MindPointGroup.kubernetes_stig

Kubernetes DISA STIG

How to set up a Kubernetes system to follow DISA STIG standards.

This is based on the Kubernetes DISA STIG Version 1, Release 8 from January 26, 2023


Need Help?

Lockdown Enterprise

Ansible Support

Join the Community

Connect with us on our Discord Server for questions, feature discussions, or just to chat with other Ansible-Lockdown users.


Important Notes

This tool will change the system settings, which could lead to unexpected results. It's not for auditing but is used to fix issues after an audit has been done.

Check mode is not supported! Although the role can run without errors in check mode, it's not recommended.

This role was created for a fresh Kubernetes installation. If you're using it on an existing system, please review the role for any necessary adjustments.

To use the stable version, refer to the main branch and the relevant release for your STIG benchmark.


Security Levels for STIG Compliance

You can run checks based on specific security levels in STIG using tags:

  • CAT1
  • CAT2
  • CAT3

The main control settings should also be set to true for the checks to run when launching the playbook.

Upgrading from a Previous Release

STIG updates often include changes, so it's best to review the new references and options available. There have been significant changes since the first version of ansible-lockdown.

This version is compatible with Python 3 if it is the default on your system, but it has some setup requirements.

For further details, check the Changelog.

No Auditing Tool Available (New)

This release currently does not include any auditing tools.

Documentation

Requirements

General:

Technical Dependencies:

  • Kubernetes 1.16.7 or newer - Older versions are not supported.
  • Ansible/Tower setup (this role was tested with Ansible version 2.9.1 and up).
  • Python 3 Ansible environment.
  • Python dependencies (included in RHEL/CentOS 7) will be set up by the first task. These include:
    • libselinux-python
    • python3-rpm (used by Python 3 for RPM packages)

Role Variables

This role is designed so users generally don’t need to edit the tasks. Customizations should be done through the defaults/main.yml file or with extra variables.

Tags

Various tags are available for precise control. Each control has tags indicating its level, whether it is scored, which OS element it targets, whether it is a patch or an audit task, and its rule number.

For example, if you set your run to skip controls tagged with "kernel," those tasks will not run. Conversely, you could choose to run only controls tagged with "kernel."

tags:
  - CNTR-K8-001620
  - CAT1
  - CCI-001084
  - SRG-APP-000233-CTR-000585
  - SV-242434r864009_rule
  - V-242434
  - kubelet
  - kernel
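
As an added example (not taken from the role's own documentation), a minimal playbook that applies the role and the tag selections described above. The inventory group name and the variable names enabling each CAT level are assumptions standing in for whatever defaults/main.yml actually defines; check that file for the real names.

```yaml
# site.yml (added example, not part of the role). Assumes the role was
# installed with: ansible-galaxy install MindPointGroup.kubernetes_stig
- name: Apply the Kubernetes DISA STIG baseline
  hosts: k8s_control_plane          # ASSUMED inventory group name
  become: true

  vars:
    # ASSUMED variable names: the README only says the main control
    # settings must be true for checks to run; the real names are in
    # defaults/main.yml of the role.
    kubernetes_stig_cat1_patch: true
    kubernetes_stig_cat2_patch: true
    kubernetes_stig_cat3_patch: false

  roles:
    - role: MindPointGroup.kubernetes_stig

# Check mode is not supported, so preview what would run by listing
# instead of dry-running:
#   ansible-playbook -i inventory site.yml --list-tags
#   ansible-playbook -i inventory site.yml --tags CAT1 --list-tasks
#
# Run only CAT1 controls, skipping everything tagged kernel:
#   ansible-playbook -i inventory site.yml --tags CAT1 --skip-tags kernel
#
# Run a single control by its STIG rule tag:
#   ansible-playbook -i inventory site.yml --tags V-242434
```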

Community Contributions

We welcome community contributions to this role. Please follow these guidelines:

  • Work on your own individual branch. Ensure all commits are signed-off and GPG signed before merging.
  • Community Pull Requests go into the development branch.
  • Pull Requests into development must have GPG signatures and pass a functional test before approval.
  • Once approved, contributions will be merged into the main branch for a new release after a more detailed review.

Pipeline Testing

Uses:

  • ansible-core 2.12
  • Ansible collections pull in the latest version based on the requirements file.
  • Runs audits using the development branch.
  • This is an automated test that occurs on pull requests to the development branch.
Project information

Ansible role to apply Kubernetes STIG benchmark

Install

ansible-galaxy install MindPointGroup.kubernetes_stig

License

mit

Downloads

55.8k

Owner

Ansible Lockdown is a security baseline automation project sponsored by Mindpoint Group.