STIGhub

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-260941

CAT II (Medium)

The network ports on all running containers must be limited to required ports.

Rule ID

SV-260941r966180_rule

STIG

Mirantis Kubernetes Engine Security Technical Implementation Guide

Version

V2R1

CCIs

CCI-001762

Discussion

To validate that the services are using only the approved ports and protocols, the organization must perform a periodic scan/review of MKE and disable functions, ports, protocols, and services deemed to be unneeded or nonsecure.

Check Content

Verify that only needed ports are open on all running containers. If an ingress controller is configured for the cluster, this check is not applicable.

Via CLI: As a remote MKE admin, execute the following command using a client bundle:

docker ps -q | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}'

Review the list and ensure that the ports mapped are the ones really needed for the containers per the requirements set forth by the System Security Plan (SSP).

If ports are not documented and approved in the SSP, this is a finding.
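The check above leaves the comparison against the SSP to the reviewer. As an added example (not part of the STIG or of STIGhub), the following script performs that comparison automatically: it takes the JSON output of docker inspect for the running containers, collects each container's host-published port bindings, and reports any binding that is not on an allowlist. The allowlist SSP_APPROVED and the inspect sample are constructed for the example; a real run would use the organization's SSP and the live docker output.

```python
"""Audit published container ports against an SSP allowlist.

Input is the JSON array printed by:  docker inspect $(docker ps -q)
The sample data below is constructed for this example; SSP_APPROVED is a
hypothetical allowlist standing in for the System Security Plan.
"""
import json
import subprocess
from typing import Dict, List, Set

# Hypothetical SSP-approved host bindings, written as "<hostport>/<proto>".
SSP_APPROVED = {"443/tcp"}

# Constructed sample of `docker inspect` output, reduced to the fields used here.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaa111",
        "Name": "/web",
        "NetworkSettings": {"Ports": {
            "80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}],
            "443/tcp": [{"HostIp": "0.0.0.0", "HostPort": "443"}],
        }},
    },
    {
        "Id": "bbb222",
        "Name": "/db",
        "NetworkSettings": {"Ports": {
            "5432/tcp": None,   # exposed by the image but not published to the host
        }},
    },
])


def published_ports(container: dict) -> List[str]:
    """Return one container's host-side bindings as 'hostport/proto', sorted."""
    ports = container.get("NetworkSettings", {}).get("Ports") or {}
    result = []
    for container_port, bindings in ports.items():
        proto = container_port.split("/")[1]
        # A value of None means the port is exposed but not mapped to the host,
        # so it does not count as a "mapped" port for this check.
        for binding in bindings or []:
            result.append(f"{binding['HostPort']}/{proto}")
    return sorted(result)


def audit(inspect_json: str, approved: Set[str]) -> Dict[str, List[str]]:
    """Map container Id -> published bindings absent from the SSP allowlist.

    A non-empty result is a finding under this rule.
    """
    findings: Dict[str, List[str]] = {}
    for container in json.loads(inspect_json):
        unapproved = [p for p in published_ports(container) if p not in approved]
        if unapproved:
            findings[container["Id"]] = unapproved
    return findings


def audit_running_containers(approved: Set[str] = SSP_APPROVED) -> Dict[str, List[str]]:
    """Live variant: run the check's docker commands and audit the result."""
    ids = subprocess.run(["docker", "ps", "-q"], capture_output=True,
                         text=True, check=True).stdout.split()
    if not ids:
        return {}
    out = subprocess.run(["docker", "inspect", *ids], capture_output=True,
                         text=True, check=True).stdout
    return audit(out, approved)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for cid, ports in audit(SAMPLE_INSPECT, SSP_APPROVED).items():
        print(f"FINDING {cid}: unapproved published ports {ports}")
```

On the sample, container aaa111 is flagged for its 8080/tcp binding while 443/tcp passes, and bbb222 produces no finding because its 5432/tcp is exposed but never mapped to a host port. Run audit_running_containers() from a host holding the MKE client bundle to audit the live cluster.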

Fix Text

Configuring an ingress controller is the preferred method to manage external ports. If an ingress controller is not used and unnecessary ports are in use, the container or pod network configurations must be updated.

To update a pod's configuration, log in to the MKE UI as an administrator. 

Navigate to Kubernetes >> Pods and click the pod with an open port that is not allowed.

Click the three dots in the upper right corner (edit).

Modify the .yaml file to remove (or replace) the unauthorized port. Example (the container list key is "containers"):

spec:
  containers:
  - name: [pod name]
    ports:
    - containerPort: 80   # replace with 443

Click "Save".

For a Swarm service, navigate to Swarm >> Services and click on the service with the unauthorized port.

Click the three dots in the top left corner.

Select "Network" in the pop-up and remove the unauthorized port.

Click "Save".