V-242411—The Kubernetes Scheduler must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
CAT II - Medium
CNTR-K8-000930
>Control Description
Kubernetes Scheduler PPS must be controlled and conform to the PPSM CAL. Those ports, protocols, and services that fall outside the PPSM CAL must be blocked. Instructions on the PPSM can be found in DoD Instruction 8551.01 Policy.
>Check Content
Change to the /etc/kubernetes/manifests/ directory on the Kubernetes Control Plane.
$grep kube-scheduler.manifest -I -insecure-port grep kube-scheduler.manifest -I -secure-port -edit manifest file: VIM <Manifest Name> Review livenessProbe: HttpGet: Port: Review ports: - containerPort: hostPort: - containerPort: hostPort: Run Command: kubectl describe services --all-namespaces Search labels for any scheduler namespaces. Port: Any manifest and namespace PPS configuration not in compliance with PPSM CAL is a finding. Review the information systems documentation and interview the team, gain an understanding of the Scheduler architecture, and determine applicable PPS. Any PPS in the system documentation not in compliance with the CAL PPSM is a finding. Any PPSs not set in the system documentation is a finding. Review findings against the most recent PPSM CAL: https://cyber.mil/ppsm/cal/Verify Scheduler network boundary with the PPS associated with the CAL Assurance Categories. Any PPS not in compliance with the CAL Assurance Category requirements is a finding.
>Remediation
Amend any system documentation requiring revision to comply with the PPSM CAL. Update Kubernetes Scheduler manifest and namespace PPS configuration to comply with the PPSM CAL.
>CCI References
Control Correlation Identifiers (CCIs) map STIG findings to NIST 800-53 controls.
>Cross-Framework Mappings
NIST SP 800-53 r5
via DISA CCI ListAsk AI
Configure your API key to use AI features.