Kubernetes STIG Ver 1, Rel 11 Checklist Details

Target:

Target CPE Name
Kubernetes cpe:/o:kubernetes:kubernetes:-

Checklist Highlights

Checklist Name:
Kubernetes STIG
Checklist ID:
996
Version:
Ver 1, Rel 11
Type:
Compliance
Review Status:
Final
Authority:
Governmental Authority: Defense Information Systems Agency
Original Publication Date:
04/13/2021

Checklist Summary:

The Kubernetes Security Technical Implementation Guide (STIG) provides technical requirements for securing a basic Kubernetes platform, version 1.16.7 and newer. A basic Kubernetes cluster is composed of a Kubernetes master, application programming interface (API) server, scheduler, controllers, etcd, and the worker nodes. There can be other components within a Kubernetes installation; however, those listed here are the basic components present in every installation and are the ones covered in this STIG.

Other components, such as a runtime and a container network interface (CNI), behave differently depending on the installed software (runtime examples are Docker, containerd, rkt, and lxd) or plugin (CNI plugin examples are Flannel, Calico, Canal, and Weave Net). The component chosen also determines what additional security can be implemented for Kubernetes. For instance, the installed CNI determines whether network policies can be implemented at all and what type of policies they are. Because of these differences in capabilities, the features of such components are outside the scope of the Kubernetes STIG, but the components still need to be secured. To secure components outside the scope of this document, use the specific vendor STIG or technology Security Requirements Guide (SRG).

Kubernetes is also a portable, extensible, open-source platform for managing containerized workloads and services that facilitates both declarative configuration and automation. With the platform, services such as DNS, a firewall, a router, and a web console may also be deployed. These services are likewise outside the scope of this document and must follow the appropriate vendor-specific STIG, if one exists. If a vendor-specific STIG does not exist, the more generic technology SRG must be used. Services must also follow any guidance that pertains to the way the services are implemented.

Checklist Role:

  • Operating System

Known Issues:

Not provided.

Target Audience:

Not provided.

Target Operational Environment:

  • Managed
  • Specialized Security-Limited Functionality (SSLF)

Testing Information:

Not provided.

Regulatory Compliance:

DoD Instruction (DoDI) 8500.01

Comments/Warnings/Miscellaneous:

Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. DISA will coordinate all change requests with the relevant DoD organizations before inclusion in this document. Approved changes will be made in accordance with the DISA maintenance release schedule.

Disclaimer:

Not provided.

Product Support:

Parties within the DoD and Federal Government’s computing environments can obtain the applicable STIG from the Cyber Exchange website at https://cyber.mil/. This site contains the latest copies of STIGs, SRGs, and other related security information. Those without a Common Access Card (CAC) that has DoD Certificates can obtain the STIG from https://public.cyber.mil/.

Point of Contact:

disa.stig_spt@mail.mil

Sponsor:

Not provided.

Licensing:

Not provided.

Change History:

Updated to FINAL - 6/17/2021
Updated resource per DISA - 7/29/2021
Updated URLs - 10/27/2021
Updated URLs - 1/26/2022
Updated resource per DISA - 4/24/2022
Updated resource per DISA - 8/1/2022
Updated resource per DISA - 10/26/2022
Updated URLs per DISA - 1/17/2023
Updated resource per DISA - 4/26/2023
Added benchmark - 5/19/2023
Updated URLs per DISA - 7/25/2023
Updated resource per DISA - 10/26/2023

NIST checklist record last modified on 10/26/2023