A. Overview

This docs is about summary how to hardening kubernetes cluster based on NSA

Reference: https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF

This guidance outlines a defense-in-depth approach, focusing on five key domains: Workload Security, Network Security, Access Control, Observability, and Lifecycle Management. Recommendations are based on industry best practices and address threats from external actors, insider risks, and supply chain vulnerabilities.
The objective is to provide actionable steps to reduce the overall attack surface, enforce the principle of least privilege, and ensure robust detection and response capabilities for any Kubernetes deployment.

B. Threat Model

Understanding the threat landscape is the first step in building an effective security posture. Key threats to a Kubernetes environment include:

• External Malicious Actors: Adversaries seeking to compromise the cluster from the outside. Their objectives often include:
  • Data Theft: Gaining access to sensitive data stored in volumes, databases, or application Secrets.
  • Compute Power Theft: Hijacking cluster resources to perform unauthorized tasks, such as cryptocurrency mining or participating in DDoS attacks.
  • Methods: Typically involve exploiting application vulnerabilities, using stolen credentials to access the Kubernetes API server, or attacking exposed worker node services like the kubelet.
• Insider Threats: Users with legitimate access who may pose a risk, either intentionally or accidentally.
  • Privileged Users (Administrators): Have extensive control and can cause significant damage if their accounts are compromised or used maliciously. A lack of Two-Person Integrity Controls (Four-Eyes Principle) for critical actions increases this risk.
  • Standard Users: Developers or applications with credentials that, if compromised or misused, could be exploited to escalate privileges or access unauthorized resources.
  • Cloud/Infrastructure Providers: Have physical or hypervisor-level access to the underlying infrastructure, representing a potential vector for compromise.
• Supply Chain Risks: Vulnerabilities introduced via third-party components.
  • Container Images: Malicious or vulnerable code and libraries baked into container images can create immediate security holes upon deployment.
  • Container Runtimes: A vulnerability in the runtime (e.g., containerd, CRI-O) could break the isolation between containers or between a container and the host.
  • Infrastructure: Compromised hardware or vulnerable base operating systems on worker nodes can undermine the security of the entire cluster.

C. Hardening best practices

1. Pod and Workload Security

Workloads are the primary assets within a cluster. Securing them is the most fundamental layer of defense.

1.1. Principle of Least Privilege

• Non-Root Containers: Applications inside containers must run as a non-root user. This drastically limits an attacker’s capabilities if they achieve code execution within a Pod.
• Immutable Filesystems: Where possible, containers should run with a read-only root filesystem (readOnlyRootFilesystem: true) to prevent attackers from modifying the application or writing malicious tools to disk.

1.2. Secure Container Images

• Trusted Sources: Only use container images from trusted, reputable registries.
• Vulnerability Scanning: Integrate automated image scanning into the CI/CD pipeline to detect known vulnerabilities (CVEs) in OS packages and application libraries before they are deployed.

1.3. Pod Security Admission (PSA)

Kubernetes’ built-in admission controller should be enabled to enforce Pod Security Standards.

• Enforcement: Configure namespaces to enforce baseline or restricted security profiles to block insecure Pod configurations cluster-wide.
• Key Controls: PSA prevents common high-risk configurations, including:
  • Running privileged containers.
  • Accessing host namespaces (hostPID, hostIPC, hostNetwork).
  • Running as the root user or allowing privilege escalation.

1.4. Service Account Token Protection

• Disable Automounting: By default, every Pod is mounted with a token for its Service Account. If an application does not need to communicate with the Kubernetes API, disable this by setting automountServiceAccountToken: false.
• Use Specific Accounts: Avoid using the default service account. Create dedicated, least-privilege service accounts for each application.

1.5. Hardening Container Runtimes

• Kernel-Based Solutions: Leverage security modules like Seccomp (to restrict allowed system calls) and AppArmor or SELinux (for mandatory access control) to harden the boundary between the container and the host kernel, reducing the attack surface.

2. Network Security and Segmentation

Controlling traffic flow is critical to preventing lateral movement and isolating resources.

2.1. Control Plane Hardening

• Firewall Protection: The Kubernetes API server (typically on port 6443) must be protected by a firewall, allowing access only from trusted IP ranges. It should never be exposed directly to the public internet.
• Separate Networks: Use dedicated, isolated networks for the control plane and worker node components.

2.2. Etcd Security

• Isolation: The etcd database contains the entire state of the cluster and is highly sensitive. Network access should be restricted exclusively to the Kubernetes API servers.
• Encryption: Enforce TLS for all communication to and from etcd. Additionally, encrypt the etcd datastore at rest.

2.3. Network Policies

• Default Deny: Implement a default-deny policy for all ingress and egress traffic in every namespace. This ensures no Pod can communicate unless explicitly allowed.
• Namespace Segmentation: Use Network Policies to enforce strict communication boundaries between namespaces and applications. For example, a front-end application should only be allowed to communicate with its specific back-end service, and nothing else.
• CNI Requirement: Use a Container Network Interface (CNI) plugin that supports and enforces NetworkPolicy objects (e.g., Calico, Cilium, Weave).

2.4. Resource Policies

• Prevent Resource Exhaustion: Use ResourceQuotas to limit the total amount of CPU, memory, and storage a namespace can consume. Use LimitRanges to enforce reasonable resource requests and limits on individual Pods. This prevents a single application from causing a denial-of-service attack on cluster resources.

2.5. Encryption

• In-Transit: All communication between cluster components and between services should be encrypted using modern TLS (1.2 or 1.3).
• Secrets at Rest: Kubernetes Secrets are only Base64 encoded by default, not encrypted. Configure encryption at rest for Secrets using a Key Management Service (KMS) provider or another strong encryption method.

3. Authentication and Authorization (IAM)

Strictly controlling who can access the cluster and what they can do is paramount.

• Disable Anonymous Authentication: Anonymous access to the API server (-anonymous-auth=false) is enabled by default in some older versions and must be disabled.
• Strong Authentication: Integrate the API server with a centralized, strong identity provider (e.g., OIDC, SAML) that supports multi-factor authentication (MFA). Avoid static token or password files.
• Role-Based Access Control (RBAC):
  • Least Privilege: Design RBAC roles with the minimum permissions required for each user, group, or service account to perform its function.
  • Avoid Cluster-Admin: Grant cluster-admin privileges sparingly.
  • Regular Reviews: Periodically review and audit all RBAC roles and bindings to remove unnecessary permissions.

4. Audit Logging and Threat Detection

You cannot defend what you cannot see. Comprehensive logging and monitoring are non-negotiable.

4.1. Enable Audit Logging

• API Server Auditing: Enable audit logging on the Kubernetes API server. This creates a chronological record of all actions performed in the cluster.
• Log Aggregation: Persist all logs to a centralized, external logging solution (e.g., a SIEM platform). This prevents log tampering and ensures availability if a node or the cluster fails.
• Comprehensive Coverage: Collect logs from all layers: host OS, container runtime, kubelet, API server audit, application logs, and network flow logs.

4.2. Monitoring and Alerting

• Establish Baselines: Profile normal application and cluster behavior to enable the detection of anomalous activity.
• Define Critical Alerts: Configure alerts for high-priority security events, including:
  • Anonymous or failed API requests.
  • Creation of privileged Pods.
  • Access to sensitive Secrets.
  • Significant deviations from resource consumption baselines.
  • Changes to critical security configurations (e.g., RBAC, Pod Security Policies).

4.3. Threat Detection Tooling

• Integrate the cluster with modern security tooling designed for cloud-native environments. This includes Intrusion Detection Systems (IDS), SIEM platforms with Kubernetes-aware parsers, and runtime security monitoring tools.

5. Cluster Lifecycle and Maintenance

Security is an ongoing process, not a one-time configuration.

• Prompt Patching and Upgrades: Regularly apply security patches to all components of the environment, including Kubernetes itself, host operating systems, container runtimes, and all running applications.
• Periodic Vulnerability Scanning: Continuously scan running containers and host nodes for new vulnerabilities.
• Regular Penetration Testing: Engage in periodic penetration tests to proactively identify weaknesses in the cluster’s security posture.

Configuration Audits: Regularly audit the cluster configuration against industry benchmarks like the CIS (Center for Internet Security) Kubernetes Benchmark.

Reference

https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF