Configure "Kubernetes" to organizational standards.


CONTROL ID
14528
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

This Control has the following implementation support Control(s):
  • Configure the "ImagePolicyWebhook" admission controller to organizational standards., CC ID: 14657
  • Configure the "allowedCapabilities" to organizational standards., CC ID: 14653
  • Configure the "allowPrivilegeEscalation" flag to organizational standards., CC ID: 14645
  • Configure the "Security Context" to organizational standards., CC ID: 14656
  • Configure the "cluster-admin" role to organizational standards., CC ID: 14642
  • Configure the "automountServiceAccountToken" to organizational standards., CC ID: 14639
  • Configure the "audit-log-maxsize" argument to organizational standards., CC ID: 14624
  • Configure the "seccomp" profile to organizational standards., CC ID: 14652
  • Configure the "securityContext.privileged" flag to organizational standards., CC ID: 14641
  • Configure the "audit-log-path" argument to organizational standards., CC ID: 14622
  • Configure the "audit-log-maxbackup" argument to organizational standards., CC ID: 14613
  • Configure the "audit-policy-file" to organizational standards., CC ID: 14610
  • Configure the "audit-log-maxage" argument to organizational standards., CC ID: 14605
  • Configure the "bind-address" argument to organizational standards., CC ID: 14601
  • Configure the "request-timeout" argument to organizational standards., CC ID: 14583
  • Configure the "secure-port" argument to organizational standards., CC ID: 14582
  • Configure the "service-account-key-file" argument to organizational standards., CC ID: 14581
  • Configure the "insecure-bind-address" argument to organizational standards., CC ID: 14580
  • Configure the "service-account-lookup" argument to organizational standards., CC ID: 14579
  • Configure the "admission control plugin PodSecurityPolicy" to organizational standards., CC ID: 14578
  • Configure the "profiling" argument to organizational standards., CC ID: 14577
  • Configure the "hostNetwork" flag to organizational standards., CC ID: 14649
  • Configure the "hostPID" flag to organizational standards., CC ID: 14648
  • Configure the "etcd-certfile" argument to organizational standards., CC ID: 14584
  • Configure the "runAsUser.rule" to organizational standards., CC ID: 14651
  • Configure the "requiredDropCapabilities" to organizational standards., CC ID: 14650
  • Configure the "hostIPC" flag to organizational standards., CC ID: 14643
  • Configure the "admission control plugin ServiceAccount" to organizational standards., CC ID: 14576
  • Configure the "insecure-port" argument to organizational standards., CC ID: 14575
  • Configure the "admission control plugin AlwaysPullImages" to organizational standards., CC ID: 14574
  • Configure the "pod" to organizational standards., CC ID: 14644
  • Configure the "ClusterRoles" to organizational standards., CC ID: 14637
  • Configure the "event-qps" argument to organizational standards., CC ID: 14633
  • Configure the "Kubelet" to organizational standards., CC ID: 14635
  • Configure the "NET_RAW" to organizational standards., CC ID: 14647
  • Configure the "make-iptables-util-chains" argument to organizational standards., CC ID: 14638
  • Configure the "hostname-override" argument to organizational standards., CC ID: 14631
  • Configure the "admission control plugin NodeRestriction" to organizational standards., CC ID: 14573
  • Configure the "admission control plugin AlwaysAdmit" to organizational standards., CC ID: 14572
  • Configure the "etcd-cafile" argument to organizational standards., CC ID: 14592
  • Configure the "encryption-provider-config" argument to organizational standards., CC ID: 14587
  • Configure the "rotate-certificates" argument to organizational standards., CC ID: 14640
  • Configure the "etcd-keyfile" argument to organizational standards., CC ID: 14586
  • Configure the "client-ca-file" argument to organizational standards., CC ID: 14585
  • Configure the "kube-apiserver" to organizational standards., CC ID: 14589
  • Configure the "tls-private-key-file" argument to organizational standards., CC ID: 14590
  • Configure the "streaming-connection-idle-timeout" argument to organizational standards., CC ID: 14634
  • Configure the "RotateKubeletServerCertificate" argument to organizational standards., CC ID: 14626
  • Configure the "protect-kernel-defaults" argument to organizational standards., CC ID: 14629
  • Configure the "read-only-port" argument to organizational standards., CC ID: 14627
  • Configure the "admission control plugin NamespaceLifecycle" to organizational standards., CC ID: 14571
  • Configure the "terminated-pod-gc-threshold" argument to organizational standards., CC ID: 14593
  • Configure the "tls-cert-file" argument to organizational standards., CC ID: 14588
  • Configure the "kubelet-certificate-authority" argument to organizational standards., CC ID: 14570
  • Configure the "service-account-private-key-file" argument to organizational standards., CC ID: 14607
  • Configure the "admission control plugin SecurityContextDeny" to organizational standards., CC ID: 14569
  • Configure the "kubelet-client-certificate" argument to organizational standards., CC ID: 14568
  • Configure the "root-ca-file" argument to organizational standards., CC ID: 14599
  • Configure the "admission control plugin EventRateLimit" to organizational standards., CC ID: 14567
  • Configure the "use-service-account-credentials" argument to organizational standards., CC ID: 14594
  • Configure the "token-auth-file" argument to organizational standards., CC ID: 14566
  • Configure the "authorization-mode" argument to organizational standards., CC ID: 14565
  • Configure the "anonymous-auth" argument to organizational standards., CC ID: 14564
  • Configure the "kubelet-client-key" argument to organizational standards., CC ID: 14563
  • Configure the "kubelet-https" argument to organizational standards., CC ID: 14561
  • Configure the "basic-auth-file" argument to organizational standards., CC ID: 14559
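
Most of the kube-apiserver items in the list above are command-line arguments, and on a kubeadm-built control plane they sit in one file, the static pod manifest, so checking them against a baseline is a matter of parsing that file. The POSIX shell script below is an added example written for this page; it is not part of the control page, of Kubernetes, or of any benchmark tooling. It reads each argument from a kubeadm-style manifest and compares it with an assumed baseline (anonymous-auth=false, profiling=false, service-account-lookup=true, no basic-auth-file or token-auth-file, no AlwaysAllow authorizer, TLS, etcd client and kubelet client material present, an encryption provider configured). Those expected values are assumptions drawn from widely used hardening guidance; the page itself only requires each setting to match "organizational standards" and names no values. The two manifests embedded in the script are constructed samples, not files from a real cluster.

```shell
#!/usr/bin/env sh
# Added example: audit kube-apiserver flags in a static pod manifest against
# an assumed hardening baseline. The control page names no expected values;
# the ones below are assumptions drawn from common hardening guidance.

# Print the value of --FLAG from MANIFEST, or nothing if it is absent.
# Understands the kubeadm static-pod layout: one "- --flag=value" per line.
apiserver_flag() {
  manifest="$1"; flag="$2"
  grep -E -- "^[[:space:]]*-[[:space:]]*--${flag}=" "$manifest" \
    | head -n 1 | cut -d= -f2- | sed 's/[[:space:]]*$//'
}

# Check one flag. MODE is eq (must equal EXPECTED), set (must be present),
# unset (must be absent) or excludes (value must not contain EXPECTED).
# Prints a PASS/FAIL line and returns 0 on pass, 1 on fail.
check_flag() {
  manifest="$1"; mode="$2"; flag="$3"; expected="$4"
  actual="$(apiserver_flag "$manifest" "$flag")"
  ok=1
  case "$mode" in
    eq)       [ "$actual" = "$expected" ] && ok=0 ;;
    set)      [ -n "$actual" ] && ok=0 ;;
    unset)    [ -z "$actual" ] && ok=0 ;;
    excludes) if [ -n "$actual" ] && ! printf '%s\n' "$actual" | grep -q -- "$expected"; then ok=0; fi ;;
  esac
  if [ "$ok" -eq 0 ]; then
    echo "PASS  --$flag [$mode${expected:+ $expected}]"
  else
    echo "FAIL  --$flag [$mode${expected:+ $expected}] value='${actual:-<unset>}'"
  fi
  return "$ok"
}

# Audit MANIFEST against the assumed baseline. Returns the number of
# failing checks, so 0 means every check passed.
audit_apiserver() {
  manifest="$1"; fails=0
  for spec in \
    "eq anonymous-auth false" "eq profiling false" "eq service-account-lookup true" \
    "unset basic-auth-file" "unset token-auth-file" \
    "excludes authorization-mode AlwaysAllow" \
    "set client-ca-file" "set tls-cert-file" "set tls-private-key-file" \
    "set etcd-cafile" "set etcd-certfile" "set etcd-keyfile" \
    "set kubelet-client-certificate" "set kubelet-client-key" \
    "set service-account-key-file" "set encryption-provider-config"; do
    # word splitting of $spec into mode/flag/expected is intended
    check_flag "$manifest" $spec || fails=$((fails + 1))
  done
  return "$fails"
}

# Constructed sample manifests (not taken from a real cluster): one that
# meets the assumed baseline and one with common weaknesses.
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/hardened.yaml" <<'EOF'
apiVersion: v1
kind: Pod
spec:
  containers:
  - command:
    - kube-apiserver
    - --anonymous-auth=false
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --encryption-provider-config=/etc/kubernetes/enc/enc.yaml
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --profiling=false
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-account-lookup=true
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
EOF
cat > "$SAMPLE_DIR/weak.yaml" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --anonymous-auth=true
    - --authorization-mode=AlwaysAllow
    - --basic-auth-file=/etc/kubernetes/basic_auth.csv
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --profiling=true
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
EOF

# Against a real control plane: audit_apiserver /etc/kubernetes/manifests/kube-apiserver.yaml
audit_apiserver "$SAMPLE_DIR/weak.yaml" || echo "$? check(s) failed"
```

Two caveats when applying this to the full list above. First, the script only reads the `- --flag=value` form that kubeadm writes; clusters that pass arguments through a config file, a systemd unit or a managed control plane need a different collection step, and the pod-level items (hostPID, hostNetwork, allowPrivilegeEscalation, seccomp and so on) are properties of workloads, not of the API server, so they are audited from `kubectl get pods -A -o json` rather than from this manifest. Second, several listed arguments no longer exist in current releases: `--basic-auth-file` was removed in Kubernetes 1.19, `--insecure-port` and `--insecure-bind-address` in 1.24, and the PodSecurityPolicy admission plugin in 1.25, so for those the compliant state on a modern cluster is simply that the flag or plugin is absent.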


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Orchestration platforms should be configured to provide features that create a secure environment for all the apps they run. Orchestrators should ensure that nodes are securely introduced to the cluster, have a persistent identity throughout their lifecycle, and can also provide an accurate inventor… (4.3.5 ¶ 1, NIST SP 800-190, Application Container Security Guide)