
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

Mirantis Kubernetes Engine Security Technical Implementation Guide

Version

V2R1

Benchmark ID

Mirantis_Kubernetes_Engine_STIG

Total Checks

44

Tags

container
Severity counts: CAT I: 3, CAT II: 40, CAT III: 1

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (44)

  • V-260903 (MEDIUM): The Lifetime Minutes and Renewal Threshold Minutes Login Session Controls on MKE must be set.
  • V-260904 (MEDIUM): In an MSR organization, user permissions and repositories must be configured.
  • V-260905 (MEDIUM): User-managed resources must be created in dedicated namespaces.
  • V-260906 (HIGH): Least privilege access and need to know must be required to access MKE runtime and instantiate container images.
  • V-260907 (HIGH): Only required ports must be open on containers in MKE.
  • V-260908 (HIGH): FIPS mode must be enabled.
  • V-260909 (MEDIUM): MKE must be configured to integrate with an Enterprise Identity Provider.
  • V-260910 (MEDIUM): SSH must not run within Linux containers.
  • V-260911 (MEDIUM): Swarm Secrets or Kubernetes Secrets must be used.
  • V-260912 (MEDIUM): MKE must have Grants created to control authorization to cluster resources.
  • V-260913 (MEDIUM): MKE host network namespace must not be shared.
  • V-260914 (MEDIUM): Audit logging must be enabled on MKE.
  • V-260915 (MEDIUM): MKE must be configured to send audit data to a centralized log server.
  • V-260916 (MEDIUM): MSR's self-signed certificates must be replaced with DOD trusted, signed certificates.
  • V-260917 (MEDIUM): Allowing users and administrators to schedule containers on all nodes must be disabled.
  • V-260918 (MEDIUM): MKE telemetry must be disabled.
  • V-260919 (MEDIUM): MSR telemetry must be disabled.
  • V-260920 (MEDIUM): For MKE's deployed on an Ubuntu host operating system, the AppArmor profile must be enabled.
  • V-260921 (MEDIUM): If MKE is deployed on a Red Hat or CentOS system, SELinux security must be enabled.
  • V-260922 (MEDIUM): The Docker socket must not be mounted inside any containers.
  • V-260923 (MEDIUM): Linux Kernel capabilities must be restricted within containers.
  • V-260924 (MEDIUM): Incoming container traffic must be bound to a specific host interface.
  • V-260925 (MEDIUM): CPU priority must be set appropriately on all containers.
  • V-260926 (MEDIUM): MKE must use a non-AUFS storage driver.
  • V-260927 (MEDIUM): MKE's self-signed certificates must be replaced with DOD trusted, signed certificates.
  • V-260928 (MEDIUM): The "Create repository on push" option in MSR must be disabled.
  • V-260929 (MEDIUM): Containers must not map to privileged ports.
  • V-260930 (MEDIUM): MKE must not permit users to create pods that share host process namespace.
  • V-260931 (MEDIUM): IPSec network encryption must be configured.
  • V-260932 (MEDIUM): MKE must preserve any information necessary to determine the cause of the disruption or failure.
  • V-260933 (MEDIUM): MKE must enable kernel protection.
  • V-260934 (MEDIUM): All containers must be restricted from acquiring additional privileges.
  • V-260935 (MEDIUM): Host IPC namespace must not be shared.
  • V-260936 (MEDIUM): All containers must be restricted to mounting the root filesystem as read only.
  • V-260937 (MEDIUM): The default seccomp profile must not be disabled.
  • V-260938 (MEDIUM): Docker CLI commands must be run with an MKE client trust bundle and without unnecessary permissions.
  • V-260939 (MEDIUM): MKE users must not have permissions to create containers or pods that share the host user namespace.
  • V-260940 (MEDIUM): Use of privileged Linux containers must be limited to system containers.
  • V-260941 (MEDIUM): The network ports on all running containers must be limited to required ports.
  • V-260942 (MEDIUM): MKE must only run signed images.
  • V-260943 (MEDIUM): Vulnerability scanning must be enabled for all repositories in MSR.
  • V-260944 (MEDIUM): Older Universal Control Plane (MKE) and Docker Trusted Registry (DTR) images must be removed from all cluster nodes upon upgrading.
  • V-260945 (MEDIUM): MKE must contain the latest updates.
  • V-260946 (LOW): MKE must display the Standard Mandatory DOD Notice and Consent Banner before granting access to platform components.