>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

V-242436The Kubernetes API server must have the ValidatingAdmissionWebhook enabled.

CAT I - High
CNTR-K8-002000

>Control Description

Enabling the admissions webhook allows for Kubernetes to apply policies against objects that are to be created, read, updated, or deleted. By applying a pod security policy, control can be given to not allow images to be instantiated that run as the root user. If pods run as the root user, the pod then has root privileges to the host system and all the resources it has. An attacker can use this to attack the Kubernetes cluster. By implementing a policy that does not allow root or privileged pods, the pod users are limited in what the pod can do and access.

>Check Content

Prior to version 1.21, to enforce security policiesPod Security Policies (psp) were used. Those are now deprecated and will be removed from version 1.25. Migrate from PSP to PSA: https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/ Pre-version 1.25 Check: Change to the /etc/kubernetes/manifests directory on the Kubernetes Control Plane.

$grep -i ValidatingAdmissionWebhook *

If a line is not returned that includes enable-admission-plugins and ValidatingAdmissionWebhook, this is a finding.

>Remediation

Edit the Kubernetes API Server manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Control Plane. Set the argument "--enable-admission-plugins" to include "ValidatingAdmissionWebhook". Each enabled plugin is separated by commas. Note: It is best to implement policies first and then enable the webhook, otherwise a denial of service may occur.

>CCI References

CCI-002263

Control Correlation Identifiers (CCIs) map STIG findings to NIST 800-53 controls.

>Cross-Framework Mappings

NIST SP 800-53 r5

via DISA CCI List
AC-17(9)
Compare

Ask AI

Configure your API key to use AI features.