CNTR-K8-001620 - Kubernetes Kubelet must enable kernel protection.

Information

System kernel is responsible for memory, disk, and task management. The kernel provides a gateway between the system hardware and software. Kubernetes requires kernel access to allocate resources to the Control Plane. Threat actors that penetrate the system kernel can inject malicious code or hijack the Kubernetes architecture. It is vital to implement protections through Kubernetes components to reduce the attack surface.

Solution

On the Control Plane, run the command:
ps -ef | grep kubelet

Remove the '--protect-kernel-defaults' option if present.

Note the path to the Kubernetes Kubelet config file (identified by --config).

Edit the Kubernetes Kubelet config file:
Set 'protectKernelDefaults' to 'true'.

Restart the kubelet service using the following command:
systemctl daemon-reload && systemctl restart kubelet

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V2R2_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-3, CAT|I, CCI|CCI-001084, Rule-ID|SV-242434r961131_rule, STIG-ID|CNTR-K8-001620, Vuln-ID|V-242434

Plugin: Unix

Control ID: eb51c559892e848ab515406da965222ce684bae50a3dd264631580b9d64ba239