1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
|
documentation_complete: true
{{%- if product == "eks" %}}
{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}}
{{%- else %}}
{{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}}
{{%- endif %}}
platform: {{{ product }}}-node
title: 'kubelet - Allow Automatic Firewall Configuration'
description: |-
The kubelet has the ability to automatically configure the firewall to allow
the containers required ports and connections to networking resources and destinations
parameters potentially creating a security incident.
To allow the kubelet to modify the firewall, edit the kubelet configuration
file <tt>{{{ kubeletconf_path }}}</tt>
on the kubelet node(s) and set the below parameter:
<pre>makeIPTablesUtilChains: true</pre>
rationale: |-
The kubelet should automatically configure the firewall settings to allow access and
networking traffic through. This ensures that when a pod or container is running that
the correct ports are configured as well as removing the ports when a pod or
container is no longer in existence.
severity: medium
ocil_clause: 'the kubelet cannot modify the firewall settings'
ocil: |-
Run the following command on the kubelet node(s):
<pre>$ oc get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep makeIPTablesUtilChains </pre>
The output should return <tt>true</tt>.
identifiers:
cce@ocp4: CCE-83775-7
references:
cis@eks: 3.2.7
cis@ocp4: 4.2.7
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
srg: SRG-APP-000516-CTR-001325
template:
name: yamlfile_value
vars:
filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig'
yamlpath: ".kubeletconfig.makeIPTablesUtilChains"
values:
- value: "true"
operation: "equals"
|
