V-242414—The Kubernetes cluster must use non-privileged host ports for user pods.
>Control Description
>Check Content
On the Control Plane, list every pod in the cluster:
$ kubectl get pods --all-namespaces
The list returned is all pods running within the Kubernetes cluster. For each pod running within a user namespace (the system namespaces are kube-system, kube-node-lease and kube-public), review the ports it declares:
$ kubectl get pod podname -o yaml | grep -i port
Note: In the above command, "podname" is the name of the pod. For the command to work correctly, the current context must be changed to the namespace for the pod. The command to do this is:
$ kubectl config set-context --current --namespace=namespace-name
(Note: "namespace-name" is the name of the namespace.) Passing "-n namespace-name" to kubectl get pod instead of changing the context is equivalent.
Review the ports that are returned for the pod. The entries that matter are hostPort values; a host-privileged port is a hostPort below 1024, which requires elevated privileges to bind on the node. If any host-privileged ports are returned for any of the pods, this is a finding.
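The manual grep above must be repeated for every user-namespace pod. The script below is an added example, not part of the STIG text or of any DISA tooling: it applies the same check across the whole cluster in one pass by reading the JSON that kubectl get pods --all-namespaces -o json prints (here replaced by a constructed inline sample) and reporting every container in a non-system namespace that declares a hostPort below 1024. It also inspects initContainers and ephemeralContainers, which the grep catches but a reviewer may overlook. The namespace list comes from the check text; the 1024 threshold, the sample pods and the --live flag are assumptions made for the example.

```python
"""Audit a Kubernetes pod list for privileged hostPort bindings (STIG V-242414).

Added example, not part of the STIG text. It consumes the output of
`kubectl get pods --all-namespaces -o json` (or, by default, a constructed
sample) and reports every container in a user namespace whose ports[] entry
carries a hostPort below 1024.
"""
import json
import subprocess
import sys

# Namespaces the STIG check treats as system namespaces (from the check text).
SYSTEM_NAMESPACES = {"kube-system", "kube-node-lease", "kube-public"}
# Ports below this value are privileged on the host (assumption: standard 1024 limit).
PRIVILEGED_PORT_LIMIT = 1024


def find_privileged_host_ports(pod_list, system_namespaces=SYSTEM_NAMESPACES):
    """Return a list of (namespace, pod, container, hostPort) tuples, one per finding.

    Regular, init and ephemeral containers are all inspected, since any of
    them may declare a ports[].hostPort entry. containerPort alone is ignored:
    it is a pod-network port and does not bind on the node.
    """
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        ns = meta.get("namespace", "default")
        if ns in system_namespaces:
            continue
        spec = pod.get("spec", {})
        containers = (spec.get("containers", [])
                      + spec.get("initContainers", [])
                      + spec.get("ephemeralContainers", []))
        for c in containers:
            for p in c.get("ports") or []:
                host_port = p.get("hostPort")
                if host_port is not None and host_port < PRIVILEGED_PORT_LIMIT:
                    findings.append((ns, meta.get("name"), c.get("name"), host_port))
    return findings


def load_from_kubectl():
    """Fetch the live pod list; only used when run with --live against a real cluster."""
    out = subprocess.check_output(
        ["kubectl", "get", "pods", "--all-namespaces", "-o", "json"])
    return json.loads(out)


# Constructed sample standing in for kubectl output (not real cluster data):
#  - default/web binds hostPort 80            -> finding
#  - apps/api main container uses hostPort 8080 -> compliant,
#    but its init container binds hostPort 443  -> finding
#  - kube-system/coredns binds hostPort 53     -> exempt (system namespace)
SAMPLE_PODS = {
    "items": [
        {"metadata": {"namespace": "default", "name": "web"},
         "spec": {"containers": [
             {"name": "nginx", "ports": [{"containerPort": 80, "hostPort": 80}]}]}},
        {"metadata": {"namespace": "apps", "name": "api"},
         "spec": {"containers": [
             {"name": "api", "ports": [{"containerPort": 8080, "hostPort": 8080}]}],
                  "initContainers": [
             {"name": "migrate", "ports": [{"containerPort": 443, "hostPort": 443}]}]}},
        {"metadata": {"namespace": "kube-system", "name": "coredns"},
         "spec": {"containers": [
             {"name": "coredns", "ports": [{"containerPort": 53, "hostPort": 53}]}]}},
    ]
}


def main(argv):
    pods = load_from_kubectl() if "--live" in argv else SAMPLE_PODS
    findings = find_privileged_host_ports(pods)
    for ns, pod, container, port in findings:
        print(f"FINDING: {ns}/{pod} container {container} binds hostPort {port}")
    # Non-zero exit makes the script usable as a gate in a compliance pipeline.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to see the two findings from the sample, or with --live (requires kubectl access to the control plane) to audit a real cluster; a non-zero exit status means at least one user-namespace pod would fail this check.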
>Remediation
For any of the pods that are using host-privileged ports, reconfigure the pod to use a service to map a host non-privileged port to the pod port (for example, remove the hostPort entry from the pod spec and expose the pod through a NodePort Service, whose node ports are allocated from a non-privileged range, 30000-32767 by default), or reconfigure the image to listen on non-privileged ports.
>CCI References
Control Correlation Identifiers (CCIs) map STIG findings to NIST 800-53 controls.
>Cross-Framework Mappings
NIST SP 800-53 r5
via DISA CCI List