STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Kubernetes Security Technical Implementation Guide

V-242434

CAT I (High)

Kubernetes Kubelet must enable kernel protection.

Rule ID

SV-242434r961131_rule

STIG

Kubernetes Security Technical Implementation Guide

Version

V2R6

CCIs

CCI-001084

Discussion

System kernel is responsible for memory, disk, and task management. The kernel provides a gateway between the system hardware and software. Kubernetes requires kernel access to allocate resources to the Control Plane. Threat actors that penetrate the system kernel can inject malicious code or hijack the Kubernetes architecture. It is vital to implement protections through Kubernetes components to reduce the attack surface.

Check Content

On the Control Plane, run the command:
ps -ef | grep kubelet

If the "--protect-kernel-defaults" option exists, this is a finding.

Note the path to the config file (identified by --config).

Run the command:
grep -i protectKernelDefaults <path_to_config_file>

If the setting "protectKernelDefaults" is not set or is set to false, this is a finding.

Fix Text

On the Control Plane, run the command:
ps -ef | grep kubelet

Remove the "--protect-kernel-defaults" option if present.

Note the path to the Kubernetes Kubelet config file (identified by --config).

Edit the Kubernetes Kubelet config file: 
Set "protectKernelDefaults" to "true". 

Restart the kubelet service using the following command:
systemctl daemon-reload && systemctl restart kubelet