>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

V-242397The Kubernetes kubelet staticPodPath must not enable static pods.

CAT I - High
CNTR-K8-000440

>Control Description

Allowing kubelet to set a staticPodPath gives containers with root access permissions to traverse the hosting filesystem. The danger comes when the container can create a manifest file within the /etc/kubernetes/manifests directory. When a manifest is created within this directory, containers are entirely governed by the Kubelet not the API Server. The container is not susceptible to admission control at all. Any containers or pods instantiated in this manner are called "static pods" and are meant to be used for pods such as the API server, scheduler, controller, etc., not workload pods that need to be governed by the API Server.

>Check Content

If staticPodPath is missing in the Kubelet config and in the systemd arguments, the node does not support static pods. 1. To find the staticPodPath setting on Kubernetes worker nodes, follow these steps: a. On the Worker nodes,

$ps -ef | grep kubelet b.

Note the path to the Kubelet configuration file (identified by --config). (ls /var/lib/kubelet/config.yaml is the common location.) c.

$grep -i staticPodPath <path_to_config_file>

If any of the Worker nodes return a value for "staticPodPath", this is a finding. If staticPodPath is not in the config file, check if it is set as a command-line argument. 2. Check Kubelet Systemd Service Arguments. a. Run the following command to check the Kubelet service: sudo systemctl cat kubelet | grep pod-manifest-path If there is no output, staticPodPath is not set in systemd arguments. If there is any return, this is a finding. (Example Return:ExecStart=/usr/bin/kubelet --pod-manifest-path=/etc/kubernetes/manifests This means static pods are defined in /etc/kubernetes/manifests.)

>Remediation

1. Remove staticPodPath setting on Kubernetes worker nodes: a. On each Worker node,

$ps -ef | grep kubelet b.

Note the path to the config file (identified by --config). c. Edit the Kubernetes kubelet file in the --config directory on the Worker nodes. Remove the setting "staticPodPath". d. Restart the kubelet service

$systemctl daemon-reload && systemctl restart kubelet 2.

Remove Kubelet Systemd Service Arguments: a. Modify the systemd Service File.

$sudo systemctl edit --full kubelet (Example Return:ExecStart=/usr/bin/kubelet --pod-manifest-path=/etc/kubernetes/manifests) b. Find and remove --pod-manifest-path. c. Save and exit the editor. d.

Restart the kubelet service

$systemctl daemon-reload && systemctl restart kubelet

>CCI References

CCI-000213

Control Correlation Identifiers (CCIs) map STIG findings to NIST 800-53 controls.

>Cross-Framework Mappings

NIST SP 800-53 r5

via DISA CCI List
AC-3
Compare

Ask AI

Configure your API key to use AI features.