STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

Kubernetes Security Technical Implementation Guide

Version: V2R6

Benchmark ID: Kubernetes_STIG

Total Checks: 92

Tags: container

Severity breakdown: CAT I: 18, CAT II: 74, CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (92)

  • V-242376 (MEDIUM): The Kubernetes Controller Manager must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
  • V-242377 (MEDIUM): The Kubernetes Scheduler must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
  • V-242378 (MEDIUM): The Kubernetes API Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
  • V-242379 (MEDIUM): The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.
  • V-242380 (MEDIUM): The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.
  • V-242381 (HIGH): The Kubernetes Controller Manager must create unique service accounts for each work payload.
  • V-242382 (MEDIUM): The Kubernetes API Server must enable Node,RBAC as the authorization mode.
  • V-242383 (HIGH): User-managed resources must be created in dedicated namespaces.
  • V-242384 (MEDIUM): The Kubernetes Scheduler must have secure binding.
  • V-242385 (MEDIUM): The Kubernetes Controller Manager must have secure binding.
  • V-242387 (HIGH): The Kubernetes Kubelet must have the "readOnlyPort" flag disabled.
  • V-242389 (MEDIUM): The Kubernetes API server must have the secure port set.
  • V-242390 (HIGH): The Kubernetes API server must have anonymous authentication disabled.
  • V-242391 (HIGH): The Kubernetes Kubelet must have anonymous authentication disabled.
  • V-242392 (HIGH): The Kubernetes kubelet must enable explicit authorization.
  • V-242393 (MEDIUM): Kubernetes Worker Nodes must not have sshd service running.
  • V-242394 (MEDIUM): Kubernetes Worker Nodes must not have the sshd service enabled.
  • V-242395 (MEDIUM): Kubernetes dashboard must not be enabled.
  • V-242396 (MEDIUM): Kubernetes Kubectl cp command must give expected access and results.
  • V-242397 (HIGH): The Kubernetes kubelet staticPodPath must not enable static pods.
  • V-242398 (MEDIUM): Kubernetes DynamicAuditing must not be enabled.
  • V-242399 (MEDIUM): Kubernetes DynamicKubeletConfig must not be enabled.
  • V-242400 (MEDIUM): The Kubernetes API server must have Alpha APIs disabled.
  • V-242402 (MEDIUM): The Kubernetes API Server must have an audit log path set.
  • V-242403 (MEDIUM): Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event.
  • V-242404 (MEDIUM): Kubernetes Kubelet must deny hostname override.
  • V-242405 (MEDIUM): The Kubernetes manifests must be owned by root.
  • V-242406 (MEDIUM): The Kubernetes KubeletConfiguration file must be owned by root.
  • V-242407 (MEDIUM): The Kubernetes KubeletConfiguration files must have file permissions set to 644 or more restrictive.
  • V-242408 (MEDIUM): The Kubernetes manifest files must have least privileges.
  • V-242409 (MEDIUM): Kubernetes Controller Manager must disable profiling.
  • V-242410 (MEDIUM): The Kubernetes API Server must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
  • V-242411 (MEDIUM): The Kubernetes Scheduler must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
  • V-242412 (MEDIUM): The Kubernetes Controllers must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
  • V-242413 (MEDIUM): The Kubernetes etcd must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
  • V-242414 (MEDIUM): The Kubernetes cluster must use non-privileged host ports for user pods.
  • V-242415 (HIGH): Secrets in Kubernetes must not be stored as environment variables.
  • V-242417 (MEDIUM): Kubernetes must separate user functionality.
  • V-242418 (MEDIUM): The Kubernetes API server must use approved cipher suites.
  • V-242419 (MEDIUM): Kubernetes API Server must have the SSL Certificate Authority set.
  • V-242420 (MEDIUM): Kubernetes Kubelet must have the SSL Certificate Authority set.
  • V-242421 (MEDIUM): Kubernetes Controller Manager must have the SSL Certificate Authority set.
  • V-242422 (MEDIUM): Kubernetes API Server must have a certificate for communication.
  • V-242423 (MEDIUM): Kubernetes etcd must enable client authentication to secure service.
  • V-242424 (MEDIUM): Kubernetes Kubelet must enable tlsPrivateKeyFile for client authentication to secure service.
  • V-242425 (MEDIUM): Kubernetes Kubelet must enable tlsCertFile for client authentication to secure service.
  • V-242426 (MEDIUM): Kubernetes etcd must enable client authentication to secure service.
  • V-242427 (MEDIUM): Kubernetes etcd must have a key file for secure communication.
  • V-242428 (MEDIUM): Kubernetes etcd must have a certificate for communication.
  • V-242429 (MEDIUM): Kubernetes etcd must have the SSL Certificate Authority set.
  • V-242430 (MEDIUM): Kubernetes etcd must have a certificate for communication.
  • V-242431 (MEDIUM): Kubernetes etcd must have a key file for secure communication.
  • V-242432 (MEDIUM): Kubernetes etcd must have peer-cert-file set for secure communication.
  • V-242433 (MEDIUM): Kubernetes etcd must have a peer-key-file set for secure communication.
  • V-242434 (HIGH): Kubernetes Kubelet must enable kernel protection.
  • V-242436 (HIGH): The Kubernetes API server must have the ValidatingAdmissionWebhook enabled.
  • V-242437 (HIGH): Kubernetes must have a pod security policy set.
  • V-242438 (MEDIUM): Kubernetes API Server must configure timeouts to limit attack surface.
  • V-242442 (MEDIUM): Kubernetes must remove old components after updated versions have been installed.
  • V-242443 (MEDIUM): Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs.
  • V-242444 (MEDIUM): The Kubernetes component manifests must be owned by root.
  • V-242445 (MEDIUM): The Kubernetes component etcd must be owned by etcd.
  • V-242446 (MEDIUM): The Kubernetes conf files must be owned by root.
  • V-242447 (MEDIUM): The Kubernetes Kube Proxy kubeconfig must have file permissions set to 644 or more restrictive.
  • V-242448 (MEDIUM): The Kubernetes Kube Proxy kubeconfig must be owned by root.
  • V-242449 (MEDIUM): The Kubernetes Kubelet certificate authority file must have file permissions set to 644 or more restrictive.
  • V-242450 (MEDIUM): The Kubernetes Kubelet certificate authority must be owned by root.
  • V-242451 (MEDIUM): The Kubernetes component PKI must be owned by root.
  • V-242452 (MEDIUM): The Kubernetes kubelet KubeConfig must have file permissions set to 644 or more restrictive.
  • V-242453 (MEDIUM): The Kubernetes kubelet KubeConfig file must be owned by root.
  • V-242454 (MEDIUM): The Kubernetes kubeadm.conf must be owned by root.
  • V-242455 (MEDIUM): The Kubernetes kubeadm.conf must have file permissions set to 644 or more restrictive.
  • V-242456 (MEDIUM): The Kubernetes kubelet config must have file permissions set to 644 or more restrictive.
  • V-242457 (MEDIUM): The Kubernetes kubelet config must be owned by root.
  • V-242459 (MEDIUM): The Kubernetes etcd must have file permissions set to 644 or more restrictive.
  • V-242460 (MEDIUM): The Kubernetes admin kubeconfig must have file permissions set to 644 or more restrictive.
  • V-242461 (MEDIUM): Kubernetes API Server audit logs must be enabled.
  • V-242462 (MEDIUM): The Kubernetes API Server must be set to audit log max size.
  • V-242463 (MEDIUM): The Kubernetes API Server must be set to audit log maximum backup.
  • V-242464 (MEDIUM): The Kubernetes API Server audit log retention must be set.
  • V-242465 (MEDIUM): The Kubernetes API Server audit log path must be set.
  • V-242466 (MEDIUM): The Kubernetes PKI CRT must have file permissions set to 644 or more restrictive.
  • V-242467 (MEDIUM): The Kubernetes PKI keys must have file permissions set to 600 or more restrictive.
  • V-245541 (MEDIUM): Kubernetes Kubelet must not disable timeouts.
  • V-245542 (HIGH): Kubernetes API Server must disable basic authentication to protect information in transit.
  • V-245543 (HIGH): Kubernetes API Server must disable token authentication to protect information in transit.
  • V-245544 (HIGH): Kubernetes endpoints must use approved organizational certificate and key pair to protect information in transit.
  • V-254800 (HIGH): Kubernetes must have a Pod Security Admission control file configured.
  • V-254801 (HIGH): Kubernetes must enable PodSecurity admission controller on static pods and Kubelets.
  • V-274882 (HIGH): Kubernetes Secrets must be encrypted at rest.
  • V-274883 (HIGH): Sensitive information must be stored using Kubernetes Secrets or an external Secret store provider.
  • V-274884 (MEDIUM): Kubernetes must limit Secret access on a need-to-know basis.