NSA & CISA Kubernetes Hardening Guide Version 1.2 — Disentangled

Sheraz Nadeem
4 min read · Dec 1, 2022


Kubernetes is an open-source system that automates the deployment, scaling, and administration of containerized applications. It is frequently hosted in the cloud. Compared with traditional, monolithic software platforms, this sort of virtualized infrastructure can offer various flexibility and security benefits. Securely managing everything from microservices to the underlying infrastructure, on the other hand, presents new complications. Supply chain risks, hostile threat actors, and insider threats are three frequent causes of compromise in Kubernetes.

The NSA and CISA have published “Kubernetes Hardening Guidance,” which describes vulnerabilities in Kubernetes configurations and gives secure configuration guidance to reduce risk.

The NSA and CISA released version 1.2 of the Kubernetes Hardening Guide in August 2022. It is an update to the previous version, which was released in 2022. Kubernetes advances quickly, and adoption grows even faster. Kubernetes has been a popular target, necessitating ongoing improvement of its security measures.

The current edition of the paper shows that its authors closely monitor Kubernetes and cloud security and want to prepare the industry for the next wave of risks brought by evolving attack tactics and by new capabilities offered by Kubernetes and cloud platforms.

The following are some of the most critical points addressed in the revised version of the NSA & CISA Kubernetes Hardening Guide:

· Kubernetes Pod Security

  1. Use containers designed to run apps as non-root users.
  2. Run containers with immutable file systems wherever possible.
  3. Examine container images for any flaws or misconfigurations.
  4. Implement a technical control to enforce a minimum level of security, such as:
     - preventing privileged containers;
     - restricting container features often used for breakouts, such as hostPID, hostIPC, hostNetwork, and allowedHostPath;
     - rejecting containers that run as the root user or allow root elevation;
     - protecting apps from exploitation through the use of security services such as SELinux®, AppArmor®, and secure computing mode (seccomp).
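The pod-security items above, expressed as manifests. This is an added example, not from the guide or from Kubescape; the namespace name, image name and UID are assumed. The namespace labels turn on the built-in Pod Security Admission controller with the "restricted" profile, which rejects pods that violate the listed controls, and the Pod spec shows what a compliant workload looks like.

```yaml
# Namespace with Pod Security Admission enforcing the "restricted" profile
apiVersion: v1
kind: Namespace
metadata:
  name: payments                       # assumed namespace name
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
---
# A pod that satisfies the restricted profile and the NSA/CISA pod controls
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
spec:
  hostPID: false                       # no host namespace sharing (breakout vectors)
  hostIPC: false
  hostNetwork: false
  automountServiceAccountToken: false  # no API token unless the app needs one
  securityContext:
    runAsNonRoot: true                 # kubelet refuses to start a UID 0 process
    runAsUser: 10001                   # assumed non-root UID baked into the image
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault             # default seccomp filter of the container runtime
  containers:
  - name: api
    image: registry.example.com/payments/api:1.4.2   # assumed image; pin by digest in production
    securityContext:
      privileged: false
      allowPrivilegeEscalation: false  # blocks setuid binaries from gaining privileges
      readOnlyRootFilesystem: true     # immutable root filesystem
      capabilities:
        drop: ["ALL"]                  # no Linux capabilities at all
    volumeMounts:
    - name: tmp
      mountPath: /tmp                  # the only writable location
  volumes:
  - name: tmp
    emptyDir: {}
```

A pod in this namespace that sets `privileged: true`, omits `runAsNonRoot`, or keeps the default capability set is rejected at admission time rather than merely flagged.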

· Network Separation and Hardening

  1. Use a firewall and role-based access control (RBAC) to restrict access to control plane nodes. Use separate networks for control plane components and nodes.
  2. Further limit access to the Kubernetes etcd server.
  3. Configure control plane components to communicate using authorized, encrypted Transport Layer Security (TLS) certificates.
  4. Encrypt etcd at rest and use a separate TLS certificate for its communication.
  5. Create network policies to separate resources. Unless additional isolation is enforced, pods and services in different namespaces can still communicate with each other.
  6. Create an explicit network deny policy.
  7. Store all credentials and sensitive information encrypted in Kubernetes Secrets rather than in configuration files. Use a strong encryption method to encrypt Secrets.

· Authentication and Authorization

  1. Turn off anonymous login (enabled by default).
  2. Implement robust user authentication.
  3. Develop RBAC policies that provide distinct roles for users, administrators, developers, service accounts, and the infrastructure team.
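A minimal RBAC layout for the "developer" role from item 3, with anonymous access disabled on the API server. This is an added example, not from the guide; the namespace, group name and API-server configuration path are assumed. The role is namespaced, read-only, and deliberately omits Secrets and `pods/exec`; the binding targets a group from the identity provider rather than individual users, and the workload gets its own service account with no token mounted by default.

```yaml
# kube-apiserver flag (assumed to be set in the static pod manifest):
#   --anonymous-auth=false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer-readonly
  namespace: payments                  # assumed namespace
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log", "services", "configmaps"]   # no "secrets", no "pods/exec"
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch"]
---
# Bind to a group so membership is managed in the identity provider, not in YAML
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developers-payments
  namespace: payments
subjects:
- kind: Group
  name: payments-developers            # assumed group claim from the OIDC provider
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role                           # a Role, not a ClusterRole: scope stays per namespace
  name: developer-readonly
  apiGroup: rbac.authorization.k8s.io
---
# Dedicated identity for the workload; pods use it instead of "default"
apiVersion: v1
kind: ServiceAccount
metadata:
  name: api
  namespace: payments
automountServiceAccountToken: false
```

`kubectl auth can-i list secrets --namespace payments --as-group payments-developers --as someone` is a quick way to confirm the role grants only what was intended.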

· Audit Logging and Threat Detection

  1. Turn on audit logging (disabled by default).
  2. Persist logs so that they remain available in the event of a node, pod, or container failure.
  3. Set up logging across the environment (for example, cluster API audit event logs, cluster metric logs, application logs, Pod seccomp logs, repository audit logs, and so on).
  4. Gather logs from outside the cluster.
  5. Put in place a log monitoring and alerting system tailored to the organization’s cluster.
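An API-server audit policy for item 1 above. This is an added example, not from the guide; the file paths are assumed. Rules are evaluated in order and the first match wins, so the rule that keeps Secret contents out of the log comes first, high-value changes (RBAC, pods, exec) are recorded in full, noisy node traffic is dropped, and everything else falls through to metadata-only logging.

```yaml
# kube-apiserver flags (assumed paths) that load this policy and write to a local file,
# which a log shipper then forwards off the node (item 4):
#   --audit-policy-file=/etc/kubernetes/audit-policy.yaml
#   --audit-log-path=/var/log/kubernetes/audit.log
#   --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
- RequestReceived                      # one event per request, at completion
rules:
# Never record request/response bodies for Secrets or ConfigMaps
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets", "configmaps"]
# Full bodies for changes to RBAC, workloads and interactive access
- level: RequestResponse
  verbs: ["create", "update", "patch", "delete"]
  resources:
  - group: "rbac.authorization.k8s.io"
    resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
  - group: ""
    resources: ["pods", "pods/exec", "pods/attach", "serviceaccounts"]
  - group: "apps"
    resources: ["deployments", "daemonsets", "statefulsets"]
# Drop high-volume read-only traffic from cluster components
- level: None
  users: ["system:kube-proxy"]
  verbs: ["watch"]
- level: None
  userGroups: ["system:nodes"]
  verbs: ["get", "list", "watch"]
  resources:
  - group: ""
    resources: ["nodes", "pods", "endpoints"]
# Catch-all: who did what to which object, without bodies
- level: Metadata
```

Events at `RequestResponse` level for `pods/exec` are the ones worth alerting on first, since an interactive shell in a production pod is rarely routine.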

· Upgrading and Application Security Practices

  1. Apply security fixes and upgrades as soon as possible.
  2. Conduct vulnerability scans and penetration testing on a regular basis.
  3. Uninstall and remove unnecessary components from the system.

How Kubescape can help:

Kubescape is an open-source Kubernetes (K8s) tool that provides a single pane of glass for Kubernetes security, covering risk analysis, security compliance, an RBAC visualizer, and image vulnerability scanning.

It was the first tool to offer Kubernetes misconfiguration detection based on the NSA and CISA guidance framework, available as soon as the guidance was published. Since its initial release, Kubescape has developed several key security features inspired by the NSA and CISA approach to Kubernetes security evaluation. It remains the premier open-source tool today, offering this and many other frameworks.

Some of the new requirements in this version are already implemented in Kubescape, since the corresponding controls exist in its other frameworks; they will be incorporated into the NSA framework soon.

Please consult my earlier article, which is cited below, for more details on the internal workings of Kubescape and its limits. I hope this article has given you a better understanding of the enhancements proposed in the updated version of the NSA hardening guidance. Please do provide your meaningful feedback 😊

References:

https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PdF

GitHub — kubescape/kubescape
