Reino: Security Features
Segurança de software não é o mesmo que software de segurança. Aqui, estamos interessados em tópicos como autenticação, controle de acesso, confidencialidade, criptografia e gestão de privilégios.
Kubernetes Misconfiguration: Improper Admission Controller Access Control
Abstract
Um servidor de API do Kubernetes não está configurado com nenhum controlador de admissão.
Explanation
Os controladores de admissão validam e personalizam solicitações para um servidor de API do Kubernetes. Eles podem implementar controles de segurança, como rejeição de solicitações com privilégios não autorizados, aplicação de isolamento de namespace, limitação de solicitações excessivas de recursos e muito mais. O servidor API não valida solicitações porque não há controlador de admissão ou o controlador de admissão
Exemplo 1: A configuração a seguir inicia um servidor da API Kubernetes com o controlador de admissão
AlwaysAdmit está habilitado.Exemplo 1: A configuração a seguir inicia um servidor da API Kubernetes com o controlador de admissão
AlwaysAdmit.
...
kind: Pod
...
spec:
containers:
- command:
- kube-apiserver
...
- --enable-admission-plugins=AlwaysAdmit,PodSecurityPolicy
...
References
[1] Kubernetes API Server The Kubernetes Authors
[2] Using Admission Controllers The Kubernetes Authors
[3] Standards Mapping - CIS Kubernetes Benchmark Recommendation 1.2.10
[4] Standards Mapping - Common Weakness Enumeration CWE ID 1188
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-003109
[6] Standards Mapping - FIPS200 CM
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P1), SA-4 Acquisition Process (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings, SA-4 Acquisition Process
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[13] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.5.3, Requirement 6.5.4, Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.5.3, Requirement 6.5.4, Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 2.3 - Secure Defaults
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 2.3 - Secure Defaults
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 2.3 - Secure Defaults
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3370 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3370 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3370 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3370 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3370 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15), Server Misconfiguration (WASC-14)
desc.structural.yaml.kubernetes_misconfiguration_improper_admission_controller_access_control