2.1.9 Ensure that the --keep-terminated-pod-volumes argument is set to false

Information

Unmount volumes from the nodes on pod termination.

Rationale:

On pod termination, you should unmount the volumes. Those volumes might hold sensitive data that could be exposed if they remain mounted on the node after they are no longer in use. Additionally, such mounted volumes could be modified and later mounted into other pods. Also, if you retain all mounted volumes for a long time, it might exhaust system resources and you might not be able to mount any more volumes on new pods.

Solution

Edit the `/etc/kubernetes/kubelet` file on each node and set the `KUBELET_ARGS` parameter to `'--keep-terminated-pod-volumes=false'`:

`KUBELET_ARGS='--keep-terminated-pod-volumes=false'`

Based on your system, restart the `kubelet` service. For example: `systemctl restart kubelet.service`
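An added audit helper for this control (not part of the benchmark or of Tenable's own check) that inspects a `KUBELET_ARGS` string, the kubelet environment file, or the running kubelet command line and passes only when the flag is explicitly `false`. The function names, the use of a procps-style `ps -C`, and the sample inputs are my own assumptions and constructed for illustration.

```shell
#!/bin/sh
# Added audit helper; not part of the benchmark. Reports PASS (return 0) only
# when --keep-terminated-pod-volumes is explicitly set to false.

# $1: an argument string, e.g. the KUBELET_ARGS value or a kubelet command line.
check_keep_terminated_pod_volumes() {
  case " $1 " in
    *" --keep-terminated-pod-volumes=false "*)
      printf 'PASS: terminated pod volumes are unmounted\n'; return 0 ;;
    *" --keep-terminated-pod-volumes "*|*" --keep-terminated-pod-volumes=true "*)
      # A bare boolean flag means true: volumes stay mounted after termination.
      printf 'FAIL: volumes are kept mounted after pod termination\n'; return 1 ;;
    *)
      printf 'FAIL: flag not set explicitly; set it to false\n'; return 1 ;;
  esac
}

# $1: path to the kubelet environment file (defaults to the benchmark's path).
audit_kubelet_file() {
  f="${1:-/etc/kubernetes/kubelet}"
  [ -r "$f" ] || { printf 'FAIL: cannot read %s\n' "$f"; return 1; }
  # Take the last KUBELET_ARGS assignment (shell semantics) and strip quotes.
  args=$(sed -n 's/^KUBELET_ARGS=//p' "$f" | tail -n 1 | sed "s/^['\"]//; s/['\"]\$//")
  check_keep_terminated_pod_volumes "$args"
}

# Checks the live process, since the file and the running flags can disagree
# until kubelet is restarted. Assumes a Linux ps that supports -C (procps).
audit_running_kubelet() {
  args=$(ps -o args= -C kubelet 2>/dev/null | head -n 1)
  [ -n "$args" ] || { printf 'FAIL: no kubelet process found\n'; return 1; }
  check_keep_terminated_pod_volumes "$args"
}

# Demo on constructed inputs (not taken from a real node).
for sample in \
  '--address=0.0.0.0 --keep-terminated-pod-volumes=false' \
  '--address=0.0.0.0 --keep-terminated-pod-volumes' \
  '--address=0.0.0.0'; do
  printf '%s => ' "$sample"
  check_keep_terminated_pod_volumes "$sample" || :
done
```

Run `audit_kubelet_file` before the restart and `audit_running_kubelet` after it, so that both the file and the live process are confirmed.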

Impact:

Volumes will not be available for debugging.

See Also

https://workbench.cisecurity.org/files/1738

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CSCv6|14

Plugin: Unix

Control ID: 502465c8f5fcbec82f9210f24e0ac3783d72c196af69049a6d42ea2363ee7549