1464 个项目已找到

弱点

Kubernetes Misconfiguration: Missing Kubelet Authorization

YAML

Abstract

Kubelet 不需要任何请求授权。

Explanation

Kubelet 使用 AlwaysAllow 模式或 Webhook 模式授权请求。未指定授权模式时默认使用 AlwaysAllow。在 AlwaysAllow 模式下，Kubelet 不执行任何授权检查，因为该模式允许所有请求。由于 Kubelets 是管理工作程序计算机工作负载的 Kubernetes 主要代理，攻击者可以使用不受控制的请求来访问保护不充分和安全敏感的服务 API。

示例 1：Kubelet 不执行任何授权检查，因为授权模式设置为 AlwaysAllow。


apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authorization:
  mode: AlwaysAllow

References

[1] Set Kubelet parameters via a config file The Kubernetes Authors

[2] Kubelet Options The Kubernetes Authors

[3] Standards Mapping - CIS Kubernetes Benchmark Recommendation 4.2.2

[4] Standards Mapping - Common Weakness Enumeration CWE ID 285

[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862

[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862

[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-002165

[9] Standards Mapping - FIPS200 CM

[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-8 Identification and Authentication (Non-Organizational Users)

[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)

[15] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[16] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[17] Standards Mapping - OWASP Top 10 2007 A10 Failure to Restrict URL Access

[18] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[19] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[20] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[21] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 7.2

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.10, Requirement 7.2

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 7.2

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8, Requirement 7.2

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8, Requirement 7.2

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8, Requirement 7.2

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8, Requirement 7.2

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.2

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[34] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[35] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285

[36] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 862

[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.2 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.2 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.2 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.2 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.2 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.2 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.2 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[59] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[60] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[61] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.yaml.kubernetes_misconfiguration_missing_kubelet_authorization.base

Kubernetes Misconfiguration: Missing Kubelet Certificate Authentication

YAML

Abstract

未定义对 Kubelet 的 HTTPS 端点的 X509 客户端证书身份验证。

Explanation

Kubelet 可以对客户端进行身份验证，但用于验证客户端证书的证书颁发机构 (CA) 捆绑包未在 Kubelet 配置中定义。由于 Kubelets 是用于管理工作程序计算机工作负载的 Kubernetes 主要代理，攻击者可以使用匿名请求来访问保护不充分和安全敏感的服务 API。

示例 1：以下 Kubelet 配置不包含用来指定用于验证客户端证书的 CA 捆绑包的 clientCAFile 字段。


apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration

References

[1] Set Kubelet parameters via a config file The Kubernetes Authors

[2] Kubelet The Kubernetes Authors

[3] Standards Mapping - CIS Kubernetes Benchmark Recommendation 4.2.3

[4] Standards Mapping - Common Weakness Enumeration CWE ID 285

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-002165

[6] Standards Mapping - FIPS200 IA

[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-8 Identification and Authentication (Non-Organizational Users)

[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)

[12] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[13] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management

[14] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[15] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management

[16] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management

[17] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication

[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3, Requirement 7.2

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7, Requirement 7.2

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 7.2

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10, Requirement 7.2

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10, Requirement 7.2

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10, Requirement 7.2

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10, Requirement 7.2

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 4.2.1

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 4.2.1

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[31] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[32] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285

[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.2 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.2 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.2 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.2 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.2 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.2 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.2 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II

[56] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)

[57] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication

desc.structural.yaml.kubernetes_misconfiguration_missing_kubelet_certificate_authentication

Kubernetes Misconfiguration: Missing Kubelet Client Certificate

YAML

Abstract

Kubernetes API 服务器不会向 Kubelet 的 HTTPS 端点进行自我身份验证。

Explanation

默认情况下，Kubernetes API 服务器在提交请求时不会向 Kubelets 进行自我身份验证。允许访问各种资源的 Kubelets 无法验证这些请求的真实性。

示例 1：以下命令将启动 Kubernetes API 服务器，但未使用 --kubelet-client-certificate 标记和 --kubelet-client-key 标记分别指定客户端证书和相应的私钥，以启用对 Kubelets 的基于证书的身份验证。


...
spec:
  containers:
  - command:
    - kube-apiserver
    - --audit-log-maxage=50
    - --audit-log-maxbackup=20
    - --audit-log-maxsize=200
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    ...

References

[1] Kubernetes API Server The Kubernetes Authors

[2] Kubelet authentication/authorization The Kubernetes Authors

[3] Standards Mapping - CIS Kubernetes Benchmark Recommendation 1.2.4

[4] Standards Mapping - Common Weakness Enumeration CWE ID 284

[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862

[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862

[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[9] Standards Mapping - FIPS200 AC

[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), SC-3 Security Function Isolation (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, SC-3 Security Function Isolation

[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.2 Access Control Architectural Requirements (L2 L3), 1.4.4 Access Control Architectural Requirements (L2 L3)

[15] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[16] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[19] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[20] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[21] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[34] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[35] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285

[36] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 676

[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[59] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[60] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[61] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.yaml.kubernetes_misconfiguration_missing_kubelet_client_certificate

Kubernetes Misconfiguration: Missing Kubelet Identity Verification

YAML

Abstract

当 Kubernetes API 服务器建立 SSL 连接时，Kubelets 的服务器身份验证将被禁用。

Explanation

Kubernetes API 服务器向 Kubelet 发送指令以创建工作负载、查询 Kubelet 托管资源的状态，并为 Kubelet 提供可选的端口转发服务。默认情况下，API 服务器在建立连接之前不会验证 Kubelet 的服务证书。因此，此连接易受到中间人攻击。

示例 1：以下命令将启动 Kubernetes API 服务器，但未指定根证书捆绑包以使用 --kubelet-certificate-authority 标记验证 Kubelet 的服务证书。


...
spec:
  containers:
  - command:
    - kube-apiserver
    - --audit-log-maxage=50
    - --audit-log-maxbackup=20
    - --audit-log-maxsize=200
  image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    ...

References

[1] Kubernetes API Server The Kubernetes Authors

[2] Control Plane-Node Communication The Kubernetes Authors

[3] Standards Mapping - CIS Kubernetes Benchmark Recommendation 1.2.5

[4] Standards Mapping - Common Weakness Enumeration CWE ID 297

[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [25] CWE ID 295

[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287

[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798

[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287, [15] CWE ID 798

[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287

[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000185, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422

[11] Standards Mapping - FIPS200 CM, SC

[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), IA-5 Authenticator Management (P1), SC-8 Transmission Confidentiality and Integrity (P1)

[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), IA-5 Authenticator Management, SC-8 Transmission Confidentiality and Integrity

[15] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[17] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[18] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management

[19] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[20] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection

[21] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure

[22] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[23] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications

[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)

[60] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.structural.yaml.kubernetes_misconfiguration_missing_kubelet_identity_verification.base

Kubernetes Misconfiguration: Missing Node Authorization

YAML

Abstract

Kubernetes API 服务器不使用 Node 模式来对 Kubelets 发出的请求进行授权。

Explanation

Kubernetes API 服务器可以使用多个授权模式之一来授权请求。Node 授权是一种特殊用途的授权模式，专门对 Kubelets 发出的 API 请求进行授权。这可确保 Kubelets 拥有正确操作所需的一组最低权限。

示例 1：以下配置在不使用 Node 授权模式的情况下启动 Kubernetes API 服务器。


...
kind: Pod
...
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --authorization-mode=RBAC,Webhook
    ...

References

[1] Kubernetes API Server The Kubernetes Authors

[2] Kubernetes Authorization Overview The Kubernetes Authors

[3] Standards Mapping - CIS Kubernetes Benchmark Recommendation 1.2.7

[4] Standards Mapping - Common Weakness Enumeration CWE ID 250

[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [22] CWE ID 269

[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381, CCI-002233, CCI-002235

[8] Standards Mapping - FIPS200 AC

[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-7 Least Functionality (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-7 Least Functionality

[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.3 Access Control Architectural Requirements (L2 L3)

[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[15] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[16] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[32] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[33] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285

[34] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 250

[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[58] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[59] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.yaml.kubernetes_misconfiguration_missing_node_authorization.base

Kubernetes Misconfiguration: Missing NodeRestriction Admission Controller

YAML

Abstract

用于启动 Kubernetes API 服务器的命令不会启用 NodeRestriction 准入控制器。

Explanation

始终启用 Kubernetes API 服务器的 NodeRestriction 准入控制器。NodeRestriction 准入控制器限制每个 Kubelet 修改其 Node 和 Pod 对象，且拒绝对敏感系统对象的访问。这可以防止任何受损节点获取 Kubernetes 群集的其他节点上的权限。

示例 1：以下 Pod 定义启动了未启用 NodeRestriction 准入控制器的 Kubernetes API 服务器。


apiVersion: v1
kind: Pod
...
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --enable-admission-plugins=PodSecurityPolicy
    ...

References

[1] Kubernetes API Server The Kubernetes Authors

[2] Using Admission Controllers The Kubernetes Authors

[3] Standards Mapping - CIS Kubernetes Benchmark Recommendation 1.2.15

[4] Standards Mapping - Common Weakness Enumeration CWE ID 285

[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862

[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[8] Standards Mapping - FIPS200 AC, SC

[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), SC-3 Security Function Isolation (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, SC-3 Security Function Isolation

[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)

[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[15] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[16] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2013 A7 Missing Function Level Access Control

[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2, Requirement 7.2

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.5, Requirement 6.5.10, Requirement 7.2

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 7.2

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8, Requirement 7.2

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8, Requirement 7.2

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8, Requirement 7.2

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8, Requirement 7.2

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.2

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[32] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[33] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285

[34] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863

[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3470.1 CAT II, APP3470.4 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3470.1 CAT II, APP3470.4 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3470.1 CAT II, APP3470.4 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3470.1 CAT II, APP3470.4 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3470.1 CAT II, APP3470.4 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3470.1 CAT II, APP3470.4 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3470.1 CAT II, APP3470.4 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[58] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)

[59] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication

desc.structural.yaml.kubernetes_misconfiguration_missing_noderestriction_admission_controller.base

Kubernetes Misconfiguration: Missing PodSecurityPolicy Admission Controller

YAML

Abstract

用于启动 Kubernetes API 服务器的命令不会启用 PodSecurityPolicy 准入控制器。

Explanation

缺少 PodSecurityPolicy 准入控制器表明安全控制较弱，除非 Kubernetes 有 K-Rail、Kyverno、OPA/Gatekeeper 等替代策略执行工具。PodSecurityPolicy 准入控制器强制执行 Pod 安全策略，这些策略用于指定群集中允许的安全相关 Pod 属性。例如，通过使用 PodSecurityPolicy，您可以在创建 Pod 时默认禁止特权容器并禁止特权提升。

示例 1：以下 Pod 定义启动了未启用 PodSecurityPolicy 准入控制器的 Kubernetes API 服务器。


apiVersion: v1
kind: Pod
...
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --enable-admission-plugins=NodeRestriction
    ...

References

[1] Kubernetes API Server The Kubernetes Authors

[2] Using Admission Controllers The Kubernetes Authors

[3] Pod Security Policies The Kubernetes Authors

[4] Standards Mapping - CIS Kubernetes Benchmark Recommendation 1.2.12

[5] Standards Mapping - Common Weakness Enumeration CWE ID 285

[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862

[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[9] Standards Mapping - FIPS200 AC, SC

[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), SC-3 Security Function Isolation (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, SC-3 Security Function Isolation

[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[15] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[16] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2013 A7 Missing Function Level Access Control

[19] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[20] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2, Requirement 7.2

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.5, Requirement 6.5.10, Requirement 7.2

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 7.2

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8, Requirement 7.2

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8, Requirement 7.2

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8, Requirement 7.2

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8, Requirement 7.2

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.2

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[33] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285

[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863

[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3470.1 CAT II, APP3470.4 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3470.1 CAT II, APP3470.4 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3470.1 CAT II, APP3470.4 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3470.1 CAT II, APP3470.4 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3470.1 CAT II, APP3470.4 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3470.1 CAT II, APP3470.4 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3470.1 CAT II, APP3470.4 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)

[60] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication

desc.structural.yaml.kubernetes_misconfiguration_missing_podsecuritypolicy_admission_controller.base

Kubernetes Misconfiguration: Missing RBAC Authorization

YAML

Abstract

Kubernetes API 服务器不使用基于角色的访问控制 (RBAC)。

Explanation

Kubernetes API 服务器可以使用多个授权模式之一来授权请求。基于角色的访问控制 (RBAC) 根据组织内个人用户的角色控制对计算机或网络资源的访问。RBAC 是最安全的授权模式。

示例 1：以下配置在不使用 RBAC 授权模式的情况下启动 Kubernetes API 服务器。


...
kind: Pod
...
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --authorization-mode=Node,Webhook
    ...

References

[1] Kubernetes API Server The Kubernetes Authors

[2] Kubernetes Authorization Overview The Kubernetes Authors

[3] Standards Mapping - CIS Kubernetes Benchmark Recommendation 1.2.8