The National Security Agency (NSA), in partnership with the Cybersecurity and Infrastructure Security Agency (CISA), recently published the Kubernetes Hardening Guidance, a technical report focused on securing Kubernetes environments.
The report identifies the common areas of Kubernetes security risks: supply chain, malicious actors, and insider threats. It aims to educate engineers to avoid common misconfiguration issues and safeguard applications.
The guidance suggests that supply chain risks are hard to mitigate and can emerge in the container build cycle or during infrastructure provisioning, especially in cloud environments.
Some of the recommendations in the report to build secure container images include using trusted repositories, detecting vulnerabilities in images by using a container image scanner, and running containers and pods with the least privileges possible.
One approach mentioned in the report for integrating image scanning is to use an admission controller, a Kubernetes feature that can intercept requests to the Kubernetes API server before the creation of an object, but after authentication and authorization. That way, deployments that don’t comply with the organization's security policy are blocked.
The report also underlines that malicious actors are keen to compromise Kubernetes clusters, especially on the public cloud, for many reasons, including stealing data and computation power or mining cryptocurrency.
The report makes many recommendations to mitigate such risks, such as encrypting data in transit using Transport Layer Security (TLS) and encrypting data at rest, including secrets, as well as using network policies and firewalls to limit the blast radius of a compromise.
The report refers to running non-root containers as well as rootless container engines. That way, a threat actor who can compromise a particular container won’t be able to escape with all of the root capabilities of a host machine. By default, many applications in containers run as the root user even though little or no access to the underlying host is required.
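The admission-control and non-root recommendations above can be combined in one policy check. The following Python example is added here and is not taken from the report: it shows the decision logic of a validating admission webhook that denies pods whose images come from outside a trusted repository or that do not set runAsNonRoot. The registry name and the sample request are constructed for illustration.

```python
# Added example: decision logic of a validating admission webhook.
# TRUSTED_REGISTRY and SAMPLE are constructed for illustration.
TRUSTED_REGISTRY = "registry.example.internal/"  # hypothetical trusted repository


def violations(pod):
    """Return policy violations for a Pod object (dict form of the manifest)."""
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext") or {}
    found = []
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind) or []:
            name, image = c.get("name", "?"), c.get("image", "")
            ctx = c.get("securityContext") or {}
            if not image.startswith(TRUSTED_REGISTRY):
                found.append(f"{name}: image {image!r} is not from the trusted registry")
            # A container-level setting overrides the pod-level one.
            non_root = ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot", False))
            if non_root is not True:
                found.append(f"{name}: runAsNonRoot is not set to true")
            if ctx.get("privileged") is True:
                found.append(f"{name}: privileged mode requested")
    return found


def review(admission_review):
    """Build the AdmissionReview response for an incoming AdmissionReview request."""
    req = admission_review["request"]
    problems = violations(req["object"]) if req["kind"]["kind"] == "Pod" else []
    response = {"uid": req["uid"], "allowed": not problems}
    if problems:
        response["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


# Constructed sample request, shaped like the one the API server sends to a webhook.
SAMPLE = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "constructed-uid-1", "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "object": {"spec": {"containers": [
            {"name": "web", "image": "docker.io/library/nginx:latest"},
            {"name": "api", "image": "registry.example.internal/api:1.4",
             "securityContext": {"runAsNonRoot": True}}]}}},
}

if __name__ == "__main__":
    print(review(SAMPLE)["response"])
```

In a cluster, this logic would sit behind an HTTPS endpoint registered through a ValidatingWebhookConfiguration, and an image-scan verdict could be added as a further check in `violations`.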
In addition, the guidance underscores the risk of insider threats. Those are users, administrators, or cloud service providers with special access privileges who can abuse such privileges and compromise the Kubernetes environment.
Some of the recommendations in the report to mitigate such risk include using strong authentication and authorization utilizing RBAC to limit the access of users and administrators. Also, disabling anonymous requests that are enabled by default in Kubernetes can limit the attack surface.
The guidance encourages administrators to stay up to date when it comes to patches, updates, and upgrades. In addition, it highlights the importance of regularly checking the Center for Internet Security (CIS) benchmarks for securing software as well as best practices.
Kubernetes is open-source software that automates the deployment, scaling, and management of applications. It’s the de facto standard for managing application containers at scale. Google donated the technology to the Cloud Native Computing Foundation (CNCF) in 2015. CNCF is part of the Linux Foundation dedicated to the advancement of cloud-native software, community, and ecosystem.
The 59-page technical report is part of NSA’s library which includes many cybersecurity advisories related to networking, 5G Infrastructure, cloud vulnerabilities, and more.