This checklist translates key DISA Kubernetes STIG guidance into practical, actionable steps for cluster owners and security teams. It’s intended for Kubernetes administrators, DevOps, and security engineers who need to harden clusters, implement STIG controls, and verify compliance.
- Inventory cluster components — List control plane, API server, controller-manager, scheduler, etcd, kubelets, runtime, and CNI plugins.
- Download Kubernetes STIG resources — Fetch SCAP/XCCDF and automated content from DISA (cyber.mil) for your version.
- Review vendor-specific STIGs for runtimes and CNIs — Check vendor or SRG guidance for Docker, containerd, Flannel, Calico, etc.
- Harden API server
- Enforce TLS and secure ciphers for API server — Serve the API only over TLS with certificates issued by the cluster CA (--tls-cert-file, --tls-private-key-file), set --tls-min-version=VersionTLS12, and restrict --tls-cipher-suites to an explicit list of AEAD (GCM or ChaCha20) suites.
- Enable recommended admission controllers — Include NodeRestriction, PodSecurity, and NamespaceLifecycle in --enable-admission-plugins, and pair NodeRestriction with the Node authorizer (--authorization-mode=Node,RBAC) so kubelets can only modify their own node and pod objects.
- Restrict API server network access to management plane — Expose port 6443 only to trusted management networks, bastion hosts, and the cluster nodes themselves; never publish it directly to the internet.
- Encrypt etcd data at rest — Point --encryption-provider-config at an EncryptionConfiguration that covers secrets (and any other sensitive resources) with a KMS or AES provider, then rewrite existing objects (kubectl get secrets -A -o json | kubectl replace -f -) so data stored before encryption was enabled is re-encrypted.
- Configure automated etcd backups — Schedule regular etcdctl snapshot backups, encrypt them and store them off the control-plane nodes, and verify integrity (etcdutl snapshot status) and retention on a fixed cadence.
- Enable audit logging on API server — Set --audit-policy-file to a Policy that logs secrets and configmaps at Metadata level (so their contents never reach the log), configure --audit-log-path with maxage, maxbackup, and maxsize or a webhook backend, and ship the logs to storage the cluster cannot modify.
- Configure RBAC and apply least privilege — Create namespaced roles and rolebindings with explicit resources and verbs (no wildcards), avoid cluster-admin bindings for humans and workloads, and set automountServiceAccountToken: false on service accounts whose pods never call the API.
- Restrict anonymous access and disable insecure ports — Set --anonymous-auth=false on the API server and the kubelet; on releases before 1.24 also set --insecure-port=0 (the plaintext API port was removed in 1.24), and confirm with a port scan of the control plane that nothing unauthenticated is listening.
- Harden kubelet on worker nodes
- Enable kubelet auth, authorization, and certificate rotation — In KubeletConfiguration set authentication.anonymous.enabled: false, authentication.webhook.enabled: true with x509.clientCAFile, authorization.mode: Webhook, and rotateCertificates: true (plus serverTLSBootstrap: true for serving certificates where your CSR approval process supports it).
- Disable kubelet read-only port and restrict access — Set readOnlyPort: 0 (port 10255 serves pod and node data without authentication) and firewall the authenticated port 10250 so only the control plane and management hosts can reach it.
- Apply Pod Security Standards through Pod Security Admission — Label each namespace with pod-security.kubernetes.io/enforce set to baseline or restricted (restricted wherever workloads tolerate it); the privileged level should stay limited to system namespaces that genuinely need it.
- Implement network policies via CNI — Start every namespace from a default-deny ingress and egress policy, then allow only the flows workloads require (including DNS egress) so a compromised pod cannot move laterally; verify that the CNI in use actually enforces NetworkPolicy, since not all do.
- Ensure TLS for all cluster component communication — Use mutual TLS for etcd client and peer traffic, API server to kubelet, and controller-manager and scheduler to API server, and set --kubelet-certificate-authority so the API server verifies kubelet serving certificates instead of skipping verification.
- Scan container images and nodes for vulnerabilities — Integrate image scanners and run regular node vulnerability scans.
- Enforce signed images and image provenance — Sign images in the build pipeline (e.g., cosign, Notary) and verify signatures at admission time so unsigned or untrusted images are rejected before they run.
- Disable unused APIs and cluster features — Disable API groups and versions not in use with --runtime-config, remove admission plugins you do not rely on, and set --profiling=false on the API server, controller-manager, and scheduler.
- Apply regular updates and patching schedule — Define and follow a patch cycle for Kubernetes components and OS images.
- Document configurations and change control — Record settings, baselines, and change approvals for STIG compliance.
- Test recovery and incident response procedures — Perform restore drills and tabletop exercises to validate backups and IR.
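The API server items above (TLS and ciphers, admission controllers, encryption at rest, audit logging, anonymous access, mutual TLS to etcd and kubelets) collected into one kube-apiserver static pod manifest. This is an added example, not content from the DISA STIG or from this checklist. It assumes a kubeadm-style control plane with PKI under /etc/kubernetes/pki and a Kubernetes release of 1.24 or newer; the image tag, file paths, and log retention values are assumptions to adjust for your environment, and the networking and service flags a real manifest carries are omitted.

```yaml
# Added example (not from the STIG or the checklist): security-relevant flags
# for a kubeadm-style kube-apiserver static pod. Paths, image tag and retention
# values are assumptions. Flags such as --etcd-servers, --secure-port,
# --service-cluster-ip-range and the service-account flags are omitted.
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
    - name: kube-apiserver
      image: registry.k8s.io/kube-apiserver:v1.30.0   # assumed version
      command:
        - kube-apiserver
        # Authentication and authorization: no anonymous requests, Node + RBAC authorizers
        - --anonymous-auth=false
        - --authorization-mode=Node,RBAC
        - --client-ca-file=/etc/kubernetes/pki/ca.crt
        - --service-account-lookup=true
        # Admission control
        - --enable-admission-plugins=NodeRestriction,PodSecurity,NamespaceLifecycle
        # TLS for API clients: TLS 1.2+ and an explicit AEAD cipher list
        - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
        - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
        - --tls-min-version=VersionTLS12
        - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        # Mutual TLS to etcd and to kubelets (the CA flag makes the API server
        # verify kubelet serving certificates instead of trusting them blindly)
        - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
        - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
        - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
        - --kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt
        - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
        - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
        # Encryption at rest and audit logging
        - --encryption-provider-config=/etc/kubernetes/encryption-config.yaml
        - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
        - --audit-log-path=/var/log/kubernetes/audit/audit.log
        - --audit-log-maxage=30
        - --audit-log-maxbackup=10
        - --audit-log-maxsize=100
        # Remove the profiling endpoint and bound long-running requests
        - --profiling=false
        - --request-timeout=300s
      volumeMounts:
        - name: k8s-certs
          mountPath: /etc/kubernetes/pki
          readOnly: true
        - name: encryption-config
          mountPath: /etc/kubernetes/encryption-config.yaml
          readOnly: true
        - name: audit-policy
          mountPath: /etc/kubernetes/audit-policy.yaml
          readOnly: true
        - name: audit-log
          mountPath: /var/log/kubernetes/audit
  volumes:
    - name: k8s-certs
      hostPath:
        path: /etc/kubernetes/pki
        type: DirectoryOrCreate
    - name: encryption-config
      hostPath:
        path: /etc/kubernetes/encryption-config.yaml
        type: File
    - name: audit-policy
      hostPath:
        path: /etc/kubernetes/audit-policy.yaml
        type: File
    - name: audit-log
      hostPath:
        path: /var/log/kubernetes/audit
        type: DirectoryOrCreate
```

On a kubeadm cluster the kubelet restarts the API server as soon as the file under /etc/kubernetes/manifests changes, so stage the encryption config and audit policy on the node first; with hostPath type File, the pod will not start if either file is missing.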
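The two files the encryption-at-rest and audit-logging items refer to, as an added example that is not part of the STIG or this checklist. The resource list, key name, and audit rules are assumptions; the key value is a placeholder you must generate yourself.

```yaml
# Added example (not from the STIG or the checklist): EncryptionConfiguration
# for --encryption-provider-config. Key name and covered resources are assumed.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
      - configmaps
    providers:
      # The first provider is used for writes; every listed provider is tried for reads.
      - aescbc:
          keys:
            - name: key1
              # Placeholder: 32 random bytes, base64-encoded, e.g. head -c 32 /dev/urandom | base64
              secret: <base64-encoded-32-byte-key>
      # identity (plaintext) stays last so objects written before encryption was
      # enabled remain readable; remove it only after every object has been rewritten.
      - identity: {}
---
# Added example: audit Policy for --audit-policy-file. Rules are evaluated in
# order and the first match wins; the rule set below is an assumption to adapt.
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - RequestReceived
rules:
  # Drop the high-volume watch traffic kube-proxy generates on services/endpoints.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  # Secrets and configmaps at Metadata level: record who touched which object
  # without copying the object contents into the audit log.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  # Full request and response bodies for RBAC changes, the records you want during an investigation.
  - level: RequestResponse
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
  # Everything else: metadata only.
  - level: Metadata
```

After the API server restarts with the encryption config, rewrite existing objects (kubectl get secrets -A -o json | kubectl replace -f -) so data written before the change is stored encrypted; the key file itself is as sensitive as the secrets it protects, so keep it root-only on the control-plane node or move to a KMS provider.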
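A KubeletConfiguration that implements the worker-node items (authentication and authorization against the API server, certificate rotation, read-only port disabled, TLS settings), added here as an example rather than taken from the STIG or the checklist. It assumes a kubeadm node where the file lives at /var/lib/kubelet/config.yaml and the cluster CA is at /etc/kubernetes/pki/ca.crt; the timeout and QPS values are assumptions.

```yaml
# Added example (not from the STIG or the checklist): hardened KubeletConfiguration.
# CA path and numeric values are assumptions.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false            # reject unauthenticated requests on port 10250
  webhook:
    enabled: true             # validate bearer tokens via TokenReview on the API server
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: Webhook               # SubjectAccessReview on the API server, not AlwaysAllow
readOnlyPort: 0               # turn off the unauthenticated port 10255
protectKernelDefaults: true   # refuse to start if kernel settings differ from kubelet defaults
rotateCertificates: true      # renew the kubelet client certificate before it expires
serverTLSBootstrap: true      # request the serving certificate from the cluster CA via CSR
tlsMinVersion: VersionTLS12
tlsCipherSuites:
  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
streamingConnectionIdleTimeout: 5m   # close idle exec/attach/port-forward streams
makeIPTablesUtilChains: true
eventRecordQPS: 5             # cap event rate so a noisy pod cannot flood the API server
```

Two caveats before rolling this out: serverTLSBootstrap only works if something approves the kubelet's serving CSRs (kubeadm does not approve them automatically), and protectKernelDefaults makes the kubelet exit if the node's sysctl values differ from its defaults, so set the sysctls first.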
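The namespace-level items (Pod Security Admission, least-privilege RBAC, network policies) applied together to one namespace, as an added example that is not part of the STIG or this checklist. The namespace name, service account, role, and the ConfigMap name are assumptions, and the DNS egress rule assumes CoreDNS running in kube-system with the k8s-app: kube-dns label.

```yaml
# Added example (not from the STIG or the checklist): per-namespace baseline.
# Namespace, service account, role and ConfigMap names are assumed.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    # Pod Security Admission: reject pods outside the restricted profile, and
    # audit/warn at the same level so violations show up in logs and kubectl output.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: payments-api
  namespace: payments
automountServiceAccountToken: false   # pods opt in to a token only if they need the API
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: payments-config-reader
  namespace: payments
rules:
  # Read one named ConfigMap: no wildcards, no secrets, no write verbs.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["payments-settings"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-api-config-reader
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: payments-api
    namespace: payments
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: payments-config-reader
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}                      # every pod in the namespace
  policyTypes: ["Ingress", "Egress"]   # no rules listed, so all traffic is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: payments
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
    # Policies are additive: this re-allows DNS to CoreDNS and nothing else.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Apply the namespace first and then the rest; with the restricted label in place, any pod that runs as root, lacks a seccomp profile, or requests added capabilities is rejected at admission, which is the behaviour to verify (kubectl run a privileged pod into the namespace and confirm the rejection) before treating the control as implemented.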