Kubernetes STIG Compliance Checklist

Hard 25 items · 1 day
testuser Published 1 month ago

This checklist helps system and security teams align a Kubernetes cluster with the DISA Kubernetes STIG (Ver 2, Rel 5). It’s for administrators and auditors who need a practical, prioritized set of actions to secure control plane components, etcd, nodes, runtimes, networking, and logging.

Source: https://ncp.nist.gov/checklist/996

  1. Download the official Kubernetes STIG (Ver 2, Rel 5) — Get the DISA STIG from cyber.mil or public.cyber.mil for authoritative guidance.
  2. Inventory cluster components — List API server, controller manager, scheduler, etcd, nodes, CNI, and runtimes.
  3. Verify Kubernetes version meets STIG baseline (>= 1.16.7) — Confirm control plane and node kubelet versions match policy requirements.
  4. Harden API server configuration
  5. Enable RBAC and disable ABAC on the API server — Use role-based access control for fine-grained permissions.
  6. Require TLS for all API server connections — Enforce TLS certs and disable insecure ports (e.g., --insecure-port).
  7. Disable anonymous access and insecure API options — Turn off anonymous auth and insecure-bind-address/ports.
  8. Secure etcd storage and access
  9. Enable encryption at rest for etcd — Configure Kubernetes encryption providers for secrets stored in etcd.
  10. Restrict etcd network access and require TLS — Limit etcd to control plane networks and enforce client/server TLS.
  11. Harden worker nodes
  12. Restrict kubelet access and disable unused services — Require kubelet authentication/authorization and close unnecessary ports.
  13. Install OS-level security updates and disable root SSH login — Apply patches and follow host-baseline hardening practices.
  14. Secure the container runtime
  15. Use a supported, patched runtime and minimize privileges — Run containerd/docker versions with security fixes and drop capabilities.
  16. Implement network policies and review the CNI — Ensure CNI supports required policies and apply namespace/pod rules.
  17. Configure logging and auditing
  18. Enable API server auditing with appropriate policy — Capture relevant request data and store logs securely.
  19. Centralize logs and set retention and access controls — Ship logs to a secure central store and enforce retention.
  20. Run automated SCAP/XCCDF scans and remediate findings — Use provided SCAP 1.3/1.2 or XCCDF content to test compliance.
  21. Review and remediate known CVEs — Track component CVEs and apply patches or mitigations promptly.
  22. Backup etcd and cluster configuration regularly — Store encrypted backups offsite and test restores frequently.
  23. Rotate and manage TLS certificates — Establish cert rotation schedules and automated renewal processes.
  24. Document configurations, deviations, and accepted exceptions — Keep an audit trail for changes and authority waivers.
  25. Schedule periodic compliance reviews and subscribe to DISA updates — Review STIG changes and update the cluster to stay compliant.
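Items 5, 6, 7, 9, 10 and 18 above can be verified mechanically from the kube-apiserver static pod manifest. The following is an added example, not part of the checklist or of the DISA STIG content: it extracts the `--flag=value` entries from the manifest text and reports each checklist item that is not satisfied. The manifest excerpt is constructed sample data, and the default values assumed for omitted flags (`AlwaysAllow` authorization, anonymous auth on) are the kube-apiserver defaults.

```python
import re

# Constructed kube-apiserver static pod manifest excerpt (sample data, not from a real cluster).
SAMPLE_MANIFEST = """\
containers:
- command:
  - kube-apiserver
  - --anonymous-auth=true
  - --authorization-mode=Node,ABAC
  - --insecure-port=8080
  - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
  - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
"""

FLAG_RE = re.compile(r"^\s*-\s+--([A-Za-z0-9-]+)(?:=(.*))?\s*$")

def parse_apiserver_flags(manifest: str) -> dict[str, str]:
    # Collect '- --flag=value' entries from the command list; no YAML library needed.
    flags: dict[str, str] = {}
    for line in manifest.splitlines():
        m = FLAG_RE.match(line)
        if m:
            flags[m.group(1)] = m.group(2) or ""
    return flags

def check_apiserver(flags: dict[str, str]) -> list[str]:
    findings: list[str] = []
    # Item 5: kube-apiserver defaults to AlwaysAllow when --authorization-mode is absent.
    modes = flags.get("authorization-mode", "AlwaysAllow").split(",")
    if "RBAC" not in modes:
        findings.append("RBAC not in --authorization-mode")
    if "ABAC" in modes or "AlwaysAllow" in modes:
        findings.append("ABAC or AlwaysAllow in --authorization-mode")
    # Item 7: --anonymous-auth defaults to true when omitted.
    if flags.get("anonymous-auth", "true") != "false":
        findings.append("--anonymous-auth not false")
    # Items 6/7: insecure listener must be closed (fail only when set; newer releases removed the flag).
    if flags.get("insecure-port", "0") != "0" or "insecure-bind-address" in flags:
        findings.append("insecure port or bind address configured")
    # Item 6: serving TLS cert/key present; item 10: client TLS to etcd fully configured.
    for name, needed in (("serving TLS", ("tls-cert-file", "tls-private-key-file")),
                         ("etcd client TLS", ("etcd-cafile", "etcd-certfile", "etcd-keyfile"))):
        if not all(f in flags for f in needed):
            findings.append(f"{name} flags incomplete")
    # Item 9: encryption at rest enabled; item 18: audit policy plus an audit log destination.
    if "encryption-provider-config" not in flags:
        findings.append("--encryption-provider-config missing")
    if "audit-policy-file" not in flags or "audit-log-path" not in flags:
        findings.append("audit policy or audit log path missing")
    return findings
```

Run `check_apiserver(parse_apiserver_flags(open("/etc/kubernetes/manifests/kube-apiserver.yaml").read()))` on a control plane node; an empty list means every checked item passes.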