MSR's self-signed certificates must be replaced with DOD trusted, signed certificates.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-260916 | CNTR-MK-000480 | SV-260916r966105_rule | CCI-000381 | medium |

Description

Self-signed certificates pose security risks, as they are not issued by a trusted third party. DOD trusted, signed certificates have undergone a validation process by a trusted CA, reducing the risk of man-in-the-middle attacks and unauthorized access. Using these certificates enhances the trust and authenticity of the communication between clients and the MSR server.

| STIG | Date |
|---|---|
| Mirantis Kubernetes Engine Security Technical Implementation Guide | 2024-08-27 |
Details
Check Text (C-260916r966105_chk)
If MSR is not being utilized, this is Not Applicable.
Check that MSR has been integrated with a trusted certificate authority (CA).
1. In one terminal window execute the following:

```
kubectl port-forward service/msr 8443:443
```

2. In a second terminal window execute the following:

```
openssl s_client -connect localhost:8443 -showcerts </dev/null
```
If the certificate chain in the output is not valid and does not match that of the trusted CA, then this is a finding.
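The check above leaves it to the reviewer to read the `openssl s_client` output by eye. The following script is an added example (not part of the STIG or of Mirantis tooling) that triages that output mechanically: it parses the `Certificate chain` block (the ` N s:` / `   i:` subject and issuer lines that `-showcerts` prints), flags a self-signed leaf, verifies each certificate's issuer is the next certificate's subject, checks that the chain terminates at a CA subject from an allow-list, and reads the `Verify return code` line. The two sample outputs are constructed and abbreviated (PEM bodies omitted), and the CA names in them are placeholders, not real DOD CA identifiers. For the `Verify return code` to be `0 (ok)` against a DOD CA, the host running the check needs the DOD CA bundle in its trust store or passed with `-CAfile`; that bundle path is an assumption of the reader's environment.

```python
"""Triage `openssl s_client -showcerts` output for the MSR trusted-CA check.

Added example; stdlib only. Sample outputs below are constructed and
abbreviated, and the CA subjects are placeholders.
"""
import re
from typing import Dict, List

# Constructed sample: what a self-signed MSR certificate looks like.
SELF_SIGNED_OUTPUT = """\
CONNECTED(00000003)
depth=0 O = Mirantis, CN = msr.example.internal
verify error:num=18:self-signed certificate
verify return:1
---
Certificate chain
 0 s:O = Mirantis, CN = msr.example.internal
   i:O = Mirantis, CN = msr.example.internal
-----BEGIN CERTIFICATE-----
MIIB...(omitted)
-----END CERTIFICATE-----
---
Server certificate
subject=O = Mirantis, CN = msr.example.internal
issuer=O = Mirantis, CN = msr.example.internal
---
Verify return code: 18 (self-signed certificate)
---
"""

# Constructed sample: a chain issued by a (placeholder) trusted CA hierarchy.
TRUSTED_CHAIN_OUTPUT = """\
CONNECTED(00000003)
depth=2 O = Example DOD, CN = PLACEHOLDER DOD ROOT CA
verify return:1
---
Certificate chain
 0 s:O = Mirantis, CN = msr.example.internal
   i:O = Example DOD, CN = PLACEHOLDER DOD INTERMEDIATE CA
-----BEGIN CERTIFICATE-----
MIIB...(omitted)
-----END CERTIFICATE-----
 1 s:O = Example DOD, CN = PLACEHOLDER DOD INTERMEDIATE CA
   i:O = Example DOD, CN = PLACEHOLDER DOD ROOT CA
-----BEGIN CERTIFICATE-----
MIIB...(omitted)
-----END CERTIFICATE-----
---
Verify return code: 0 (ok)
---
"""

# Allow-list of root CA subjects the organisation trusts (placeholder value).
TRUSTED_ROOT_SUBJECTS = {"O = Example DOD, CN = PLACEHOLDER DOD ROOT CA"}

CHAIN_SUBJECT = re.compile(r"^\s*(\d+) s:(.*)$")
CHAIN_ISSUER = re.compile(r"^\s*i:(.*)$")
VERIFY_CODE = re.compile(r"^Verify return code: (\d+) \((.*)\)$", re.MULTILINE)


def parse_chain(output: str) -> List[Dict[str, str]]:
    """Return [{depth, subject, issuer}, ...] from the 'Certificate chain' block."""
    lines = output.splitlines()
    chain = []
    for idx, line in enumerate(lines):
        m = CHAIN_SUBJECT.match(line)
        if m and idx + 1 < len(lines):
            mi = CHAIN_ISSUER.match(lines[idx + 1])
            if mi:
                chain.append({"depth": int(m.group(1)),
                              "subject": m.group(2).strip(),
                              "issuer": mi.group(1).strip()})
    return chain


def assess(output: str, trusted_roots=TRUSTED_ROOT_SUBJECTS) -> List[str]:
    """Return a list of findings; an empty list means the chain passes this triage."""
    findings = []
    chain = parse_chain(output)
    if not chain:
        return ["no certificate chain found in s_client output"]
    leaf = chain[0]
    if leaf["subject"] == leaf["issuer"]:
        findings.append("leaf certificate is self-signed")
    # Each certificate must be issued by the next one presented.
    for lower, upper in zip(chain, chain[1:]):
        if lower["issuer"] != upper["subject"]:
            findings.append(f"chain break at depth {lower['depth']}")
    # The last issuer must be a CA the organisation trusts.
    if chain[-1]["issuer"] not in trusted_roots:
        findings.append("chain does not terminate at a trusted CA")
    m = VERIFY_CODE.search(output)
    if m is None:
        findings.append("no 'Verify return code' line in output")
    elif m.group(1) != "0":
        findings.append(f"openssl verification failed: {m.group(2)}")
    return findings


if __name__ == "__main__":
    for name, out in (("self-signed", SELF_SIGNED_OUTPUT), ("trusted", TRUSTED_CHAIN_OUTPUT)):
        result = assess(out)
        print(name, "->", "FINDING" if result else "pass", result)
```

In practice, pipe the real output into `assess()` (for example, `assess(sys.stdin.read())`) after replacing the placeholder allow-list with the subjects of the CAs your organisation actually trusts; the allow-list check is what catches a chain that verifies cleanly against the host trust store but still ends at a non-DOD root.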
Fix Text (F-64553r966104_fix)
If MSR is not being utilized, this is Not Applicable.
Ensure the certificates are from a trusted DOD CA.
1. Add the secret to the cluster by executing the following:

```
kubectl create secret tls <secret-name> --key <keyfile>.pem --cert <certfile>.pem
```

2. Update MSR with the custom certificate by executing the following:

```
helm upgrade msr [REPO_NAME]/msr --version <helm-chart-version> \
  --set-file license=path/to/file/license.lic \
  --set nginx.webtls.create=false \
  --set nginx.webtls.secretName="<secret-name>"
```