Configure "Kubernetes" to organizational standards.
CONTROL ID 14528
CONTROL TYPE Configuration
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Establish, implement, and maintain system hardening procedures., CC ID: 12001
This Control has the following implementation support Control(s):
Configure the "ImagePolicyWebhook" admission controller to organizational standards., CC ID: 14657
Configure the "allowedCapabilities" to organizational standards., CC ID: 14653
Configure the "allowPrivilegeEscalation" flag to organizational standards., CC ID: 14645
Configure the "Security Context" to organizational standards., CC ID: 14656
Configure the "cluster-admin" role to organizational standards., CC ID: 14642
Configure the "automountServiceAccountToken" to organizational standards., CC ID: 14639
Configure the "audit-log-maxsize" argument to organizational standards., CC ID: 14624
Configure the "seccomp" profile to organizational standards., CC ID: 14652
Configure the "securityContext.privileged" flag to organizational standards., CC ID: 14641
Configure the "audit-log-path" argument to organizational standards., CC ID: 14622
Configure the "audit-log-maxbackup" argument to organizational standards., CC ID: 14613
Configure the "audit-policy-file" to organizational standards., CC ID: 14610
Configure the "audit-log-maxage" argument to organizational standards., CC ID: 14605
Configure the "bind-address" argument to organizational standards., CC ID: 14601
Configure the "request-timeout" argument to organizational standards., CC ID: 14583
Configure the "secure-port" argument to organizational standards., CC ID: 14582
Configure the "service-account-key-file" argument to organizational standards., CC ID: 14581
Configure the "insecure-bind-address" argument to organizational standards., CC ID: 14580
Configure the "service-account-lookup" argument to organizational standards., CC ID: 14579
Configure the "admission control plugin PodSecurityPolicy" to organizational standards., CC ID: 14578
Configure the "profiling" argument to organizational standards., CC ID: 14577
Configure the "hostNetwork" flag to organizational standards., CC ID: 14649
Configure the "hostPID" flag to organizational standards., CC ID: 14648
Configure the "etcd-certfile" argument to organizational standards., CC ID: 14584
Configure the "runAsUser.rule" to organizational standards., CC ID: 14651
Configure the "requiredDropCapabilities" to organizational standards., CC ID: 14650
Configure the "hostIPC" flag to organizational standards., CC ID: 14643
Configure the "admission control plugin ServiceAccount" to organizational standards., CC ID: 14576
Configure the "insecure-port" argument to organizational standards., CC ID: 14575
Configure the "admission control plugin AlwaysPullImages" to organizational standards., CC ID: 14574
Configure the "pod" to organizational standards., CC ID: 14644
Configure the "ClusterRoles" to organizational standards., CC ID: 14637
Configure the "event-qps" argument to organizational standards., CC ID: 14633
Configure the "Kubelet" to organizational standards., CC ID: 14635
Configure the "NET_RAW" to organizational standards., CC ID: 14647
Configure the "make-iptables-util-chains" argument to organizational standards., CC ID: 14638
Configure the "hostname-override" argument to organizational standards., CC ID: 14631
Configure the "admission control plugin NodeRestriction" to organizational standards., CC ID: 14573
Configure the "admission control plugin AlwaysAdmit" to organizational standards., CC ID: 14572
Configure the "etcd-cafile" argument to organizational standards., CC ID: 14592
Configure the "encryption-provider-config" argument to organizational standards., CC ID: 14587
Configure the "rotate-certificates" argument to organizational standards., CC ID: 14640
Configure the "etcd-keyfile" argument to organizational standards., CC ID: 14586
Configure the "client-ca-file" argument to organizational standards., CC ID: 14585
Configure the "kube-apiserver" to organizational standards., CC ID: 14589
Configure the "tls-private-key-file" argument to organizational standards., CC ID: 14590
Configure the "streaming-connection-idle-timeout" argument to organizational standards., CC ID: 14634
Configure the "RotateKubeletServerCertificate" argument to organizational standards., CC ID: 14626
Configure the "protect-kernel-defaults" argument to organizational standards., CC ID: 14629
Configure the "read-only-port" argument to organizational standards., CC ID: 14627
Configure the "admission control plugin NamespaceLifecycle" to organizational standards., CC ID: 14571
Configure the "terminated-pod-gc-threshold" argument to organizational standards., CC ID: 14593
Configure the "tls-cert-file" argument to organizational standards., CC ID: 14588
Configure the "kubelet-certificate-authority" argument to organizational standards., CC ID: 14570
Configure the "service-account-private-key-file" argument to organizational standards., CC ID: 14607
Configure the "admission control plugin SecurityContextDeny" to organizational standards., CC ID: 14569
Configure the "kubelet-client-certificate" argument to organizational standards., CC ID: 14568
Configure the "root-ca-file" argument to organizational standards., CC ID: 14599
Configure the "admission control plugin EventRateLimit" to organizational standards., CC ID: 14567
Configure the "use-service-account-credentials" argument to organizational standards., CC ID: 14594
Configure the "token-auth-file" argument to organizational standards., CC ID: 14566
Configure the "authorization-mode" argument to organizational standards., CC ID: 14565
Configure the "anonymous-auth" argument to organizational standards., CC ID: 14564
Configure the "kubelet-client-key" argument to organizational standards., CC ID: 14563
Configure the "kubelet-https" argument to organizational standards., CC ID: 14561
Configure the "basic-auth-file" argument to organizational standards., CC ID: 14559
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
Orchestration platforms should be configured to provide features that create a secure environment for all the apps they run. Orchestrators should ensure that nodes are securely introduced to the cluster, have a persistent identity throughout their lifecycle, and can also provide an accurate inventor… (4.3.5 ¶ 1, NIST SP 800-190, Application Container Security Guide)