Kubernetes STIG Ver 1, Rel 9 Checklist Details (Checklist Revisions)
SCAP 1.2 Content:
- Download SCAP 1.2 Content - Kubernetes STIG Benchmark - Ver 1, Rel 1
  - Author: Defense Information Systems Agency
- Download Standalone XCCDF 1.1.4 - Kubernetes STIG - Ver 1, Rel 9
  - Author: Defense Information Systems Agency
- Kubernetes: cpe:/o:kubernetes:kubernetes:-
- Checklist Name: Kubernetes STIG
- Checklist ID: Ver 1, Rel 9
- Review Status:
- Governmental Authority: Defense Information Systems Agency
- Original Publication Date:
The Kubernetes Security Technical Implementation Guide (STIG) provides technical requirements for securing a basic Kubernetes platform, version 1.16.7 and newer. A basic Kubernetes cluster is composed of a Kubernetes master, the application programming interface (API) server, the scheduler, the controllers, etcd, and the worker nodes. There can be other components within a Kubernetes installation; however, those listed here are the basic components present in every installation and are the ones covered in this STIG.

Other components, such as the container runtime and the container network interface (CNI), behave differently depending on the installed software (runtime examples are Docker, containerd, rkt, and lxd) or plugin (CNI plugin examples are Flannel, Calico, Canal, and Weave Net). The component also determines what additional security can be implemented for Kubernetes. For instance, the CNI installed determines whether network policies can be enforced at all and what kinds of policies are available. Because of these differences in capabilities, the features of such components are outside the scope of the Kubernetes STIG, but the components still need to be secured. To secure components outside the scope of this document, use the specific vendor STIG or the applicable technology Security Requirements Guide (SRG).

Kubernetes is also a portable, extensible, open-source platform for managing containerized workloads and services that facilitates both declarative configuration and automation. On the platform, services such as a DNS, firewall, router, and web console may also be deployed. These services are also outside the scope of this document and must follow the appropriate vendor-specific STIG, if one exists. If a vendor-specific STIG does not exist, the more generic technology SRG must be used. Services must also follow any guidance that pertains to the way they are implemented.
- Operating System
Target Operational Environment: Specialized Security-Limited Functionality (SSLF)
DoD Instruction (DoDI) 8500.01
Comments or proposed revisions to this document should be sent via email to the following address: firstname.lastname@example.org. DISA will coordinate all change requests with the relevant DoD organizations before inclusion in this document. Approved changes will be made in accordance with the DISA maintenance release schedule.
Parties within the DoD and Federal Government’s computing environments can obtain the applicable STIG from the Cyber Exchange website at https://cyber.mil/. This site contains the latest copies of STIGs, SRGs, and other related security information. Those without a Common Access Card (CAC) that has DoD Certificates can obtain the STIG from https://public.cyber.mil/.
Point of Contact:
- updated to FINAL - 6/17/2021
- Updated resource per DISA - 7/29/21
- updated URLs - 10/27/2021
- updated URLs - 1/26/2022
- Updated resource per DISA - 4/24/22
- Updated resource per DISA - 8/1/22
- Updated resource per DISA - 10/26/22
- updated URLs per DISA - 1/17/2023
- Updated resource per DISA - 4/26/23
- added benchmark - 5/19/2023