################################################################################
DOCUMENT         : Kubernetes_STIG
VERSION          : 002.003.002
CHECKSUM         : 1a89584544543ceaffc00933ca3ed5fdb80e0d13051049a7a6c0fadf1c1eb17d
MANUAL QUESTIONS : 32

IMPORTANT: Make sure to save the completed version of this file to: 
<SCC Install>/Resources/Content/Manual_Questions/Completed_Files

This file contains all of the non-automated STIG requirements found in the STIG.
Results from this file will be combined with automated checks in SCC to provide
complete STIG compliance results.

This file will be programmatically imported, so do not modify anything in this file
except for placing an '[X]' to select a Single answer, and entering text comments.

The list of questions is printed in order of severity, listing CAT I (High), then CAT II, etc.

################################################################################

QUESTION         : 1 of 32
TITLE            : CAT I, V-242383, SV-242383r960801, SRG-APP-000038-CTR-000105
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:1501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:1501
RULE             : User-managed resources must be created in dedicated namespaces.
QUESTION_TEXT    : To view the available namespaces, run the command:

kubectl get namespaces

The namespaces to validate are default, kube-public, and kube-node-lease (if it exists).

For the default namespace, execute the commands:

kubectl config set-context --current --namespace=default
kubectl get all

For the kube-public namespace, execute the commands:

kubectl config set-context --current --namespace=kube-public
kubectl get all

For the kube-node-lease namespace, execute the commands:

kubectl config set-context --current --namespace=kube-node-lease
kubectl get all

The only acceptable results are the kubernetes service (i.e., service/kubernetes) or no resources at all.

If "kubectl get all" returns any resource other than the kubernetes service (i.e., service/kubernetes), this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 1 *******************************
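A shell function that applies this rule to the text "kubectl get all" prints, added here as a worked example; it is not part of the STIG or of SCC. It reads the command output on stdin, the usage comments pass -n to kubectl instead of rewriting the kubeconfig's current context with "kubectl config set-context", and the two sample outputs are constructed:

```sh
# namespace_findings NAMESPACE  <  output of "kubectl get all -n NAMESPACE"
# Prints every resource except the one the rule permits; returns 1 if any was printed.
# Live use (-n keeps the kubeconfig's current context untouched):
#   kubectl get all -n default         | namespace_findings default
#   kubectl get all -n kube-public     | namespace_findings kube-public
#   kubectl get all -n kube-node-lease | namespace_findings kube-node-lease
namespace_findings() {
  awk -v ns="$1" '
    NF == 0 || $1 == "NAME"    { next }   # blank separators and column headers
    $1 == "service/kubernetes" { next }   # the only object the rule allows
    { print "finding in " ns ": " $1; found = 1 }
    END { exit found ? 1 : 0 }'
}

# count_findings NAMESPACE TEXT: number of findings in a captured output
# (the pipeline always succeeds, so it is safe under "set -e")
count_findings() { printf '%s\n' "$2" | namespace_findings "$1" | wc -l | tr -d ' '; }

# Constructed sample outputs in the layout "kubectl get all" uses.
CLEAN_DEFAULT='NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
service/kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   12d'

DIRTY_DEFAULT='NAME                          READY   STATUS    RESTARTS   AGE
pod/debug-7c9d5b6f4-xk2lp     1/1     Running   0          3h

NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
service/kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   12d

NAME                    READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/debug   1/1     1            1           3h

NAME                              DESIRED   CURRENT   READY   AGE
replicaset.apps/debug-7c9d5b6f4   1         1         1       3h'

# Demo: the clean output yields 0 findings, the dirty one 3 (pod, deployment, replicaset).
printf '%s\n' "$CLEAN_DEFAULT" | namespace_findings default && echo "default: clean"
printf '%s\n' "$DIRTY_DEFAULT" | namespace_findings default || echo "default: $(count_findings default "$DIRTY_DEFAULT") findings"
```

Two caveats. "kubectl get all" only covers a fixed set of workload types (pods, services, deployments, replicasets, statefulsets, daemonsets, jobs, cronjobs, replicationcontrollers); ConfigMaps, Secrets, Roles, Ingresses and Leases are never listed, so the check as written cannot see them. For a fuller sweep of a namespace run "kubectl api-resources --verbs=list --namespaced -o name | xargs -n 1 kubectl get -n default --ignore-not-found -o name"; that sweep will also show system-created objects that "kubectl get all" never lists and the rule therefore does not flag, such as the kubeadm cluster-info ConfigMap in kube-public and one Lease per node in kube-node-lease.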

QUESTION         : 2 of 32
TITLE            : CAT I, V-242387, SV-242387r960792, SRG-APP-000033-CTR-000095
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:2301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:2301
RULE             : The Kubernetes Kubelet must have the "readOnlyPort" flag disabled.
QUESTION_TEXT    : On each Control Plane and Worker Node, run the command:
ps -ef | grep kubelet

If the "--read-only-port" option exists, this is a finding. 

Note the path to the config file (identified by --config).

Run the command:
grep -i readOnlyPort <path_to_config_file>

If the setting "readOnlyPort" exists and is not set to "0", this is a finding.

References:
CCI-000213
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 2 *******************************

QUESTION         : 3 of 32
TITLE            : CAT I, V-242391, SV-242391r960792, SRG-APP-000033-CTR-000090
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:3101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:3101
RULE             : The Kubernetes Kubelet must have anonymous authentication disabled.
QUESTION_TEXT    : On each Control Plane and Worker Node, run the command:
ps -ef | grep kubelet

If the "--anonymous-auth" option exists, this is a finding. 

Note the path to the config file (identified by --config).

Inspect the content of the config file:
Locate the "anonymous" section under "authentication". If the "enabled" field in that section is missing or is set to "true", this is a finding.

References:
CCI-000213
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 3 *******************************

QUESTION         : 4 of 32
TITLE            : CAT I, V-242392, SV-242392r1069461, SRG-APP-000033-CTR-000095
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:3301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:3301
RULE             : The Kubernetes kubelet must enable explicit authorization.
QUESTION_TEXT    : Run the following command on each Worker Node:
ps -ef | grep kubelet
Verify that --authorization-mode exists and is set to "Webhook".

If the --authorization-mode argument is not set to "Webhook" or does not exist, this is a finding.

Note: kubeadm-built nodes normally carry this setting in the KubeletConfiguration file identified by --config (an "authorization:" section with "mode: Webhook") rather than on the command line. Check that file as well; the mode must be "Webhook" wherever it is set, and "AlwaysAllow" in either place is a finding.

References:
CCI-000213
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 4 *******************************

QUESTION         : 5 of 32
TITLE            : CAT I, V-242397, SV-242397r1069464, SRG-APP-000033-CTR-000090
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:4301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:4301
RULE             : The Kubernetes kubelet staticPodPath must not enable static pods.
QUESTION_TEXT    : If staticPodPath is missing from both the Kubelet config file and the systemd/command-line arguments, the node does not support static pods.

1. Find the staticPodPath setting on the Worker nodes:

   a. On each Worker node, run the command:
      ps -ef | grep kubelet

   b. Note the path to the Kubelet configuration file (identified by --config).
      (/var/lib/kubelet/config.yaml is the common location.)

   c. Run the command:
      grep -i staticPodPath <path_to_config_file>

   If any Worker node returns a value for "staticPodPath", this is a finding.

   If staticPodPath is not in the config file, check whether it is set as a command-line argument.

2. Check the Kubelet systemd service arguments:

   a. Run the following command to inspect the Kubelet service:
      sudo systemctl cat kubelet | grep pod-manifest-path

   If there is no output, staticPodPath is not set in the systemd arguments.

   If anything is returned, this is a finding.

   (Example return: ExecStart=/usr/bin/kubelet --pod-manifest-path=/etc/kubernetes/manifests
   This means static pods are loaded from /etc/kubernetes/manifests.)

Note: this check applies to Worker nodes only. Control Plane nodes built with kubeadm run the API server, controller manager, scheduler and etcd as static pods and require staticPodPath there.

References:
CCI-000213
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 5 *******************************
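One script that applies the four kubelet checks above (V-242387, V-242391, V-242392 and V-242397) to a node's kubelet command line and --config file, added as a worked example; it is not part of the STIG or SCC. The two KubeletConfiguration fixtures and the command lines are constructed, the "ps -o args= -C kubelet" hint in the comments assumes Linux procps, and the small awk reader handles only the flat "key: value" layout of a KubeletConfiguration, not YAML in general:

```sh
# yaml_get FILE DOTTED.PATH: print the scalar at a dotted key path in a "key: value"
# YAML file with 2-space indentation. Enough for a KubeletConfiguration; list items
# are skipped and it is not a general YAML parser.
yaml_get() {
  awk -v want="$2" '
    /^[ ]*#/ || /^[ ]*$/ || /^[ ]*- / { next }
    {
      match($0, /^ */); depth = RLENGTH / 2
      line = substr($0, RLENGTH + 1)
      key = line; sub(/:.*/, "", key)
      val = line; sub(/^[^:]*:[ ]*/, "", val)
      path[depth] = key
      p = path[0]; for (i = 1; i <= depth; i++) p = p "." path[i]
      if (p == want && val != "") { print val; exit }
    }' "$1"
}

# kubelet_findings "<kubelet command line>" CONFIG_FILE worker|control-plane
# Prints one line per finding; returns 1 if there were any, 0 otherwise.
# Live use on Linux:
#   cmd=$(ps -o args= -C kubelet)
#   cfg=$(printf '%s\n' "$cmd" | sed -n 's/.*--config[= ]\([^ ]*\).*/\1/p')
#   kubelet_findings "$cmd" "$cfg" worker
kubelet_findings() {
  cmd=$1; cfg=$2; role=$3; n=0
  note() { echo "$1"; n=$((n + 1)); }

  # V-242387: the read-only port is off, and the setting lives only in the config file
  case " $cmd " in *" --read-only-port"*) note "V-242387: --read-only-port given on the command line";; esac
  v=$(yaml_get "$cfg" readOnlyPort)
  [ -z "$v" ] || [ "$v" = 0 ] || note "V-242387: readOnlyPort=$v in $cfg (must be 0)"

  # V-242391: anonymous authentication explicitly disabled in the config file
  case " $cmd " in *" --anonymous-auth"*) note "V-242391: --anonymous-auth given on the command line";; esac
  v=$(yaml_get "$cfg" authentication.anonymous.enabled)
  [ "$v" = false ] || note "V-242391: authentication.anonymous.enabled=${v:-missing} (must be false)"

  # V-242392: authorization mode Webhook, from the flag (as the STIG text reads it)
  # or from the config file (where kubeadm puts it)
  mode=$(printf '%s\n' "$cmd" | sed -n 's/.*--authorization-mode[= ]\([^ ]*\).*/\1/p')
  [ -n "$mode" ] || mode=$(yaml_get "$cfg" authorization.mode)
  [ "$mode" = Webhook ] || note "V-242392: kubelet authorization mode is ${mode:-unset} (must be Webhook)"

  # V-242397: worker nodes must not serve static pods (kubeadm control-plane nodes
  # need staticPodPath for the control-plane components themselves)
  if [ "$role" = worker ]; then
    case " $cmd " in *" --pod-manifest-path"*) note "V-242397: --pod-manifest-path given on the command line";; esac
    v=$(yaml_get "$cfg" staticPodPath)
    [ -z "$v" ] || note "V-242397: staticPodPath=$v on a worker node"
  fi
  [ "$n" -eq 0 ]
}

# Constructed fixtures: one node configured the wrong way, one the right way.
tmp=$(mktemp -d)
cat > "$tmp/bad.yaml" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
readOnlyPort: 10255
staticPodPath: /etc/kubernetes/manifests
authentication:
  anonymous:
    enabled: true
  webhook:
    enabled: true
authorization:
  mode: AlwaysAllow
EOF
cat > "$tmp/good.yaml" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
readOnlyPort: 0
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
authorization:
  mode: Webhook
EOF
BAD_CMD="/usr/bin/kubelet --config=$tmp/bad.yaml --read-only-port=10255 --anonymous-auth=true --pod-manifest-path=/etc/kubernetes/manifests"
GOOD_CMD="/usr/bin/kubelet --config=$tmp/good.yaml --kubeconfig=/etc/kubernetes/kubelet.conf"

# Demo: seven findings for the bad worker node, none for the good one.
kubelet_findings "$BAD_CMD"  "$tmp/bad.yaml"  worker || echo "-> bad worker node has findings"
kubelet_findings "$GOOD_CMD" "$tmp/good.yaml" worker && echo "-> good worker node is clean"
```

Run it once per node with the role argument matching the node: the same bad configuration yields five findings for a control-plane node, because the static-pod checks are skipped there.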

QUESTION         : 6 of 32
TITLE            : CAT I, V-242415, SV-242415r1069466, SRG-APP-000171-CTR-000435
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:7701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:7701
RULE             : Secrets in Kubernetes must not be stored as environment variables.
QUESTION_TEXT    : Follow these steps to check, from the Kubernetes control plane, if secrets are stored as environment variables.

1. Find All Pods Using Secrets in Environment Variables.

To list all pods using secrets as environment variables, execute:

kubectl get pods --all-namespaces -o yaml | grep -A5 "secretKeyRef"

If any matches are returned, a container is receiving a Secret as an environment variable, and this is a finding. ("secretKeyRef" only occurs under "env:"/"valueFrom:"; add -B5 to see the variable name. Also grep for "secretRef" under "envFrom:", which injects every key of a Secret as environment variables and is a finding for the same reason.)

2. Check Environment Variables in a Specific Pod.

To check if a specific pod is using secrets as environment variables, execute:

kubectl get pods -n <namespace>
(Replace <namespace> with the actual namespace, or omit -n <namespace> to check in the default namespace.)
kubectl describe pod <pod-name> -n <namespace> | grep -A5 "Environment:"

If secrets are used, output like the following will be displayed:

Environment:
  SECRET_USERNAME:   <set from secret: my-secret key: username>
  SECRET_PASSWORD:   <set from secret: my-secret key: password>

If the output is similar to this, the pod is using Kubernetes secrets as environment variables, and this is a finding.

3. Check the Pod YAML for Secret Usage.

To check the full YAML definition for environment variables, execute:

kubectl get pod <pod-name> -n <namespace> -o yaml | grep -A5 "env:"

Example output:
env:
  - name: SECRET_USERNAME
    valueFrom:
      secretKeyRef:
        name: my-secret
        key: username

This means the pod is pulling the secret named my-secret and setting SECRET_USERNAME from its username key.

If the pod is pulling a secret and setting an environment variable in the "env:", this is a finding.

4. Check Secrets in a Deployment, StatefulSet, or DaemonSet.

If the pod is managed by a Deployment, StatefulSet, or DaemonSet, check their configurations:

kubectl get deployment <deployment-name> -n <namespace> -o yaml | grep -A5 "env:"

or

For all Deployments in all namespaces:

kubectl get deployments --all-namespaces -o yaml | grep -A5 "env:"

If the pod is pulling a secret and setting an environment variable in the "env:", this is a finding.

5. Check Environment Variables Inside a Running Pod.

If needed, confirm from inside a running container which variables are set:

kubectl exec -it <pod-name> -n <namespace> -- env | grep SECRET

If any variable holds a value taken from a Kubernetes Secret, this is a finding. (The grep pattern only catches variable names containing "SECRET"; adjust it to the names found in step 3, since names such as DB_PASSWORD or API_KEY would otherwise be missed.)

References:
CCI-004062
CCI-000196
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 6 *******************************
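A scanner for the YAML that "kubectl get pods -A -o yaml" prints, added as a worked example (not STIG or SCC code), covering steps 1 and 4 above in one pass. It reports the env/valueFrom/secretKeyRef form and also envFrom/secretRef, which injects every key of a Secret and which a grep for "secretKeyRef" misses. It assumes the List layout kubectl uses for multi-object output (item metadata indented two spaces); the pod list below is constructed:

```sh
# secret_env_findings  <  "kubectl get pods -A -o yaml"  (or deploy,sts,ds -A -o yaml)
# Prints "namespace/pod: env VAR <- Secret NAME" or "...: envFrom <- Secret NAME"
# for every Secret injected into a container environment; returns 1 if any.
secret_env_findings() {
  awk '
    /^  metadata:/               { inmeta = 1; next }   # items[].metadata in List output
    inmeta && /^    name: /      { pod = $2; next }
    inmeta && /^    namespace: / { ns = $2; next }
    inmeta && /^  [a-z]/         { inmeta = 0 }         # next top-level key of the item
    /^ *- name: /                { var = $3 }           # env entry (or any named list item)
    /secretKeyRef:/              { pending = "env " var; next }
    /^ *- secretRef:/            { pending = "envFrom"; next }
    pending != "" && /^ *name: / { print ns "/" pod ": " pending " <- Secret " $2; pending = ""; found = 1 }
    END { exit found ? 1 : 0 }'
}

# Constructed pod list: web-0 injects a Secret two ways, clean-0 mounts it as a file.
SAMPLE_PODS='apiVersion: v1
items:
- apiVersion: v1
  kind: Pod
  metadata:
    name: web-0
    namespace: prod
  spec:
    containers:
    - env:
      - name: DB_PASSWORD
        valueFrom:
          secretKeyRef:
            key: password
            name: db-creds
      - name: LOG_LEVEL
        value: info
      envFrom:
      - secretRef:
          name: api-keys
      image: registry.example/web:1.4
      name: web
- apiVersion: v1
  kind: Pod
  metadata:
    name: clean-0
    namespace: prod
  spec:
    containers:
    - env:
      - name: REGION
        valueFrom:
          configMapKeyRef:
            key: region
            name: app-settings
      image: registry.example/clean:2.0
      name: clean
      volumeMounts:
      - mountPath: /var/run/secrets/db
        name: db-creds
        readOnly: true
    volumes:
    - name: db-creds
      secret:
        secretName: db-creds
kind: List'

# Demo: two findings for web-0, none for clean-0.
printf '%s\n' "$SAMPLE_PODS" | secret_env_findings || echo "-> Secrets exposed as environment variables"
```

The second pod receives the same Secret as a mounted file, which the scanner does not report; that is the usual replacement for environment injection, since a mounted file is not inherited by child processes or dumped by crash reporters the way the environment is. Run the same function over "kubectl get deploy,sts,ds -A -o yaml" to cover step 4, where the reported name is the controller's.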

QUESTION         : 7 of 32
TITLE            : CAT I, V-242436, SV-242436r961359, SRG-APP-000342-CTR-000775
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:11501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:11501
RULE             : The Kubernetes API server must have the ValidatingAdmissionWebhook enabled.
QUESTION_TEXT    : Prior to version 1.21, Pod Security Policies (PSP) were the mechanism for enforcing pod security policies. PSP was deprecated in 1.21 and removed in version 1.25; clusters on 1.25 or later must use Pod Security Admission (PSA) instead.

Migrate from PSP to PSA:
https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/ 

Pre-version 1.25 Check:
Change to the /etc/kubernetes/manifests directory on the Kubernetes Control Plane. Run the command:
grep -i ValidatingAdmissionWebhook * 

If a line is not returned that includes enable-admission-plugins and ValidatingAdmissionWebhook, this is a finding.

References:
CCI-002263
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 7 *******************************

QUESTION         : 8 of 32
TITLE            : CAT I, V-242437, SV-242437r961359, SRG-APP-000342-CTR-000775
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:11701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:11701
RULE             : Kubernetes must have a pod security policy set.
QUESTION_TEXT    : Prior to version 1.21, Pod Security Policies (PSP) were the mechanism for enforcing pod security policies. PSP was deprecated in 1.21 and removed in version 1.25; clusters on 1.25 or later must use Pod Security Admission (PSA) instead.

Migrate from PSP to PSA:
https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/ 

Pre-version 1.25 Check:
On the Control Plane, run the command:
kubectl get podsecuritypolicy

If there is no pod security policy configured, this is a finding.

For each pod security policy listed, display the policy with the command:
kubectl get podsecuritypolicy policyname -o yaml
(Note: "policyname" is the name of the policy. "kubectl edit podsecuritypolicy policyname" also shows it, but opens the object for modification; use "get -o yaml" for a read-only review.)

Review the runAsUser, supplementalGroups and fsGroup sections of the policy.

If any of these sections are missing, this is a finding.

If the rule within the runAsUser section is not set to "MustRunAsNonRoot", this is a finding.

If the ranges within the supplementalGroups section has min set to "0" or min is missing, this is a finding.

If the ranges within the fsGroup section has a min set to "0" or the min is missing, this is a finding.

References:
CCI-002263
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 8 *******************************

QUESTION         : 9 of 32
TITLE            : CAT I, V-254800, SV-254800r961359, SRG-APP-000342-CTR-000775
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:17901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:17901
RULE             : Kubernetes must have a Pod Security Admission control file configured.
QUESTION_TEXT    : Change to the /etc/kubernetes/manifests directory on the Kubernetes Control Plane. Run the command:

grep -i admission-control-config-file *

If the setting "--admission-control-config-file" is not configured in the Kubernetes API Server manifest file, this is a finding.

Inspect the YAML file defined by --admission-control-config-file (it must also be mounted into the API server pod, for example through a hostPath volume, or the API server cannot read it). Verify that it contains a PodSecurity plugin entry whose "defaults" enforce the "restricted" Pod Security Standard (or "baseline" where the system documentation justifies it) and whose exemptions are limited to documented system namespaces, users, or runtime classes.
If least privilege is not represented in this way, this is a finding.

References:
CCI-002263
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 9 *******************************
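Two AdmissionConfiguration files for the PodSecurity plugin, one that represents least privilege and one that does not, with a check for the file named by --admission-control-config-file. This is an added example, not STIG or SCC material: the paths are temporary files, and "least privilege" is taken here to mean a default enforce level of restricted, with baseline reported for documentation rather than as a finding, which is the editor's reading of the rule:

```sh
tmp=$(mktemp -d)

# Weak: "privileged" defaults enforce nothing, so every namespace is wide open
# unless it is individually labelled; audit and warn are not set at all.
cat > "$tmp/psa-weak.yaml" <<'EOF'
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "privileged"
      enforce-version: "latest"
EOF

# Hardened: enforce "restricted" cluster-wide, audit and warn at the same level,
# and exempt only kube-system (control-plane static pods need host access).
cat > "$tmp/psa-restricted.yaml" <<'EOF'
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "restricted"
      enforce-version: "latest"
      audit: "restricted"
      audit-version: "latest"
      warn: "restricted"
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces: ["kube-system"]
EOF

# psa_level FILE MODE: print the configured level for MODE (enforce|audit|warn),
# with the optional quotes stripped; empty if the key is absent.
psa_level() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*\"\{0,1\}\([a-z]*\)\"\{0,1\}.*/\1/p" "$1" | head -n 1
}

# psa_findings FILE: prints findings (and notes) for V-254800; returns 1 on a finding.
psa_findings() {
  f=$1; n=0
  grep -q 'name: PodSecurity' "$f" || { echo "finding: no PodSecurity plugin in $f"; n=$((n + 1)); }
  enforce=$(psa_level "$f" enforce)
  case "$enforce" in
    restricted) ;;
    baseline)   echo "note: enforce is baseline; confirm the deviation from restricted is documented" ;;
    *)          echo "finding: enforce level is '${enforce:-unset}' (privileged/unset enforces nothing)"; n=$((n + 1)) ;;
  esac
  for mode in audit warn; do
    [ "$(psa_level "$f" "$mode")" = restricted ] || echo "note: $mode is not restricted; violations will not be logged or warned about"
  done
  [ "$n" -eq 0 ]
}

# Demo. On a live control plane, locate the file first:
#   f=$(grep -o -- '--admission-control-config-file=[^ ]*' /etc/kubernetes/manifests/kube-apiserver.yaml | cut -d= -f2)
psa_findings "$tmp/psa-weak.yaml"       || echo "-> weak file fails"
psa_findings "$tmp/psa-restricted.yaml" && echo "-> restricted file passes"
```

Remember the API server runs as a static pod: the file must exist on the control-plane host and be mounted into the kube-apiserver container (kubeadm users add a hostPath volume to the manifest), or the flag points at nothing. Namespace labels (pod-security.kubernetes.io/enforce and friends) override these defaults, so a restricted default still needs a review of per-namespace labels.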

QUESTION         : 10 of 32
TITLE            : CAT I, V-254801, SV-254801r961359, SRG-APP-000342-CTR-000775
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:18101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:18101
RULE             : Kubernetes must enable PodSecurity admission controller on static pods and Kubelets.
QUESTION_TEXT    : On the Control Plane, change to the manifests directory at /etc/kubernetes/manifests and run the command:
grep -i feature-gates *

For each manifest file, if the "--feature-gates" setting does not exist, does not contain "PodSecurity=true", or sets the gate to "false", this is a finding.

Note: the PodSecurity feature gate graduated to GA in Kubernetes 1.25 and was removed in 1.28; on those versions the admission plugin is on by default and the g    ate can no longer be set, so confirm instead that PodSecurity is not listed in "--disable-admission-plugins".

On each Control Plane and Worker Node, run the command:
ps -ef | grep kubelet

If the "--feature-gates" option exists, this is a finding. 

Note the path to the config file (identified by --config).

Inspect the content of the config file:
If the "featureGates" setting is not present, does not contain the "PodSecurity" flag, or sets the flag to "false", this is a finding.

References:
CCI-002263
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 10 *******************************

QUESTION         : 11 of 32
TITLE            : CAT I, V-274882, SV-274882r1107233, SRG-APP-000033-CTR-000100
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:18301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:18301
RULE             : Kubernetes Secrets must be encrypted at rest.
QUESTION_TEXT    : Change to the /etc/kubernetes/manifests directory on the Kubernetes Control Plane. Run the command:
grep -i encryption-provider-config *

If the setting "--encryption-provider-config" is not configured, this is a finding.

If the setting is configured, check the contents of the file specified by its argument.

If the file does not list the "secrets" resource, this is a finding.

If the identity provider is specified as the first provider for that resource, this is also a finding (the first provider is the one used for writes, and identity stores plaintext).

References:
CCI-000213
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 11 *******************************
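The two EncryptionConfiguration shapes the check distinguishes, with a parser for the file named by --encryption-provider-config, added as a worked example (not STIG or SCC code). The files are written to a temporary directory and the key value is a placeholder to be replaced with 32 random bytes in base64:

```sh
tmp=$(mktemp -d)

# Weak: secrets are listed, but "identity" comes first, so new writes stay in
# plaintext and the aescbc key is only ever used to decrypt.
cat > "$tmp/enc-weak.yaml" <<'EOF'
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - identity: {}
      - aescbc:
          keys:
            - name: key1
              secret: REPLACE_WITH_BASE64_32_BYTES   # head -c 32 /dev/urandom | base64
EOF

# Hardened: the encrypting provider is first; identity stays last only so that
# Secrets written before encryption was enabled remain readable until rewritten.
cat > "$tmp/enc-good.yaml" <<'EOF'
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: REPLACE_WITH_BASE64_32_BYTES   # head -c 32 /dev/urandom | base64
      - identity: {}
EOF

# enc_findings FILE: prints one verdict line; returns 1 on a finding.
# Walks each "- resources:" group, remembers whether it covers secrets (by name
# or by the *.* / *. wildcards) and which provider is listed first.
enc_findings() {
  awk '
    function flush() { if (grp && has) { covered = 1; sfirst = first; if (first == "identity" || first == "") bad = 1 } }
    /^[ ]*- resources:/ { flush(); grp++; has = 0; first = ""; inres = 1; inprov = 0; next }
    /^[ ]*providers:/   { inres = 0; inprov = 1; next }
    inres && /^[ ]*- /  { if ($2 == "secrets" || $2 == "*.*" || $2 == "*.") has = 1 }
    inprov && first == "" && /^[ ]*- / { first = $2; sub(/:.*/, "", first) }
    END {
      flush()
      if (!covered) { print "finding: no resources group covers secrets"; exit 1 }
      if (bad)      { print "finding: identity (plaintext) is the first provider for secrets"; exit 1 }
      print "ok: secrets are written with " sfirst
    }' "$1"
}

# Demo. On a live control plane, pass the path from the kube-apiserver manifest:
#   enc_findings "$(grep -o -- '--encryption-provider-config=[^ ]*' /etc/kubernetes/manifests/kube-apiserver.yaml | cut -d= -f2)"
enc_findings "$tmp/enc-weak.yaml" || echo "-> weak file fails"
enc_findings "$tmp/enc-good.yaml"
```

Enabling the provider only affects Secrets written afterwards; rewrite the existing ones with "kubectl get secrets --all-namespaces -o json | kubectl replace -f -", then confirm with etcdctl that a stored Secret begins with the "k8s:enc:aescbc:v1:" prefix rather than readable text. The identity entry at the end of the good file exists only so old plaintext Secrets stay readable until that rewrite; remove it afterwards. Where an external key service is available, a kms provider keeps the key off the control-plane host entirely.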

QUESTION         : 12 of 32
TITLE            : CAT I, V-274883, SV-274883r1107230, SRG-APP-000171-CTR-000435
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:18501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:18501
RULE             : Sensitive information must be stored using Kubernetes Secrets or an external Secret store provider.
QUESTION_TEXT    : On the Kubernetes Control Plane node, run the following command:
kubectl get all,cm -A -o yaml

Manually review the output for sensitive information: passwords, API tokens, private keys, database connection strings, and similar values in ConfigMap data, container "env:" values, command "args:", and annotations.

If any sensitive information is found outside a Kubernetes Secret or an external Secret store, this is a finding.

References:
CCI-004062
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 12 *******************************

QUESTION         : 13 of 32
TITLE            : CAT II, V-242394, SV-242394r960792, SRG-APP-000033-CTR-000095
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:3701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:3701
RULE             : Kubernetes Worker Nodes must not have the sshd service enabled.
QUESTION_TEXT    : Log in to each worker node. Verify that the sshd service is not enabled. To validate the service is not enabled, run the command:

systemctl is-enabled sshd.service

If the service sshd is enabled, this is a finding.

Note: If console access is not available, SSH access can be attempted. If the worker nodes cannot be reached, this requirement is "not a finding".

References:
CCI-000213
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 13 *******************************

QUESTION         : 14 of 32
TITLE            : CAT II, V-242395, SV-242395r960792, SRG-APP-000033-CTR-000095
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:3901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:3901
RULE             : Kubernetes dashboard must not be enabled.
QUESTION_TEXT    : From the Control Plane, run the command:

kubectl get pods --all-namespaces -l k8s-app=kubernetes-dashboard

If any resources are returned, this is a finding.

References:
CCI-000213
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 14 *******************************

QUESTION         : 15 of 32
TITLE            : CAT II, V-242396, SV-242396r960792, SRG-APP-000033-CTR-000090
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:4101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:4101
RULE             : Kubernetes Kubectl cp command must give expected access and results.
QUESTION_TEXT    : From the Control Plane and each Worker node, check the version of kubectl by executing the command:

kubectl version --client

If the Control Plane or any Worker nodes are not using kubectl version 1.12.9 or newer, this is a finding.

References:
CCI-000213
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 15 *******************************

QUESTION         : 16 of 32
TITLE            : CAT II, V-242398, SV-242398r960792, SRG-APP-000033-CTR-000100
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:4501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:4501
RULE             : Kubernetes DynamicAuditing must not be enabled.
QUESTION_TEXT    : On the Control Plane, change to the manifests' directory at /etc/kubernetes/manifests and run the command:
grep -i feature-gates *

Review the feature-gates setting, if one is returned.

If the feature-gates setting is present and contains the DynamicAuditing flag set to "true", this is a finding.

On each Control Plane and Worker node, run the command:
ps -ef | grep kubelet

If the "--feature-gates" option exists, this is a finding. 

Note the path to the config file (identified by: --config).

Inspect the content of the config file:
If the "featureGates" setting is present and has the "DynamicAuditing" flag set to "true", this is a finding.

References:
CCI-000213
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 16 *******************************

QUESTION         : 17 of 32
TITLE            : CAT II, V-242399, SV-242399r960792, SRG-APP-000033-CTR-000095
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:4701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:4701
RULE             : Kubernetes DynamicKubeletConfig must not be enabled.
QUESTION_TEXT    : This check is only applicable for Kubernetes versions 1.25 and older.  

On the Control Plane, change to the manifests' directory at /etc/kubernetes/manifests and run the command:
grep -i feature-gates *

In each manifest file, if feature-gates does not exist, does not contain the "DynamicKubeletConfig" flag, or sets the flag to "true", this is a finding.

On each Control Plane and Worker node, run the command:
ps -ef | grep kubelet

Verify the "feature-gates" option is not present.

Note the path to the config file (identified by --config).

Inspect the content of the config file:
If the "featureGates" setting is not present, does not contain "DynamicKubeletConfig", or sets the flag to "true", this is a finding.

References:
CCI-000213
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 17 *******************************

QUESTION         : 18 of 32
TITLE            : CAT II, V-242407, SV-242407r960960, SRG-APP-000133-CTR-000305
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:6101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:6101
RULE             : The Kubernetes KubeletConfiguration files must have file permissions set to 644 or more restrictive.
QUESTION_TEXT    : On the Kubernetes Control Plane and Worker nodes, run the command:
ps -ef | grep kubelet

Note the KubeletConfiguration file path identified by --config (for example /var/lib/kubelet/config.yaml, or a file under /etc/sysconfig/ on some distributions) and run the command:
ls -l <path_to_config_file>

Each KubeletConfiguration file must have permissions of "644" or more restrictive, i.e., no write permission for group or other and no execute bit for anyone (a mode such as 600 or 640 is acceptable; 664 or 755 is not).

If any KubeletConfiguration file is less restrictive than "644", this is a finding.

References:
CCI-001499
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 18 *******************************
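The "644 or more restrictive" test is easy to get wrong by comparing octal numbers (0611 is numerically below 0644 yet adds execute bits). This added example, not STIG or SCC code, checks the permission bits themselves and then locates the kubelet's --config file from its command line. The demo files are temporary and the "ps -o args= -C kubelet" hint assumes Linux procps:

```sh
# mode_at_most_644 FILE: 0 if FILE's mode is 644 or tighter, 1 otherwise.
# Columns 4-10 of "ls -l" are owner execute, group rwx and other rwx; any w or x
# there (s/S/t/T are execute columns carrying setuid, setgid or sticky) makes the
# file looser than 644. Owner read/write may be anything.
mode_at_most_644() {
  bits=$(ls -ld "$1" | cut -c4-10)
  case "$bits" in
    *[wxstST]*) return 1 ;;
    *)          return 0 ;;
  esac
}

# kubelet_config_perm_findings "<kubelet command line>": find the --config file and
# check it; prints a verdict, returns 1 on a finding, 2 if there is no config file.
# Live use on Linux: kubelet_config_perm_findings "$(ps -o args= -C kubelet)"
kubelet_config_perm_findings() {
  cfg=$(printf '%s\n' "$1" | sed -n 's/.*--config[= ]\([^ ]*\).*/\1/p')
  if [ -z "$cfg" ]; then
    echo "no --config on the kubelet command line; nothing to check"; return 2
  fi
  mode=$(ls -ld "$cfg" | cut -c1-10)
  if mode_at_most_644 "$cfg"; then
    echo "ok: $cfg is $mode"
  else
    echo "finding: $cfg is $mode, looser than 644"; return 1
  fi
}

# Demo on a constructed file standing in for /var/lib/kubelet/config.yaml:
# 600 and 644 pass; 664, 611 and 755 are findings.
tmp=$(mktemp -d)
printf 'kind: KubeletConfiguration\n' > "$tmp/config.yaml"
for m in 600 644 664 611 755; do
  chmod "$m" "$tmp/config.yaml"
  kubelet_config_perm_findings "/usr/bin/kubelet --config=$tmp/config.yaml" || true
done
```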

QUESTION         : 19 of 32
TITLE            : CAT II, V-242410, SV-242410r1043177, SRG-APP-000142-CTR-000325
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:6701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:6701
RULE             : The Kubernetes API Server must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
QUESTION_TEXT    : Change to the /etc/kubernetes/manifests/ directory on the Kubernetes Control Plane. Run the commands:
grep -i -- '--secure-port' kube-apiserver.manifest
grep -i -- '--etcd-servers' kube-apiserver.manifest
(kubeadm names this file kube-apiserver.yaml; use the file name of the distribution in use.)

Open the manifest file for review (vim <manifest name>) and note every port it declares:
  livenessProbe:
    httpGet:
      port:
  ports:
  - containerPort:
    hostPort:
  - containerPort:
    hostPort:

Run the command:
kubectl describe services --all-namespaces
Search the labels for any apiserver services and note each "Port:" value.

Any manifest, namespace, or service PPS configuration not in compliance with the PPSM CAL is a finding.

Review the information system's documentation and interview the team to gain an understanding of the API Server architecture and determine the applicable PPS. If any PPS in the system documentation are not in compliance with the PPSM CAL, this is a finding. Any PPS in use but not recorded in the system documentation is a finding.

Review findings against the most recent PPSM CAL:
https://cyber.mil/ppsm/cal/

Verify the API Server network boundary against the PPS associated with the CAL Assurance Categories. Any PPS not in compliance with the CAL Assurance Category requirements is a finding.

References:
CCI-000382
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 19 *******************************

QUESTION         : 20 of 32
TITLE            : CAT II, V-242411, SV-242411r1043177, SRG-APP-000142-CTR-000325
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:6901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:6901
RULE             : The Kubernetes Scheduler must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
QUESTION_TEXT    : Change to the /etc/kubernetes/manifests/ directory on the Kubernetes Control Plane. Run the commands:
grep -i -- '--insecure-port' kube-scheduler.manifest
grep -i -- '--secure-port' kube-scheduler.manifest
(kubeadm names this file kube-scheduler.yaml; use the file name of the distribution in use.)

Open the manifest file for review (vim <manifest name>) and note every port it declares:
  livenessProbe:
    httpGet:
      port:
  ports:
  - containerPort:
    hostPort:
  - containerPort:
    hostPort:

Run the command:
kubectl describe services --all-namespaces
Search the labels for any scheduler services and note each "Port:" value.

Any manifest and namespace PPS configuration not in compliance with the PPSM CAL is a finding.

Review the information system's documentation and interview the team to gain an understanding of the Scheduler architecture and determine the applicable PPS. Any PPS in the system documentation not in compliance with the PPSM CAL is a finding. Any PPS in use but not recorded in the system documentation is a finding.

Review findings against the most recent PPSM CAL:
https://cyber.mil/ppsm/cal/

Verify the Scheduler network boundary against the PPS associated with the CAL Assurance Categories. Any PPS not in compliance with the CAL Assurance Category requirements is a finding.

References:
CCI-000382
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 20 *******************************

QUESTION         : 21 of 32
TITLE            : CAT II, V-242412, SV-242412r1043177, SRG-APP-000142-CTR-000330
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:7101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:7101
RULE             : The Kubernetes Controllers must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
QUESTION_TEXT    : Change to the /etc/kubernetes/manifests/ directory on the Kubernetes Control Plane. Run the command:
grep -i -- '--secure-port' kube-controller-manager.manifest
(kubeadm names this file kube-controller-manager.yaml; use the file name of the distribution in use.)

Open the manifest file for review (vim <manifest name>) and note every port it declares:
  livenessProbe:
    httpGet:
      port:
  ports:
  - containerPort:
    hostPort:
  - containerPort:
    hostPort:

Run the command:
kubectl describe services --all-namespaces
Search the labels for any controller services and note each "Port:" value.

Any manifest, namespace, or service PPS configuration not in compliance with the PPSM CAL is a finding.

Review the information system's documentation and interview the team to gain an understanding of the Controller architecture and determine the applicable PPS. Any PPS in the system documentation not in compliance with the PPSM CAL is a finding. Any PPS in use but not recorded in the system documentation is a finding.

Review findings against the most recent PPSM CAL:
https://cyber.mil/ppsm/cal/

Verify the Controller network boundary against the PPS associated with the CAL Assurance Categories. Any PPS not in compliance with the CAL Assurance Category requirements is a finding.

References:
CCI-000382
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 21 *******************************

QUESTION         : 22 of 32
TITLE            : CAT II, V-242413, SV-242413r1043177, SRG-APP-000142-CTR-000325
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:7301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:7301
RULE             : The Kubernetes etcd must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
QUESTION_TEXT    : Change to the /etc/kubernetes/manifests/ directory on the Kubernetes Control Plane. Run the command:
grep kube-apiserver.manifest -I -etcd-servers *
-edit etcd-main.manifest file:
VIM <Manifest Name>:
Review  livenessProbe:
HttpGet:
Port:
Review ports:
- containerPort:
       hostPort:
- containerPort:
       hostPort:
Run Command:
kubectl describe services --all-namespaces
Search labels for any apiserver namespaces.
Port:

Any manifest and namespace PPS configuration not in compliance with PPSM CAL is a finding.

Review the information system's documentation and interview the team to gain an understanding of the etcd architecture and determine the applicable PPS. Any PPS in the system documentation not in compliance with the PPSM CAL is a finding. Any PPS not set in the system documentation is a finding.

Review findings against the most recent PPSM CAL:
https://cyber.mil/ppsm/cal/

Verify etcd network boundary with the PPS associated with the CAL Assurance Categories. Any PPS not in compliance with the CAL Assurance Category requirements is a finding.

References:
CCI-000382
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 22 *******************************

QUESTION         : 23 of 32
TITLE            : CAT II, V-242414, SV-242414r1043177, SRG-APP-000142-CTR-000330
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:7501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:7501
RULE             : The Kubernetes cluster must use non-privileged host ports for user pods.
QUESTION_TEXT    : On the Control Plane, run the command:
kubectl get pods --all-namespaces

The list returned is all pods running within the Kubernetes cluster. For those pods running within the user namespaces (System namespaces are kube-system, kube-node-lease and kube-public), run the command:
kubectl get pod podname -o yaml | grep -i port

Note: In the above command, "podname" is the name of the pod. For the command to work correctly, the current context must be changed to the namespace for the pod. The command to do this is:

kubectl config set-context --current --namespace=namespace-name
(Note: "namespace-name" is the name of the namespace.)

Review the ports that are returned for the pod.

If any host-privileged ports are returned for any of the pods, this is a finding.

References:
CCI-000382
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 23 *******************************
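The check above greps the pod YAML for anything containing "port"; the reviewer then has to judge which of those values actually bind a privileged port (below 1024) on the node. The following script is an added example, not part of the STIG text: it reads the output of "kubectl get pod <name> -o yaml" on stdin and reports hostPort values below 1024, and, because a pod running with hostNetwork: true binds its containerPort values directly on the node, reports those as well in that case. The pod manifest inside sample_pod_yaml is constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not STIG text): find privileged host ports in pod YAML.
# Input: "kubectl get pod <name> -o yaml" on stdin (kubeconfig context must
# already point at the pod's namespace, as the check notes).

# privileged_host_ports: prints "hostPort N" for every hostPort below 1024.
# If the pod spec has hostNetwork: true, every containerPort below 1024 is
# printed as "containerPort N" too, since it then binds on the node itself.
# hostNetwork is collected during the pass and evaluated at END because
# kubectl prints spec fields alphabetically (containers before hostNetwork).
privileged_host_ports() {
  awk '
    /^[[:space:]]*hostNetwork:[[:space:]]*true[[:space:]]*$/ { hostnet = 1 }
    /^[[:space:]-]*hostPort:[[:space:]]*[0-9]+[[:space:]]*$/ {
      p = $NF + 0
      if (p < 1024) print "hostPort " p
    }
    /^[[:space:]-]*containerPort:[[:space:]]*[0-9]+[[:space:]]*$/ {
      p = $NF + 0
      if (p < 1024) cp[++n] = p
    }
    END { if (hostnet) for (i = 1; i <= n; i++) print "containerPort " cp[i] }
  '
}

# Constructed sample pod (not from a real cluster): one unprivileged and one
# privileged hostPort, pod-network mode.
sample_pod_yaml() {
  cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: apps
spec:
  containers:
  - name: web
    image: nginx:1.25
    ports:
    - containerPort: 8080
      hostPort: 8080
    - containerPort: 443
      hostPort: 443
  hostNetwork: false
EOF
}

# Stand-alone demo: reports "hostPort 443" for the constructed pod.
sample_pod_yaml | privileged_host_ports
```

On a live cluster the pipeline is `kubectl get pod podname -o yaml | privileged_host_ports`; any line of output is the condition the check calls a finding. Pods in the system namespaces (kube-system, kube-node-lease, kube-public) are out of scope for this check, so filter them out of the pod list first.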

QUESTION         : 24 of 32
TITLE            : CAT II, V-242417, SV-242417r961095, SRG-APP-000211-CTR-000530
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:7901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:7901
RULE             : Kubernetes must separate user functionality.
QUESTION_TEXT    : On the Control Plane, run the command:
kubectl get pods --all-namespaces

Review the namespaces and pods that are returned. Kubernetes system namespaces are kube-node-lease, kube-public, and kube-system.

If any user pods are present in the Kubernetes system namespaces, this is a finding.

References:
CCI-001082
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 24 *******************************

QUESTION         : 25 of 32
TITLE            : CAT II, V-242442, SV-242442r961677, SRG-APP-000454-CTR-001110
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:12101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:12101
RULE             : Kubernetes must remove old components after updated versions have been installed.
QUESTION_TEXT    : To view all pods and the images used to create the pods, from the Control Plane, run the following command:
kubectl get pods --all-namespaces -o jsonpath="{..image}" | \
tr -s '[[:space:]]' '\n' | \
sort | \
uniq -c

Review the images used for pods running within Kubernetes.

If there are multiple versions of the same image, this is a finding.

References:
CCI-002647
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 25 *******************************
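The pipeline above produces a counted list of image references, but the reviewer still has to spot two tags of the same repository by eye. The script below is an added example, not STIG text: it reads image references (one per line, as the pipeline emits them) and prints only the repositories that appear with more than one distinct tag, which is exactly the "multiple versions of the same image" condition. It strips digest pins, treats an untagged reference as :latest, and tolerates registry hosts with a port. The references in sample_images are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not STIG text): detect repositories deployed under more
# than one tag. Input: one image reference per line on stdin, e.g. from
#   kubectl get pods --all-namespaces -o jsonpath="{..image}" | tr -s '[[:space:]]' '\n'

# duplicate_image_versions: prints "<repository> <tag>" for every tag of a
# repository that occurs with two or more distinct tags, sorted.
duplicate_image_versions() {
  awk '
    NF == 0 { next }
    {
      ref = $1
      sub(/@[A-Za-z0-9_+.-]+:[0-9a-fA-F]+$/, "", ref)   # a digest pin is not a tag
      n = split(ref, parts, "/")
      last = parts[n]                                    # only the last path element may carry a tag
      tag = "latest"                                     # untagged means :latest
      if ((i = index(last, ":")) > 0) {
        tag = substr(last, i + 1)
        ref = substr(ref, 1, length(ref) - length(tag) - 1)
      }
      key = ref SUBSEP tag
      if (!(key in seen)) { seen[key] = 1; tags[ref]++ }  # count distinct tags per repo
    }
    END {
      for (key in seen) {
        split(key, kv, SUBSEP)
        if (tags[kv[1]] > 1) print kv[1], kv[2]
      }
    }
  ' | LC_ALL=C sort
}

# Constructed sample (not from a real cluster): the jsonpath output repeats
# an image for every container status, and digests may appear alongside tags.
sample_images() {
  cat <<'EOF'
registry.k8s.io/kube-apiserver:v1.29.2
registry.k8s.io/kube-proxy:v1.29.2
registry.example.com:5000/app/web:2.3.1
registry.example.com:5000/app/web:2.3.1@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
registry.example.com:5000/app/web:2.2.0
nginx:1.25
nginx
EOF
}

# Stand-alone demo: reports nginx (1.25, latest) and app/web (2.2.0, 2.3.1).
sample_images | duplicate_image_versions
```

Any output from the function is the finding condition of this check; an empty result means every repository runs under a single version. Note that an image pinned by digest only (no tag) is reported as "latest" because the script cannot tell two digests of the same repository apart as versions.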

QUESTION         : 26 of 32
TITLE            : CAT II, V-242443, SV-242443r961683, SRG-APP-000456-CTR-001125
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:12301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:12301
RULE             : Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs.
QUESTION_TEXT    : Authenticate on the Kubernetes Control Plane. Run the command:
kubectl version --short

If the reported client and server versions do not conform to the Kubernetes version skew policy, this is a finding.

Note: Kubernetes Skew Policy can be found at: https://kubernetes.io/docs/setup/release/version-skew-policy/#supported-versions

References:
CCI-002635
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 26 *******************************

QUESTION         : 27 of 32
TITLE            : CAT II, V-242447, SV-242447r961863, SRG-APP-000516-CTR-001325
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:13101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:13101
RULE             : The Kubernetes Kube Proxy kubeconfig must have file permissions set to 644 or more restrictive.
QUESTION_TEXT    : Check if Kube-Proxy is running and obtain the --kubeconfig parameter by using the following command:
ps -ef | grep kube-proxy

If Kube-Proxy exists:
Review the permissions of the Kubernetes Kube Proxy by using the command:
stat -c %a <location from --kubeconfig>

If the file has permissions more permissive than "644", this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 27 *******************************

QUESTION         : 28 of 32
TITLE            : CAT II, V-242448, SV-242448r961863, SRG-APP-000516-CTR-001325
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:13301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:13301
RULE             : The Kubernetes Kube Proxy kubeconfig must be owned by root.
QUESTION_TEXT    : Check if Kube-Proxy is running by using the following command:
ps -ef | grep kube-proxy

If Kube-Proxy exists:
Review the ownership of the Kubernetes Kube Proxy kubeconfig by using the command:
stat -c %U:%G <location from --kubeconfig> | grep -v root:root

If the command returns any output (i.e., ownership other than root:root), this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 28 *******************************

QUESTION         : 29 of 32
TITLE            : CAT II, V-242454, SV-242454r961863, SRG-APP-000516-CTR-001325
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:14501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:14501
RULE             : The Kubernetes kubeadm.conf must be owned by root.
QUESTION_TEXT    : Review the kubeadm.conf file:

Get the path for kubeadm.conf by running:
systemctl status kubelet

Note: the configuration file installed by kubeadm is written to the drop-in shown in the service status
(Default Location: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf). Then run:
stat -c %U:%G <kubeadm.conf path> | grep -v root:root

If the command returns any output (i.e., ownership other than root:root), this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 29 *******************************

QUESTION         : 30 of 32
TITLE            : CAT II, V-242455, SV-242455r961863, SRG-APP-000516-CTR-001325
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:14701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:14701
RULE             : The Kubernetes kubeadm.conf must have file permissions set to 644 or more restrictive.
QUESTION_TEXT    : Review the kubeadm.conf file:

Get the path for kubeadm.conf by running:
systemctl status kubelet

Note: the configuration file installed by kubeadm is written to the drop-in shown in the service status
(Default Location: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf). Then run:
stat -c %a <kubeadm.conf path>

If the file has permissions more permissive than "644", this is a finding. 

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 30 *******************************

QUESTION         : 31 of 32
TITLE            : CAT II, V-242467, SV-242467r961863, SRG-APP-000516-CTR-001335
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:16901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:16901
RULE             : The Kubernetes PKI keys must have file permissions set to 600 or more restrictive.
QUESTION_TEXT    : Review the permissions of the Kubernetes PKI key files by using the command:

sudo find /etc/kubernetes/pki -name "*.key" | xargs stat -c '%n %a'

If any of the files have permissions more permissive than "600", this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 31 *******************************
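Questions 27 through 31 are the same two tests applied to different files: the mode must not be more permissive than a maximum (644 for the Kube Proxy kubeconfig and kubeadm.conf, 600 for PKI keys), and the owner must be root:root. The script below is an added example, not STIG text, that implements both tests once so they can be applied to any list of paths. "More permissive" is evaluated bit-wise (any permission bit set that is outside the maximum, including setuid/setgid/sticky bits), which is stricter and more accurate than a numeric comparison of the octal string. It assumes GNU stat (-c), as the STIG commands themselves do; the demo at the end creates constructed temporary files rather than touching real cluster files.

```shell
#!/usr/bin/env bash
# Added example (not STIG text): mode and ownership checks behind
# V-242447, V-242448, V-242454, V-242455 and V-242467. Requires GNU stat.

# mode_ok FILE MAX: succeeds when FILE's permission bits are a subset of MAX
# (octal string such as 644 or 600). Any bit set beyond MAX, including a
# setuid/setgid/sticky bit in a 4-digit mode, makes the file more permissive.
mode_ok() {
  local file=$1 max=$2 mode
  mode=$(stat -c %a "$file") || return 2
  # printf with a leading 0 turns the octal string into a decimal number
  [ $(( $(printf '%d' "0$mode") & ~$(printf '%d' "0$max") )) -eq 0 ]
}

# owner_ok FILE [OWNER:GROUP]: succeeds when ownership matches (default root:root).
owner_ok() {
  [ "$(stat -c %U:%G "$1")" = "${2:-root:root}" ]
}

# audit_files MAX OWNER FILE...: prints one FINDING line per violated test
# and returns the number of findings (0 means all files pass).
audit_files() {
  local max=$1 owner=$2 f findings=0
  shift 2
  for f in "$@"; do
    if ! mode_ok "$f" "$max"; then
      echo "FINDING: $f mode $(stat -c %a "$f") is more permissive than $max"
      findings=$((findings + 1))
    fi
    if ! owner_ok "$f" "$owner"; then
      echo "FINDING: $f owned by $(stat -c %U:%G "$f"), expected $owner"
      findings=$((findings + 1))
    fi
  done
  return "$findings"
}

# On a control plane the STIG checks map to (hypothetical invocations, paths
# from the checks; the kube-proxy line assumes the --kubeconfig=PATH form):
#   audit_files 644 root:root "$(ps -o args= -C kube-proxy | sed -n 's/.*--kubeconfig=\([^ ]*\).*/\1/p')"
#   audit_files 644 root:root /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
#   audit_files 600 root:root /etc/kubernetes/pki/*.key

# Stand-alone demo on constructed files: one compliant key, one at 640
# (a finding), owner checked against the current user instead of root.
demo() {
  local d
  d=$(mktemp -d)
  printf 'constructed\n' > "$d/ok.key";  chmod 600 "$d/ok.key"
  printf 'constructed\n' > "$d/bad.key"; chmod 640 "$d/bad.key"
  audit_files 600 "$(id -un):$(id -gn)" "$d"/*.key || echo "findings: $?"
  rm -rf "$d"
}
demo
```

The return value is the finding count, so the function composes with `set -e` scripts and with a one-line summary such as the demo prints; when running the PKI check, the `sudo find /etc/kubernetes/pki -name "*.key"` listing from question 31 can be fed in as the file arguments.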

QUESTION         : 32 of 32
TITLE            : CAT II, V-274884, SV-274884r1107236, SRG-APP-000429-CTR-001060
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.kubernetes:testaction:18701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.kubernetes:question:18701
RULE             : Kubernetes must limit Secret access on a need-to-know basis.
QUESTION_TEXT    : Review the Kubernetes accounts and their corresponding roles. 

If any accounts have read (list, watch, get) access to Secrets without a documented organizational requirement, this is a finding. 

Run the following command to list the workload resources for applications deployed to Kubernetes:
kubectl get all -A -o yaml

If Secrets are attached to applications without a documented requirement, this is a finding.

References:
CCI-002476
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 32 *******************************

