The National Security Agency (NSA), in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) of the United States, has just released Kubernetes Hardening Guidance. This document provides an excellent overview of the complex Kubernetes infrastructure, the known threats against it and “descriptive” level hardening recommendations. Let’s dive in.
Why Do We Need This?
Kubernetes adoption across the enterprise is growing rapidly. Kubernetes “simplifies” the orchestration and deployment of containerized applications, supports modern architectures such as microservices and provides the highly desired elasticity for workloads. However, I put “simplifies” in quotes because while the solution does streamline a plethora of tasks once done manually with several different technologies, it is far from simple or turn-key to deploy and manage securely.
As enterprises continue to move business-critical workloads onto modern solutions such as Kubernetes, cyber criminals are adjusting their attack patterns to take advantage of poorly deployed, insecure Kubernetes clusters. This guidance document has been published to increase awareness of the problem and enable companies to improve their security posture.
What are the Threats?
The document outlines that most attacks observed against insecure Kubernetes infrastructure are focused on stealing data and/or stealing compute resources for cryptomining, with a smaller number aimed at service interruption (denial of service). However, it is worth noting that compute theft incidents are more of a nuisance; the real threats, stealing data and compromising the DevOps infrastructure to embed malicious code, will continue to become a larger problem with greater impact.
What are the Recommendations?
At a high level, the guidance breaks its recommendations down into securing pods, leveraging network separation capabilities, properly implementing authentication and authorization, logging and monitoring, and software life-cycle management such as patching, updates and upgrades.
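To make the “securing pods” bucket concrete, here is an added example (my own code, not from the NSA/CISA guidance or the CIS Benchmark) that audits a Pod manifest against the pod-level controls the guidance recommends: no host namespace sharing, no privileged containers, non-root execution, an immutable (read-only) root filesystem, no privilege escalation and dropped Linux capabilities. The two manifests are constructed for the example, one deliberately weak and one hardened; they are plain Python dicts (what `yaml.safe_load` would return) so the script runs offline without PyYAML. The function names `audit_pod` and `_effective` are my own.

```python
"""Audit Kubernetes Pod manifests for the pod hardening controls in the NSA/CISA guidance.

Added example, not code from the guidance itself. Manifests are dicts as
yaml.safe_load() / json.load() would produce them, so no PyYAML dependency.
"""
from typing import Any, Dict, List


def _effective(container: Dict[str, Any], pod_sc: Dict[str, Any], key: str) -> Any:
    """A container-level securityContext field overrides the pod-level one."""
    container_sc = container.get("securityContext") or {}
    if key in container_sc:
        return container_sc[key]
    return pod_sc.get(key)


def audit_pod(manifest: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings: List[str] = []

    # Sharing host namespaces lets a container see host processes, IPC or network.
    for ns in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(ns):
            findings.append(f"pod: {ns} is enabled")

    containers = list(spec.get("containers", [])) + list(spec.get("initContainers", []))
    for c in containers:
        name = c.get("name", "<unnamed>")
        csc = c.get("securityContext") or {}

        # A privileged container has effectively the same access as the host.
        if csc.get("privileged"):
            findings.append(f"{name}: privileged container")

        # Non-root execution: runAsNonRoot true, or an explicit non-zero runAsUser.
        if _effective(c, pod_sc, "runAsNonRoot") is not True and not _effective(c, pod_sc, "runAsUser"):
            findings.append(f"{name}: may run as root (set runAsNonRoot: true or a non-zero runAsUser)")

        # Immutable container filesystem; writable paths should be explicit volumes.
        if csc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: root filesystem is writable (readOnlyRootFilesystem not true)")

        # Default is true, which lets setuid binaries gain privileges.
        if csc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")

        # Drop every capability, then add back only what the workload proves it needs.
        dropped = (csc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in dropped:
            findings.append(f"{name}: capabilities not dropped (drop: [ALL] missing)")

    return findings


# Constructed sample manifests for this example.
WEAK_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-weak"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "web",
            "image": "nginx:1.21",
            "securityContext": {"privileged": True},
        }],
    },
}

HARDENED_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "web",
            "image": "nginxinc/nginx-unprivileged:1.21",
            "securityContext": {
                "readOnlyRootFilesystem": True,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
            # Read-only root filesystem, so scratch space is an explicit emptyDir.
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"])
        for finding in audit_pod(pod) or ["  no findings"]:
            print(" ", finding)
```

The weak manifest produces six findings (host networking, privileged, possible root, writable root filesystem, privilege escalation allowed, capabilities not dropped); the hardened one produces none. The same checks are what an admission controller or a CI step should enforce so that a manifest like `WEAK_POD` never reaches the cluster.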
What about CIS Benchmarks?
The Kubernetes Hardening Guidance is 59 pages and does a good job of identifying the problem and providing some “descriptive” level recommendations. However, this newly released document recommends leveraging the Center for Internet Security (CIS) Benchmark for Kubernetes for actual control implementation, as it is much more comprehensive, prescriptive and measurable, sitting at an easy 299-page weekend read.
What about the Azure Kubernetes Service?
Not only does CIS offer a Kubernetes Benchmark, but also a CIS Benchmark for Azure Kubernetes Service (AKS). The AKS Benchmark covers securing Master Components and Configurations, Worker Nodes, Policies and Managed Services. It is about half the size of the Kubernetes Benchmark because the Master Components and Configurations are managed by Azure, which reduces the organization’s responsibility for some of the core and arguably most commonly insecure components of Kubernetes.
Did I mention the benefit of owning less with PaaS: having less to secure?