
V-242404: Kubernetes Kubelet must deny hostname override.

CAT II - Medium
CNTR-K8-000850

Control Description

Kubernetes allows hostnames to be overridden. Enabling this feature on the kubelets may break the TLS setup between the kubelet service and the API server. The setting can also make it difficult to associate logs with nodes when security analytics needs to take place. The better practice is to set up nodes with resolvable FQDNs and avoid overriding the hostnames.

Check Content

On the Control Plane and Worker nodes, run the command:

$ ps -ef | grep kubelet

If the option "--hostname-override" is present, this is a finding.

Remediation

$ systemctl status kubelet

Note the path to the drop-in file. Determine the path to the environment file(s) with the command: grep -i EnvironmentFile <path_to_drop_in_file>. Remove the "--hostname-override" option from any environment file where it is present. Restart the kubelet service:

$ systemctl daemon-reload && systemctl restart kubelet
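
The check and remediation steps above, as an added shell example that is not part of the STIG text: it flags "--hostname-override" in a kubelet argument string and in the environment files named by a drop-in. The function names, variable names and sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the STIG text.

# Succeeds if an argument string or env-file body sets --hostname-override,
# as "--hostname-override=name" or "--hostname-override name".
# Commented-out lines are ignored.
has_hostname_override() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' |
        grep -Eq -- '(^|[[:space:]"])--hostname-override([[:space:]="]|$)'
}

# Arguments of running kubelet processes only (procps syntax). Unlike
# "ps -ef | grep kubelet", the grep process itself is never listed.
live_kubelet_args() {
    ps -C kubelet -o args= 2>/dev/null || true
}

# Print the files named by EnvironmentFile= lines in a systemd drop-in.
# A leading "-" marks the file as optional in systemd and is stripped.
envfiles_from_dropin() {
    sed -n 's/^[[:space:]]*EnvironmentFile=-\{0,1\}//p' "$1"
}

# Print every existing environment file that still carries the flag.
# Empty output means no finding for this drop-in.
audit_dropin() {
    envfiles_from_dropin "$1" | while IFS= read -r f; do
        if [ -f "$f" ] && has_hostname_override "$(cat "$f")"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample, not from a real node: a drop-in naming two
# environment files, one of which sets the flag.
make_sample() {
    printf 'KUBELET_ARGS="--node-ip=10.0.0.5 --hostname-override=node-a"\n' \
        > "$1/flags.env"
    printf 'KUBELET_EXTRA_ARGS="--v=2"\n' > "$1/extra.env"
    printf '[Service]\nEnvironmentFile=-%s\nEnvironmentFile=%s\n' \
        "$1/flags.env" "$1/extra.env" > "$1/10-kubelet.conf"
}

tmp=$(mktemp -d)
make_sample "$tmp"
audit_dropin "$tmp/10-kubelet.conf"
rm -rf "$tmp"
```

On a node, pass the drop-in path reported by systemctl status kubelet to audit_dropin, and check the running process with has_hostname_override "$(live_kubelet_args)".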

CCI References

Control Correlation Identifiers (CCIs) map STIG findings to NIST 800-53 controls.

Cross-Framework Mappings

NIST SP 800-53 r5

via DISA CCI List
