CNTR-K8-000960 - The Kubernetes cluster must use non-privileged host ports for user pods.

Information

Privileged ports are those ports below 1024 and that require system privileges for their use. If containers can use these ports, the container must be run as a privileged user. Kubernetes must stop containers that try to map to these ports directly. Allowing non-privileged ports to be mapped to the container-privileged port is the allowable method when a certain port is needed. An example is mapping port 8080 externally to port 80 in the container.

Solution

For any of the pods that are using host-privileged ports, reconfigure the pod to use a service to map a host non-privileged port to the pod port or reconfigure the image to use non-privileged ports.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V2R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b., CAT|II, CCI|CCI-000382, Rule-ID|SV-242414r960966_rule, STIG-ID|CNTR-K8-000960, Vuln-ID|V-242414

Plugin: Unix

Control ID: 47f973eabb6a250ef4d4db74911a5f35b474d21fffd79aeb948889e2f12acff3