernetes Kubelet must have the SSL Certificate Authority set. | SYSTEM AND COMMUNICATIONS PROTECTION |
| CNTR-K8-001430 - Kubernetes Controller Manager must have the SSL Certificate Authority set. | SYSTEM AND COMMUNICATIONS PROTECTION |
| CNTR-K8-001440 - Kubernetes API Server must have a certificate for communication. | SYSTEM AND COMMUNICATIONS PROTECTION |
| CNTR-K8-001450 - Kubernetes etcd must enable client authentication to secure service. | SYSTEM AND COMMUNICATIONS PROTECTION |
| CNTR-K8-001460 - Kubernetes Kubelet must enable tlsPrivateKeyFile for client authentication to secure service. | SYSTEM AND COMMUNICATIONS PROTECTION |
