Ensure that the --make-iptables-util-chains argument is set to true (Kubelet)

Allow Kubelet to manage iptables. Kubelets can automatically manage the required changes to iptables based on the networking options you choose for the pods. It is recommended to let kubelets manage the changes to iptables, so that the iptables configuration stays in sync with the pod networking configuration. Manually maintaining iptables against dynamic pod network configuration changes can break communication between pods/containers and with the outside world, leaving iptables rules that are either too restrictive or too open.

Risk Level: Medium
Cloud Entity: Node
CloudGuard Rule ID: D9.K8S.NET.04
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

KubernetesNode where not kubeletData isEmpty() should have kubeletData.kubeletconfig.makeIPTablesUtilChains= 'true'

REMEDIATION

  • If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true.

  • If using command line arguments, edit the kubelet service file
    $kubeletsvc on each worker node and
    remove the --make-iptables-util-chains argument from the
    KUBELET_SYSTEM_PODS_ARGS variable.
    Based on your system, restart the kubelet service. For example:
    systemctl daemon-reload
    systemctl restart kubelet.service

  • If using the api configz endpoint, consider checking the status of
    makeIPTablesUtilChains by extracting the live configuration from the nodes running
    kubelet.
    See detailed step-by-step configmap procedures in
    https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/
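The following is an added example, not CloudGuard's own implementation of the GSL logic above nor code from the Kubernetes project. It mirrors the rule (the node passes only when the live kubeletconfig.makeIPTablesUtilChains value is true) against a /configz document, and additionally inspects the kubelet command line so an operator can tell which remediation bullet applies: an explicit --make-iptables-util-chains=false flag (remove it from the service file) or a value that comes from the config file (set makeIPTablesUtilChains: true there). The sample /configz responses and the kubelet command line are constructed for this example; the function names are assumptions.

```python
"""Evaluate the kubelet makeIPTablesUtilChains setting from a /configz
document and from the kubelet command line.

Hypothetical helper written for this page; not CloudGuard's implementation.
"""
import json
import shlex

CONFIG_KEY = "makeIPTablesUtilChains"      # KubeletConfiguration field name
FLAG = "--make-iptables-util-chains"       # command-line equivalent of the field

# strconv.ParseBool spellings accepted by kubelet boolean flags
_TRUE = ("1", "t", "true")
_FALSE = ("0", "f", "false")


def flag_setting(cmdline: str):
    """Return True/False if the kubelet command line sets the flag, else None.

    A bare --make-iptables-util-chains means true; otherwise the value must be
    attached with '=' (a following token is never consumed as the value).
    The last occurrence wins, as with the kubelet's own flag parsing.
    """
    value = None
    for arg in shlex.split(cmdline):
        if arg == FLAG:
            value = True
        elif arg.startswith(FLAG + "="):
            raw = arg.split("=", 1)[1].strip().lower()
            if raw in _TRUE:
                value = True
            elif raw in _FALSE:
                value = False
            else:
                raise ValueError(f"invalid boolean value for {FLAG}: {raw!r}")
    return value


def configz_setting(configz: dict):
    """Return the live value reported under kubeletconfig, or None if absent.

    /configz reflects the merged configuration (config file plus flag
    overrides), so it is the authoritative answer for a running node.
    """
    return configz.get("kubeletconfig", {}).get(CONFIG_KEY)


def evaluate_node(configz: dict, cmdline: str = "") -> dict:
    """Apply the rule: PASS only when the live setting is exactly true.

    The command line is reported alongside so the finding points at the
    right remediation: a failing value that is set by an explicit flag is
    fixed in the service file; otherwise it is fixed in the config file.
    """
    live = configz_setting(configz)
    flag = flag_setting(cmdline)
    if live is True:
        status = "PASS"
    elif live is None:
        status = "UNKNOWN"   # /configz did not report the field
    else:
        status = "FAIL"
    source = "flag" if flag is not None else "config file or default"
    return {"status": status, "live": live, "flag": flag, "source": source}


# Constructed sample /configz responses, trimmed to the relevant fields.
COMPLIANT_CONFIGZ = json.loads(
    '{"kubeletconfig": {"makeIPTablesUtilChains": true, "port": 10250}}')
NONCOMPLIANT_CONFIGZ = json.loads(
    '{"kubeletconfig": {"makeIPTablesUtilChains": false, "port": 10250}}')

# Constructed kubelet command lines as they might appear in a service file.
GOOD_CMDLINE = "/usr/bin/kubelet --config=/var/lib/kubelet/config.yaml"
BAD_CMDLINE = GOOD_CMDLINE + " --make-iptables-util-chains=false"

if __name__ == "__main__":
    print(evaluate_node(COMPLIANT_CONFIGZ, GOOD_CMDLINE))
    print(evaluate_node(NONCOMPLIANT_CONFIGZ, BAD_CMDLINE))
```

On a live cluster the configz document for a node can be retrieved with `kubectl get --raw "/api/v1/nodes/<node-name>/proxy/configz"` and passed to `evaluate_node` after `json.loads`; the kubelet command line is visible in the unit's ExecStart or the running process arguments on the worker node.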

References

  1. https://kubernetes.io/docs/admin/kubelet/
  2. https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/ (EKS)

Node

A node is a worker machine in Kubernetes, previously known as a minion. A node may be a VM or physical machine, depending on the cluster. Each node contains the services necessary to run pods and is managed by the master components. The services on a node include the container runtime, kubelet and kube-proxy.

Compliance Frameworks

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.3.0
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.4.0
  • CIS Kubernetes Benchmark v1.20
  • CIS Kubernetes Benchmark v1.23
  • CIS Kubernetes Benchmark v1.24
  • CIS Kubernetes Benchmark v1.4.0
  • CIS Kubernetes Benchmark v1.5.1
  • CIS Kubernetes Benchmark v1.6.1
  • CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.3.0
  • CIS OpenShift Container Platform v4 Benchmark v1.1.0
  • CIS OpenShift Container Platform v4 Benchmark v1.4.0
  • Kubernetes NIST.SP.800-190
  • Kubernetes v.1.13 CloudGuard Best Practices
  • Kubernetes v.1.14 CloudGuard Best Practices
  • OpenShift Container Platform v3