Rule ID
SV-260912r966093_rule
Version
V2R1
CCIs
MKE uses Role-Based Access Controls (RBAC) to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. Using an IDP (per this STIG) still requires configure mapping. Refer to the following for more information: https://docs.mirantis.com/mke/3.7/ops/authorize-rolebased-access/rbac-tutorials/access-control-standard.html#access-control-standard.
Verify the applied RBAC policies set in MKE are configured per the requirements set forth by the System Security Plan (SSP). Log in to the MKE web UI as an MKE Admin and navigate to Access Control >> Grants. When using Kubernetes orchestration, select the "Kubernetes" tab and verify that cluster role bindings are configured per the requirements set forth by the SSP. When using Swarm orchestration, select the "Swarm" tabs. Verify that all grants are configured per the requirements set forth by the SSP. If the grants are not configured per the requirements set forth by the SSP, then this is a finding.
Create Role Bindings/Grants by logging in to the MKE web UI as an MKE Admin. Navigate to Access Control >> Grants. Using Kubernetes orchestration: - Select the "Kubernetes" tab and click "Create Role Binding". - Add Users, Organizations or Service Accounts as needed and click "Next". - Under "Resource Set", enable "Apply Role Binding to all namespaces", and then click "Next". - Under "Role" select a cluster role. - Click "Create". Using Swarm orchestration: - Select the "Swarm" tab and click "Create Grant". - Add Users, Organizations, or Service Accounts as needed and click "Next". - Under "Resource Set", click "View Children" until the required Swarm collection displays, and then click "Next". - Under "Role" select a cluster role. - Click "Create".