계: Security Features

소프트웨어 보안은 보안 소프트웨어가 아닙니다. 여기서는 인증, 액세스 제어, 기밀성, 암호화, 권한 관리 등의 항목에 대해 설명합니다.

Kubernetes Misconfiguration: Improper Admission Controller Access Control

Abstract
Kubernetes API 서버가 승인 컨트롤러로 구성되지 않았습니다.
Explanation
승인 컨트롤러는 Kubernetes API 서버에 대한 요청을 검증하고 사용자 지정합니다. 권한이 부여되지 않은 특권 요청을 거부하고, 네임스페이스 격리를 적용하며, 과도한 리소스 요청을 제한하는 등의 보안 제어를 구현할 수 있습니다. 이 API 서버는 승인 컨트롤러가 없거나 더 이상 사용되지 않는 AlwaysAdmit 승인 컨트롤러가 활성화되었기 때문에 요청을 검증하지 않습니다.

예제 1: 다음 구성은 AlwaysAdmit 승인 컨트롤러를 사용하여 Kubernetes API 서버를 시작합니다.

...
kind: Pod
...
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --enable-admission-plugins=AlwaysAdmit,PodSecurityPolicy
    ...
References
[1] Kubernetes API Server The Kubernetes Authors
[2] Using Admission Controllers The Kubernetes Authors
[3] Standards Mapping - CIS Kubernetes Benchmark Recommendation 1.2.10
[4] Standards Mapping - Common Weakness Enumeration CWE ID 1188
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-003109
[6] Standards Mapping - FIPS200 CM
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P1), SA-4 Acquisition Process (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings, SA-4 Acquisition Process
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[13] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.5.3, Requirement 6.5.4, Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.5.3, Requirement 6.5.4, Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 2.3 - Secure Defaults
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 2.3 - Secure Defaults
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 2.3 - Secure Defaults
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3370 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3370 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3370 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3370 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3370 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15), Server Misconfiguration (WASC-14)
desc.structural.yaml.kubernetes_misconfiguration_improper_admission_controller_access_control