Ensuring NSA Kubernetes Hardening Guidance with Kubescape
The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) of the United States collaborated on the Kubernetes Hardening Guidance, a technical report aimed at securing Kubernetes environments. The report describes the dangers that Kubernetes environments face and offers secure configuration advice to reduce risk.
According to the recommendations, supply chain risks are difficult to control and might arise throughout the container building cycle or infrastructure provisioning, particularly in cloud settings.
What Is Kubernetes Hardening NSA Guidance?
The Kubernetes Hardening Guide is a compilation of the National Security Agency's recommendations on how you can improve the security of a company's Kubernetes system. It can help firms make their Kubernetes environment more difficult to breach.
This 52-page cybersecurity technical paper focuses on the common origins of a compromised Kubernetes system and provides practical advice for administrators on how to operate Kubernetes securely.
Kubernetes Hardening Guidance Recommendations (Version 1.1)
User Authentication
In the previous version of the Kubernetes Hardening Guide, user authentication was considered out of scope. Even though strong multi-factor authentication mechanisms are not part of Kubernetes itself, the new version emphasizes the necessity of user authentication and advocates implementing it. The recommendations make it clear that third-party products should be used in this area.
RBAC
Enabling and configuring RBAC receives much more attention. The new proposals add further separation of duties; it is advised, for example, that administration and infrastructure management functions be separated.
Admission Controller
The report suggests implementing a Kubernetes admission controller to mitigate risks, which requests an image scan when a pod is deployed. However, if a rarely updated program stays deployed for a long period, this deploy-time check alone will not adequately secure long-running applications. Admission controllers are now expected to check container image signatures and perform better configuration validation, in addition to the improved PSP/PSA approach.
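The PSA approach mentioned above is configured per namespace with labels that the built-in Pod Security Admission controller reads. The manifests below are an added example, not from the guidance or this article; the namespace name, pod labels and image are assumptions.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: payments                         # assumed namespace name
  labels:
    # Reject any pod that violates the "restricted" profile: no privileged
    # containers or host namespaces, non-root user, dropped capabilities, etc.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    # Warn kubectl users and add an audit annotation as well; these two modes
    # are also how you dry-run the profile on a namespace before enforcing it.
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
# A pod spec that passes the restricted profile above.
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
spec:
  securityContext:
    runAsNonRoot: true                   # image must run as a non-root UID
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: api
    image: example.invalid/api:1.0       # placeholder image
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```

Pod Security Admission evaluates pods only at admission time; pods that are already running are not re-checked when the labels change, which is the same deploy-time limitation the section describes for scanning.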
Auditing and Logging
The recommendation emphasizes log-based monitoring and alerting. Logging at the host, application, and cloud levels is an important consideration at each layer. When running Kubernetes in production, it is critical to know who is responsible and accountable for each layer of logging.
Hardening Container Engines
Some container workloads are riskier than others, yet they may need to share a cluster. Running them on dedicated nodes with hardened container runtimes that enforce stronger pod isolation boundaries might be a beneficial security control in certain instances.
etcd
As a general rule, the etcd server should be set up to trust only certificates issued to the API server. This reduces the attack surface and makes it harder for an attacker to gain access to the cluster. It may be desirable to use a separate CA for etcd, since etcd otherwise trusts every certificate issued by the cluster's root CA.
Building Secure Container Images
The Kubernetes Hardening Guide also suggests using a scanner as an admission controller during deployment to prevent vulnerable or misconfigured pods from running in the cluster. This sounds like a wonderful idea in theory, but there are a few things to keep in mind before putting it into practice.
Network Separation
Kubernetes' default networking settings let pods connect freely to each other, regardless of the namespace in which they are deployed. Because of this open networking model, a bad actor only has to gain access to one pod to reach all the others. As a result, the entire platform is only as secure as its least secure component.
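The way to close that open model is a default-deny NetworkPolicy per namespace with explicit allow rules on top. The manifests below are an added example, not from the guidance or this article; the namespace name, pod labels, port and ingress-controller namespace are assumptions, and they only take effect on a CNI plugin that enforces NetworkPolicy.

```yaml
# 1. Deny all ingress to every pod in the namespace (egress is left open here).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: payments            # assumed namespace name
spec:
  podSelector: {}                # empty selector = every pod in the namespace
  policyTypes:
  - Ingress                      # no ingress rules listed = nothing is allowed
---
# 2. Re-open one path: frontend pods -> api pods, only on the service port.
# policyTypes defaults to Ingress when only ingress rules are given.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api                   # assumed pod labels
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
---
# 3. Frontend pods accept traffic only from the ingress controller's namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-controller-to-frontend
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: frontend
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ingress-nginx   # assumed controller namespace
    ports:
    - protocol: TCP
      port: 8080
```

Policies are additive, so a pod matched by the first policy and none of the others receives no traffic at all; a default-deny for Egress is built the same way, but then needs an explicit egress rule to the cluster DNS pods or name resolution stops working.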
Using Kubescape for Kubernetes Hardening Guidance
Kubescape Cloud is a free tool that provides risk analysis, security compliance, an RBAC visualizer, and scanning for container image vulnerabilities. Kubescape scans Kubernetes clusters, YAML files, and Helm charts, and checks for misconfigurations across multiple frameworks, software vulnerabilities, and RBAC violations.
The first step should be to install Kubescape if you don't already have it. Create an account on the portal and install it using the instructions below. The command may be copied and pasted into your terminal.
curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
Kubescape uses a variety of security compliance standards and security frameworks, such as those from the National Security Agency (NSA), MITRE ATT&CK, ArmoBest, etc., to analyze security risks and vulnerabilities found in your cluster. In this section of the article, I will be guiding you on how you can scan your Kubernetes cluster for vulnerabilities using the NSA framework.
Scanning for Vulnerabilities using the NSA Framework
After installing Kubescape on your device, you can use the following command to scan the environment for misconfigurations and vulnerabilities:
kubescape scan --submit --enable-host-scan
After you run the command, Kubescape will begin scanning the entire cluster and, depending on the architecture, return a result in a very short time.
You may use a variety of commands to scan the environment for vulnerabilities and misconfigurations based on your requirements. Use the following command to see a list of the various types of frameworks available in Kubescape.
kubescape list frameworks
The above command will return a list of all the frameworks supported by Kubescape.
kubescape scan framework nsa deployment.yaml
This command uses the Kubescape NSA framework to scan the supplied manifest, deployment.yaml, for the same misconfigurations; omitting the file argument scans the running cluster instead.
Conclusion
Kubernetes isn't secure by default, and it's not safe by itself. It is certainly possible and necessary to harden its settings. I hope you learned something new regarding the NSA’s Kubernetes Hardening Guide from this article. The guidelines also emphasize Kubernetes' widespread adoption and how safeguarding Kubernetes clusters and application containers running on Kubernetes remains a priority.