DISA STIG example configuration files

During the installation of a DISA STIG hardened cluster, Canonical Kubernetes provides default configuration files for cluster formation, control plane join and worker join that automatically apply the following DISA STIG recommendations.

Example control plane configuration files

/var/snap/k8s/common/etc/configurations/disa-stig/bootstrap.yaml is the configuration file for bootstrapping the first node of a cluster.

/var/snap/k8s/common/etc/configurations/disa-stig/control-plane.yaml is the control plane node join configuration file for joining additional control plane nodes.

Both of these configuration files apply settings to align with the following recommendations:

STIG                                     Summary
V-242384                                 The Kubernetes Scheduler must have secure binding
V-242385                                 The Kubernetes Controller Manager must have secure binding
V-242400                                 The Kubernetes API server must have Alpha APIs disabled
V-242402, V-242403, V-242461,            The Kubernetes API Server must have an audit log configured
V-242462, V-242463, V-242464, V-242465
V-242434                                 Kubernetes Kubelet must enable kernel protection
V-245541                                 Kubernetes Kubelet must not disable timeouts
V-254800                                 Kubernetes must have a Pod Security Admission control file configured

Example worker node join configuration file

/var/snap/k8s/common/etc/configurations/disa-stig/worker.yaml is the worker node join configuration file for joining worker nodes.

It applies settings to align with the following recommendations:

STIG                                     Summary
V-242434                                 Kubernetes Kubelet must enable kernel protection
V-245541                                 Kubernetes Kubelet must not disable timeouts
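The two tables above list which STIG items the control plane and worker files address, but not how to confirm a node actually carries the corresponding settings. The following added example (not Canonical's code, and not the contents of the bootstrap.yaml, control-plane.yaml or worker.yaml files) checks a set of component flags against those items for either node role. The input shape imitates the per-component argument maps (flag name to value) of a Canonical Kubernetes bootstrap or join file, which is an assumption about that format; the flag names are upstream Kubernetes component flags, and the mapping from each flag to a STIG ID is this example's own, with the seven audit-log items treated as one group because the page lists them together. All sample configurations and paths are constructed.

```python
"""Audit Kubernetes component flags against the DISA STIG items listed on this page.

Added example, not Canonical's code or files. Input: {component: {flag: value}},
mirroring the shape of a bootstrap/join file's per-component argument maps
(assumed format). Flag-to-STIG mapping is this example's assumption, based on
upstream Kubernetes component flags.
"""


def _loopback(v):
    # Secure binding: the scheduler/controller-manager should listen on loopback only.
    return v.strip() in ("127.0.0.1", "::1", "localhost")


def _alpha_off(v):
    # --feature-gates is a comma-separated list; AllAlpha=false disables alpha APIs.
    return any(g.strip() == "AllAlpha=false" for g in v.split(","))


def _set(v):
    return bool(v and v.strip())


def _true(v):
    return v.strip().lower() == "true"


def _nonzero_duration(v):
    # A Go duration such as 5m or 4h0m0s is zero only if every digit is 0,
    # and a zero idle timeout disables the timeout (the V-245541 finding).
    return any(c in "123456789" for c in v)


AUDIT_GROUP = "V-242402/V-242403/V-242461..V-242465"

# (STIG ID, component, flag, predicate on the flag's value)
CHECKS = [
    ("V-242384", "kube-scheduler", "--bind-address", _loopback),
    ("V-242385", "kube-controller-manager", "--bind-address", _loopback),
    ("V-242400", "kube-apiserver", "--feature-gates", _alpha_off),
    (AUDIT_GROUP, "kube-apiserver", "--audit-log-path", _set),
    (AUDIT_GROUP, "kube-apiserver", "--audit-policy-file", _set),
    (AUDIT_GROUP, "kube-apiserver", "--audit-log-maxage", _set),
    (AUDIT_GROUP, "kube-apiserver", "--audit-log-maxbackup", _set),
    (AUDIT_GROUP, "kube-apiserver", "--audit-log-maxsize", _set),
    ("V-242434", "kubelet", "--protect-kernel-defaults", _true),
    ("V-245541", "kubelet", "--streaming-connection-idle-timeout", _nonzero_duration),
    ("V-254800", "kube-apiserver", "--admission-control-config-file", _set),
]

# Worker nodes run only the kubelet, so only kubelet items apply to them.
WORKER_COMPONENTS = {"kubelet"}


def audit(args_by_component, role="control-plane"):
    """Return (results, failures).

    results maps each applicable STIG item to True/False (a grouped item is True
    only if every flag in the group passes); failures lists 'component flag=value'
    strings for flags that were missing or set to a non-compliant value.
    """
    results, failures = {}, []
    for stig, comp, flag, ok in CHECKS:
        if role == "worker" and comp not in WORKER_COMPONENTS:
            continue
        value = args_by_component.get(comp, {}).get(flag)
        passed = value is not None and ok(value)
        results[stig] = results.get(stig, True) and passed
        if not passed:
            failures.append(f"{comp} {flag}={value!r}")
    return results, failures


# Constructed sample: a control plane whose flags align with every listed item.
HARDENED_CONTROL_PLANE = {
    "kube-scheduler": {"--bind-address": "127.0.0.1"},
    "kube-controller-manager": {"--bind-address": "127.0.0.1"},
    "kube-apiserver": {
        "--feature-gates": "AllAlpha=false",
        "--audit-log-path": "/placeholder/audit.log",          # placeholder paths
        "--audit-policy-file": "/placeholder/audit-policy.yaml",
        "--audit-log-maxage": "30",
        "--audit-log-maxbackup": "10",
        "--audit-log-maxsize": "100",
        "--admission-control-config-file": "/placeholder/admission.yaml",
    },
    "kubelet": {
        "--protect-kernel-defaults": "true",
        "--streaming-connection-idle-timeout": "5m",
    },
}

# Constructed sample: a worker whose kubelet disables the streaming idle timeout.
WEAK_WORKER = {
    "kubelet": {
        "--protect-kernel-defaults": "true",
        "--streaming-connection-idle-timeout": "0",
    },
}

if __name__ == "__main__":
    for name, cfg, role in (("control plane", HARDENED_CONTROL_PLANE, "control-plane"),
                            ("worker", WEAK_WORKER, "worker")):
        results, failures = audit(cfg, role)
        print(f"{name}: {sum(results.values())}/{len(results)} items aligned")
        for f in failures:
            print("  finding:", f)
```

On a real node the values to feed into `audit` come from the arguments each component was actually started with, not from the YAML alone, since a join file only declares what the node should apply; reading those live arguments is deliberately left out of this example.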