The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have published comprehensive recommendations for hardening an organization’s Kubernetes deployments, intended to make a Kubernetes environment more difficult to compromise.
This 52-page cybersecurity technical report offers practical guidance for administrators on running Kubernetes securely, focusing on the three common sources of a compromised Kubernetes environment –
· Supply-chain attacks – can arise in the container build cycle or in infrastructure acquisition
· Malicious actors – can exploit vulnerabilities and misconfigurations in components of the Kubernetes architecture, such as the control plane, worker nodes, or containerized applications
· Insider threats – can be administrators, users, or cloud service providers. Insiders with privileged access to an organization’s Kubernetes infrastructure may be able to abuse those privileges
This guidance details the following mitigations:
· Scan containers and Pods for vulnerabilities or misconfigurations.
· Run containers and Pods with the least privileges possible.
· Use network separation to control the amount of damage a compromise can cause.
· Use firewalls to limit unneeded network connectivity and encryption to protect confidentiality.
· Use strong authentication and authorization to limit user and administrator access and to reduce the attack surface.
· Use log auditing so that administrators can monitor activity and be alerted to potential malicious activity.
· Periodically review all Kubernetes settings and use vulnerability scans to help ensure risks are appropriately accounted for and security patches are applied.
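To make the "scan for misconfigurations" and "least privileges possible" items concrete, here is a small dependency-free checker, written for this summary rather than taken from the NSA/CISA report or from ARMO Kubernetes Fabric. It walks a Pod manifest (as the dict that `yaml.safe_load` or `json.loads` would return) and flags the settings that hand a container more than it needs: host namespaces, hostPath mounts, privileged mode, privilege escalation, root, writable root filesystem, retained capabilities, a missing seccomp profile, an auto-mounted service account token, and an unpinned image. The two manifests at the bottom are constructed for the example, and the set of "dangerous" capabilities is this example's own choice, not a list from the report.

```python
"""Pod manifest hardening check (added example, not part of the NSA/CISA
guidance or of ARMO's product). Manifests are plain dicts, as produced by
yaml.safe_load / json.loads, so no third-party library is needed."""

from typing import Any

# Capabilities that effectively give the container the node. This list is an
# assumption made for this example, not one taken from the report.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN", "NET_RAW", "SYS_MODULE"}
SECCOMP_OK = {"RuntimeDefault", "Localhost"}


def _containers(spec: dict[str, Any]) -> list[dict[str, Any]]:
    """Regular, init and ephemeral containers all run under the same rules."""
    return (spec.get("containers") or []) + (spec.get("initContainers") or []) \
        + (spec.get("ephemeralContainers") or [])


def _image_is_pinned(image: str) -> bool:
    """Pinned means a digest, or at least an explicit tag other than :latest."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]          # strip registry/path, which may contain ':port'
    return ":" in last and not last.endswith(":latest")


def check_container(ctr: dict[str, Any], pod_sc: dict[str, Any]) -> list[str]:
    """Findings for one container; Pod-level securityContext supplies defaults."""
    name = ctr.get("name", "<unnamed>")
    sc = ctr.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    findings: list[str] = []

    if sc.get("privileged"):
        findings.append(f"{name}: privileged=true (full access to host devices and kernel)")
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append(f"{name}: allowPrivilegeEscalation not false (setuid/file caps can regain privilege)")
    # Container setting wins over the Pod setting; either may supply it.
    if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        findings.append(f"{name}: runAsNonRoot not true")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append(f"{name}: readOnlyRootFilesystem not true")
    if "ALL" not in (caps.get("drop") or []):
        findings.append(f"{name}: capabilities.drop does not include ALL")
    added = DANGEROUS_CAPS & {c.upper() for c in (caps.get("add") or [])}
    if added:
        findings.append(f"{name}: adds dangerous capabilities {sorted(added)}")
    seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
    if seccomp not in SECCOMP_OK:
        findings.append(f"{name}: no seccomp profile (set RuntimeDefault or Localhost)")
    image = ctr.get("image", "")
    if not _image_is_pinned(image):
        findings.append(f"{name}: image {image!r} not pinned (no tag or :latest); pin by digest")
    return findings


def find_pod_misconfigurations(pod: dict[str, Any]) -> list[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    findings: list[str] = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: {flag}=true shares the node's namespace with the container")
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            findings.append(f"pod: volume {vol.get('name')!r} mounts hostPath {vol['hostPath'].get('path')!r}")
    if spec.get("automountServiceAccountToken") is not False:
        findings.append("pod: service account token auto-mounted; set automountServiceAccountToken: false "
                        "unless the workload talks to the API server")
    for ctr in _containers(spec):
        findings.extend(check_container(ctr, pod_sc))
    return findings


# Constructed sample manifests for this example: a typical "debug" Pod as
# often found in clusters, and the same idea with least privilege applied.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{"name": "shell", "image": "busybox:latest",
                        "securityContext": {"privileged": True}}],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web",
            "image": "registry.example.internal/web@sha256:" + "a" * 64,   # placeholder digest
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        result = find_pod_misconfigurations(pod)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Running it against the constructed "debug" Pod produces ten findings, while the hardened Pod produces none. In practice the same checks belong in CI against rendered manifests and in an admission controller, so that a Pod that fails them is rejected rather than merely reported; the checker here is deliberately whitelist-shaped (a setting must be explicitly safe, not merely absent), because Kubernetes' defaults for these fields are the permissive ones.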
To learn how ARMO Kubernetes Fabric helps to adopt this guidance, click here
Here is a summary of all the recommendations from each section -
ARMO Kubernetes Fabric continuously verifies that Kubernetes clusters meet this guidance. It was designed from the ground up around the same threat model and principles described in the report, and therefore provides protection covering the security aspects the guidance raises.
To read how click here