Federal Agencies Publish Kubernetes Hardening Guidance
A long-awaited, thoughtful and clear document, Kubernetes Hardening Guidance, was published recently by the National Security Agency (NSA) and the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA). The information is particularly timely because many organizations are shifting from classic to cluster-based infrastructure for their most critical workloads. This guide provides an opportunity for organizations to address critical cyber issues at a time when they are increasingly vulnerable.
Kubernetes, originally designed by Google, is an open-source container orchestration system that is widely adopted for the deployment and management of containers (lightweight applications) in a cluster-based architecture. Kubernetes adds a layer of abstraction to the virtualized infrastructure that organizations use. It allows developers and system administrators to focus on the rapid deployment of applications through existing Agile and DevOps workflows with natural support for a highly redundant and scalable environment. A similar concept would be the “dream within a dream” from the 2010 film Inception. As this additional abstraction has evolved from the traditional bare metal hardware or virtual machine environments, so have the complexities of the security hardening practices.
The Kubernetes Hardening Guidance covers a range of topics, including Kubernetes pod security (one or more containers make up a pod), network segmentation and hardening, authentication and authorization, audit logging and monitoring, and vulnerability management. While the specific recommendations are fairly technical and apply only to Kubernetes, the overall guidance covers principles and concepts that also apply to classic infrastructure. If you use Kubernetes, the following key recommendations should be incorporated into your organization’s hardening practices:
Kubernetes Pod Security
- Use containers built to run applications as non-root users
- Where possible, run containers with immutable (can’t be changed) file systems
- Scan container images for possible vulnerabilities or misconfigurations
- Prevent privileged containers (privileged containers have access to all root capabilities of the host machine)
- Deny container features frequently exploited to break out of the container, such as hostPID, hostIPC, hostNetwork, allowedHostPath
- Reject containers that execute as the root user or allow elevation to root
- Harden applications against exploitation using security services such as SELinux®, AppArmor®, and seccomp
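As an added illustration (not code from the guidance or from this article), the following Python audit checks a Pod manifest, already parsed into a dict, against the pod security recommendations listed above: privileged containers, root execution and privilege elevation, writable root filesystems, missing seccomp profiles, the hostPID/hostIPC/hostNetwork flags, and hostPath volumes (the closest per-Pod check for the allowedHostPath item). The field names are real Kubernetes PodSpec and SecurityContext fields; the two manifests are constructed samples.

```python
# Audit a parsed Pod manifest against the pod security recommendations.
# Pod-level securityContext values (runAsNonRoot, runAsUser, seccompProfile)
# act as defaults that each container's own securityContext may override.

def _container_findings(name, ctr, pod_ctx):
    """Return findings for one container, honouring pod-level defaults."""
    ctx = {**pod_ctx, **ctr.get("securityContext", {})}
    findings = []
    if ctx.get("privileged"):
        findings.append(f"{name}: privileged container")
    if ctx.get("runAsNonRoot") is not True and ctx.get("runAsUser", 0) == 0:
        findings.append(f"{name}: root not prevented (set runAsNonRoot)")
    if ctx.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
        findings.append(f"{name}: allowPrivilegeEscalation not disabled")
    if not ctx.get("readOnlyRootFilesystem"):
        findings.append(f"{name}: root filesystem is writable")
    if ctx.get("seccompProfile", {}).get("type", "Unconfined") == "Unconfined":
        findings.append(f"{name}: no seccomp profile")
    return findings

def audit_pod(pod):
    """Return a list of human-readable findings; an empty list means clean."""
    spec = pod.get("spec", {})
    findings = []
    for flag in ("hostPID", "hostIPC", "hostNetwork"):  # host namespace sharing
        if spec.get(flag):
            findings.append(f"pod: {flag} enabled")
    for vol in spec.get("volumes", []):  # host filesystem mounted into the pod
        if "hostPath" in vol:
            findings.append(f"pod: hostPath volume {vol.get('name')}")
    pod_ctx = spec.get("securityContext", {})
    for ctr in spec.get("containers", []) + spec.get("initContainers", []):
        findings.extend(_container_findings(ctr.get("name", "?"), ctr, pod_ctx))
    return findings

# Constructed sample: a "debug" pod that violates most of the recommendations.
WEAK_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
            "spec": {"hostPID": True,
                     "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
                     "containers": [{"name": "shell", "image": "busybox",
                                     "securityContext": {"privileged": True}}]}}

# Constructed sample: the same recommendations applied.
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
                "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                                             "seccompProfile": {"type": "RuntimeDefault"}},
                         "containers": [{"name": "web", "image": "example/web:1.0",
                                         "securityContext": {"allowPrivilegeEscalation": False,
                                                             "readOnlyRootFilesystem": True,
                                                             "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
```

The same checks can be enforced at admission time with Pod Security Admission or a policy engine; this script only shows what those policies look for.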
Network Separation and Hardening
- Lock down access to control plane (Management) nodes using a firewall and role-based access control (RBAC)
- Further limit access to the Kubernetes etcd server
- Configure control plane components to use authenticated, encrypted communications using Transport Layer Security (TLS) certificates
- Set up network policies to isolate resources. Pods and services in different namespaces can still communicate with each other unless additional separation is enforced, such as network policies
- Place all credentials and sensitive information in Kubernetes Secrets rather than in configuration files. Encrypt Secrets using a strong encryption method (such as a Key Management Service)
Authentication and Authorization
- Disable anonymous login (enabled by default)
- Use strong user authentication
- Create RBAC policies to limit administrator, user, and service account activity
Log Auditing
- Enable audit logging (disabled by default)
- Persist logs to ensure availability in the case of node-, pod-, or container-level failure
- Configure a metrics logger
Upgrading and Application Security Practices
- Immediately apply security patches and updates
- Perform periodic vulnerability scans and penetration tests
- Remove components from the environment when they are no longer needed
Here are some additional resources:
- What is Kubernetes?
- CIS Kubernetes Benchmark
- CSA Best Practices for Implementing a Secure Application Container Architecture
Weaver’s IT advisory team has broad experience across diverse environments, from continuous monitoring and compliance procedures to the considerations of on-premise and cloud-based Kubernetes deployments, from both the end-user and Cloud Service Provider perspectives.
To find out how Weaver can help your organization with its security and compliance posture, contact us. We are here to help.
© 2021