
Kubernetes must have a Pod Security Admission feature gate set.


Overview

Finding ID: V-254801
Version: CNTR-K8-002001
Rule ID: SV-254801r864044_rule
IA Controls: (none listed)
Severity: High
Description
"In order to implement the Pod Security Admission controller, feature gates must be enabled. Feature gates are a set of key=value pairs that describe Kubernetes features. You can turn these features on or off using the --feature-gates command line flag on each Kubernetes component."
STIG: Kubernetes Security Technical Implementation Guide
Date: 2022-12-02

Details

Check Text ( C-58412r863729_chk )
Check Static Pods:
On the Control Plane, change to the manifests' directory at /etc/kubernetes/manifests and run the command:

grep -i PodSecurity=true *

Ensure the argument "--feature-gates=PodSecurity=true" is present in each manifest file. Because the flag takes a comma-separated list, the gate may also sit inside a longer value alongside other gates (for example "--feature-gates=<another gate>=true,PodSecurity=true"); that satisfies the check, whereas "PodSecurity=false" or no PodSecurity entry at all does not.

If kube-apiserver, kube-controller-manager or kube-scheduler is missing the argument "--feature-gates=PodSecurity=true", this is a finding.

Check Kubelet:
Run the following command on each Worker Node:
ps -ef | grep kubelet

Verify that the "--feature-gates=PodSecurity=true" argument exists, either on the kubelet command line or in the configuration file named by its --config argument. If it doesn't exist, this is a finding.

Check Control Plane Kubelet config file:
On the Kubernetes Control Plane, run the command:
ps -ef | grep kubelet
Check the config file (path identified by: --config).

Verify that the PodSecurity gate is enabled. A KubeletConfiguration file does not carry the literal "--feature-gates=" string; the equivalent setting there is the "featureGates" map with the entry "PodSecurity: true". If neither the command-line argument nor the config-file entry exists, this is a finding.
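The manifest and kubelet checks above, as an added shell script that is not part of the STIG or of any Kubernetes tooling. It assumes kubeadm's default manifest file names under /etc/kubernetes/manifests and a KubeletConfiguration file at /var/lib/kubelet/config.yaml (both paths can be overridden through the environment; confirm the kubelet path against --config). Run with "audit" on a node to perform the actual check; with no argument it builds constructed sample manifests in a temporary directory and shows a passing set next to a failing one.

```shell
#!/bin/sh
# Added example for CNTR-K8-002001; not part of the STIG or of Kubernetes.
# Audits what the check text asks for: the --feature-gates argument in the
# three control-plane static-pod manifests and the PodSecurity gate in the
# kubelet's configuration. Assumes kubeadm's default manifest names
# (kube-apiserver.yaml, kube-controller-manager.yaml, kube-scheduler.yaml)
# and a KubeletConfiguration YAML; override MANIFEST_DIR / KUBELET_CONFIG
# if the cluster uses other paths.
MANIFEST_DIR="${MANIFEST_DIR:-/etc/kubernetes/manifests}"
KUBELET_CONFIG="${KUBELET_CONFIG:-/var/lib/kubelet/config.yaml}"

# flag_gate_enabled FILE: 0 if FILE holds a --feature-gates=... argument whose
# comma-separated list contains PodSecurity=true (other gates may surround it;
# PodSecurity=false or a missing gate does not match), else 1.
flag_gate_enabled() {
    grep -E -e '--feature-gates=([^[:space:]",]*,)*PodSecurity=true(,|"|[[:space:]]|$)' \
        "$1" >/dev/null 2>&1
}

# yaml_gate_enabled FILE: 0 if a KubeletConfiguration file sets
# featureGates.PodSecurity to true. Only the featureGates: block counts, so a
# "PodSecurity: true" under some other key is ignored.
yaml_gate_enabled() {
    awk '
        /^featureGates:/            { in_block = 1; next }
        in_block && /^[^[:space:]]/ { in_block = 0 }
        in_block && /^[[:space:]]+PodSecurity:[[:space:]]*true[[:space:]]*$/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1" 2>/dev/null
}

# check_static_pods DIR: one line per component; returns 0 only when all three
# carry the gate, which is the STIG's "is a finding" rule.
check_static_pods() {
    dir="$1"; rc=0
    for comp in kube-apiserver kube-controller-manager kube-scheduler; do
        if [ -f "$dir/$comp.yaml" ] && flag_gate_enabled "$dir/$comp.yaml"; then
            echo "OK      $comp: --feature-gates includes PodSecurity=true"
        else
            echo "FINDING $comp: --feature-gates=PodSecurity=true missing in $dir/$comp.yaml"
            rc=1
        fi
    done
    return $rc
}

# check_kubelet FILE: accepts either form the STIG mentions, the map entry in
# the --config file or a --feature-gates flag (e.g. in a systemd drop-in).
check_kubelet() {
    if [ -f "$1" ] && { yaml_gate_enabled "$1" || flag_gate_enabled "$1"; }; then
        echo "OK      kubelet: PodSecurity gate enabled in $1"
    else
        echo "FINDING kubelet: PodSecurity gate not enabled in $1"
        return 1
    fi
}

# write_fixtures BASE: constructed sample files (not taken from any cluster) so
# the checks can be exercised offline: BASE/good passes, BASE/bad fails.
write_fixtures() {
    mkdir -p "$1/good" "$1/bad"
    for comp in kube-apiserver kube-controller-manager kube-scheduler; do
        printf 'spec:\n  containers:\n  - command:\n    - %s\n    - --feature-gates=PodSecurity=true\n' \
            "$comp" > "$1/good/$comp.yaml"
    done
    cp "$1/good/kube-apiserver.yaml" "$1/bad/kube-apiserver.yaml"
    # controller-manager carries only an unrelated gate; scheduler turns it off
    printf 'spec:\n  containers:\n  - command:\n    - kube-controller-manager\n    - --feature-gates=RotateKubeletServerCertificate=true\n' \
        > "$1/bad/kube-controller-manager.yaml"
    printf 'spec:\n  containers:\n  - command:\n    - kube-scheduler\n    - --feature-gates=PodSecurity=false\n' \
        > "$1/bad/kube-scheduler.yaml"
    printf 'kind: KubeletConfiguration\nfeatureGates:\n  PodSecurity: true\n' > "$1/good/kubelet.yaml"
    printf 'kind: KubeletConfiguration\nfeatureGates: {}\n' > "$1/bad/kubelet.yaml"
}

case "${1:-demo}" in
    audit)  # run on a real node
        check_static_pods "$MANIFEST_DIR"; check_kubelet "$KUBELET_CONFIG" ;;
    demo)   # show both outcomes on the constructed fixtures
        d=$(mktemp -d); write_fixtures "$d"
        echo "== compliant:";     check_static_pods "$d/good"; check_kubelet "$d/good/kubelet.yaml"
        echo "== non-compliant:"; check_static_pods "$d/bad";  check_kubelet "$d/bad/kubelet.yaml"
        rm -rf "$d" ;;
esac
```

The grep pattern deliberately anchors on the full flag so that a value in which the gate is merely mentioned but disabled ("PodSecurity=false") is reported as a finding, and the kubelet check restricts itself to the featureGates block rather than any line containing "PodSecurity: true".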
Fix Text (F-58358r863730_fix)
Add the "--feature-gates=PodSecurity=true" argument to every component of Kubernetes. (PodSecurity became generally available in Kubernetes 1.25; on releases that have since dropped the gate name, every component rejects an unrecognized gate at startup, so confirm the cluster version's release notes before adding the flag.)

kube-apiserver, kube-controller-manager and kube-scheduler:
These components are started as static pods; their manifests are in the /etc/kubernetes/manifests/ folder.
Add the "--feature-gates=PodSecurity=true" argument to the container command in each of the files. The kubelet restarts a static pod when its manifest changes, so edit one manifest at a time and keep any backup copy outside that folder, since every file in it is treated as a pod manifest.

Kubelet:
Edit the kubelet configuration file (the path is given by the --config argument on the kubelet command line) on the Kubernetes Control Plane and on each Worker Node:
Add the PodSecurity gate. If the kubelet is configured by flags, add "--feature-gates=PodSecurity=true" to its arguments; in a KubeletConfiguration file the same setting is the "featureGates" map with the entry "PodSecurity: true".

Restart the Kubelet service using the following command (or "systemctl restart kubelet" on systemd hosts):
service kubelet restart

Note: if your cluster has multiple nodes you will need to make the changes on every node where the components are deployed.
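The fix above, as an added shell script that is not part of the STIG or of Kubernetes. It edits kubeadm-style static-pod manifests and a KubeletConfiguration file in place and idempotently: an existing --feature-gates value gains PodSecurity=true (or has PodSecurity=false flipped), a missing one is inserted right after the component binary, and the kubelet file gets a featureGates block or a PodSecurity entry in the existing block. Assumptions: the container "command:" list begins with the binary name (e.g. "- kube-apiserver"), featureGates in the kubelet file is absent, an empty map ({}) or a block map, and the backup directory /root/k8s-config-backup (overridable) lies outside the manifests folder. Run with "apply" on a node; with no argument it rewrites constructed sample files and prints the result.

```shell
#!/bin/sh
# Added example for the fix text of CNTR-K8-002001; not part of the STIG or
# of Kubernetes. Idempotently adds PodSecurity=true to --feature-gates in
# kubeadm-style static-pod manifests and to featureGates in a
# KubeletConfiguration file. Assumptions: the "command:" list starts with
# the component binary ("- kube-apiserver"); featureGates is absent, "{}" or
# a block map; backups go OUTSIDE the manifests directory, because the
# kubelet treats every file there as a pod manifest.
MANIFEST_DIR="${MANIFEST_DIR:-/etc/kubernetes/manifests}"
KUBELET_CONFIG="${KUBELET_CONFIG:-/var/lib/kubelet/config.yaml}"
BACKUP_DIR="${BACKUP_DIR:-/root/k8s-config-backup}"

# fix_manifest FILE: pass 1 (NR == FNR) learns whether a --feature-gates item
# exists; pass 2 rewrites it, or inserts one after the binary name if absent.
fix_manifest() {
    [ -s "$1" ] || return 1
    awk '
        NR == FNR { if (/^[[:space:]]*-[[:space:]]*--feature-gates=/) have = 1; next }
        have && /^[[:space:]]*-[[:space:]]*--feature-gates=/ {
            if ($0 ~ /PodSecurity=false/)      sub(/PodSecurity=false/, "PodSecurity=true")
            else if ($0 !~ /PodSecurity=true/) sub(/--feature-gates=/, "--feature-gates=PodSecurity=true,")
        }
        { print }
        !have && !done && /^[[:space:]]*-[[:space:]]*kube-(apiserver|controller-manager|scheduler)[[:space:]]*$/ {
            match($0, /^[[:space:]]*-[[:space:]]*/)
            print substr($0, 1, RLENGTH) "--feature-gates=PodSecurity=true"
            done = 1
        }
    ' "$1" "$1" > "$1.tmp.$$" && mv "$1.tmp.$$" "$1"
}

# fix_kubelet_config FILE: the same two-pass idea for the YAML map. An empty
# "featureGates: {}" is replaced by a block; an existing block gets the key.
fix_kubelet_config() {
    [ -s "$1" ] || return 1
    awk '
        NR == FNR { if (/^featureGates:/) have = 1; next }
        /^featureGates:[[:space:]]*[{][[:space:]]*[}][[:space:]]*$/ { print "featureGates:\n  PodSecurity: true"; done = 1; next }
        /^featureGates:[[:space:]]*$/ { print; in_block = 1; next }
        in_block && /^[[:space:]]+PodSecurity:/ { print "  PodSecurity: true"; done = 1; next }
        in_block && /^[^[:space:]]/ { if (!done) print "  PodSecurity: true"; done = 1; in_block = 0 }
        { print }
        END {
            if (!have) print "featureGates:\n  PodSecurity: true"
            else if (in_block && !done) print "  PodSecurity: true"
        }
    ' "$1" "$1" > "$1.tmp.$$" && mv "$1.tmp.$$" "$1"
}

case "${1:-demo}" in
    apply)  # live node: back up each file outside the manifests folder, then edit it
        mkdir -p "$BACKUP_DIR"
        for comp in kube-apiserver kube-controller-manager kube-scheduler; do
            cp -p "$MANIFEST_DIR/$comp.yaml" "$BACKUP_DIR/" && fix_manifest "$MANIFEST_DIR/$comp.yaml"
        done
        cp -p "$KUBELET_CONFIG" "$BACKUP_DIR/" && fix_kubelet_config "$KUBELET_CONFIG"
        echo "edited; static pods restart on their own, then restart the kubelet" ;;
    demo)   # constructed sample files (SomeGate is a placeholder name) to show the rewrite
        d=$(mktemp -d)
        printf 'spec:\n  containers:\n  - command:\n    - kube-apiserver\n    - --secure-port=6443\n' > "$d/m.yaml"
        printf 'kind: KubeletConfiguration\nfeatureGates:\n  SomeGate: true\ncgroupDriver: systemd\n' > "$d/k.yaml"
        fix_manifest "$d/m.yaml"; fix_kubelet_config "$d/k.yaml"
        cat "$d/m.yaml" "$d/k.yaml"; rm -rf "$d" ;;
esac
```

Running the script twice leaves the files unchanged, which is what makes it safe to include in a configuration-management run; the two-pass awk is what prevents the common mistake of inserting a second --feature-gates item when one already exists further down the argument list.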