CNTR-K8-001400 - The Kubernetes API server must use approved cipher suites.

Information

The Kubernetes API server communicates to the kubelet service on the nodes to deploy, update, and delete resources. If an attacker were able to get between this communication and modify the request, the Kubernetes cluster could be compromised. Using approved cypher suites for the communication ensures the protection of the transmitted information, confidentiality, and integrity so that the attacker cannot read or alter this communication.

Solution

Edit the Kubernetes API Server manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Control Plane.

Set the value of '--tls-cipher-suites' to:
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V2R2_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-23, CAT|II, CCI|CCI-001184, Rule-ID|SV-242418r961110_rule, STIG-ID|CNTR-K8-001400, Vuln-ID|V-242418

Plugin: Unix

Control ID: 9c196de7a98959f283085cbc7ee4b39a20acd39b31c5205a210dd5787deb572b