Kubernetes Kubectl cp command must give expected access and results.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-242396	CNTR-K8-000430	SV-242396r712544_rule		Medium

Description
One of the tools heavily used to interact with containers in the Kubernetes cluster is kubectl. The command is the tool System Administrators used to create, modify, and delete resources. One of the capabilities of the tool is to copy files to and from running containers (i.e., kubectl cp). The command uses the "tar" command of the container to copy files from the container to the host executing the "kubectl cp" command. If the "tar" command on the container has been replaced by a malicious user, the command can copy files anywhere on the host machine. This flaw has been fixed in later versions of the tool. It is recommended to use kubectl versions newer than 1.12.9.

Description

One of the tools heavily used to interact with containers in the Kubernetes cluster is kubectl. The command is the tool System Administrators used to create, modify, and delete resources. One of the capabilities of the tool is to copy files to and from running containers (i.e., kubectl cp). The command uses the "tar" command of the container to copy files from the container to the host executing the "kubectl cp" command. If the "tar" command on the container has been replaced by a malicious user, the command can copy files anywhere on the host machine. This flaw has been fixed in later versions of the tool. It is recommended to use kubectl versions newer than 1.12.9.

STIG	Date
Kubernetes Security Technical Implementation Guide	2021-04-14

Details

Check Text ( C-45671r712542_chk )
From the Master and each Worker node, check the version of kubectl by executing the command: kubectl version --client If the Master or any Work nodes are not using kubectl version 1.12.9 or newer, this is a finding.

Fix Text (F-45629r712543_fix)
Upgrade the Master and Worker nodes to the latest version of kubectl.