The Inner Circle

Hi All,

The NSA just published Kubernetes Hardening Guidance.

This guidance describes the security challenges associated with setting up and securing a Kubernetes cluster. It includes hardening strategies to avoid common misconfigurations and guides system administrators and developers of National Security Systems on how to deploy Kubernetes with example configurations for the recommended hardening measures and mitigations.
This guidance details the following mitigations:
 Scan containers and Pods for vulnerabilities or misconfigurations.
 Run containers and Pods with the least privileges possible.
 Use network separation to control the amount of damage a compromise can cause.
 Use firewalls to limit unneeded network connectivity and encryption to protect confidentiality.
 Use strong authentication and authorization to limit user and administrator access as well as to limit the attack surface.
 Use log auditing so that administrators can monitor activity and be alerted to potential malicious activity.
 Periodically review all Kubernetes settings and use vulnerability scans to help ensure risks are appropriately accounted for and security patches are applied.

------------------------------
Michael Roza CPA, CISA, CIA, MBA, Exec MBA
------------------------------

nice, thx for sharing Michael!​

------------------------------
Marina Hoffmann
Information Security Officer
Userlane
------------------------------

Original Message:
Sent: Aug 03, 2021 11:18:47 AM
From: Michael Roza
Subject: NSA Kubernetes Hardening Guidance

Hi All,

The NSA just published Kubernetes Hardening Guidance.

This guidance describes the security challenges associated with setting up and securing a Kubernetes cluster. It includes hardening strategies to avoid common misconfigurations and guides system administrators and developers of National Security Systems on how to deploy Kubernetes with example configurations for the recommended hardening measures and mitigations.
This guidance details the following mitigations:
 Scan containers and Pods for vulnerabilities or misconfigurations.
 Run containers and Pods with the least privileges possible.
 Use network separation to control the amount of damage a compromise can cause.
 Use firewalls to limit unneeded network connectivity and encryption to protect confidentiality.
 Use strong authentication and authorization to limit user and administrator access as well as to limit the attack surface.
 Use log auditing so that administrators can monitor activity and be alerted to potential malicious activity.
 Periodically review all Kubernetes settings and use vulnerability scans to help ensure risks are appropriately accounted for and security patches are applied.

------------------------------
Michael Roza CPA, CISA, CIA, MBA, Exec MBA
------------------------------

Thanks Michael.
Timing wise, it documents PSP or Pod Security Policy.  However, Kubernetes' PodSecurityPolicy feature was deprecated in Kubernetes 1.21.   Not quite ready for production is the replacement "PodSecurity admission controller"  

Larry

References:
"PodSecurity admission (PodSecurityPolicy replacement) #2579"; https://github.com/kubernetes/enhancements/issues/2579
"[K8s] 1.22 Security Features You Need to Know"; https://blog.aquasec.com/kubernetes-version-1.22-security-features

------------------------------
Larry Timmins
Chief Security Advisor
TOT Communications
------------------------------

Original Message:
Sent: Aug 03, 2021 11:18:47 AM
From: Michael Roza
Subject: NSA Kubernetes Hardening Guidance

Hi All,

The NSA just published Kubernetes Hardening Guidance.

This guidance describes the security challenges associated with setting up and securing a Kubernetes cluster. It includes hardening strategies to avoid common misconfigurations and guides system administrators and developers of National Security Systems on how to deploy Kubernetes with example configurations for the recommended hardening measures and mitigations.
This guidance details the following mitigations:
 Scan containers and Pods for vulnerabilities or misconfigurations.
 Run containers and Pods with the least privileges possible.
 Use network separation to control the amount of damage a compromise can cause.
 Use firewalls to limit unneeded network connectivity and encryption to protect confidentiality.
 Use strong authentication and authorization to limit user and administrator access as well as to limit the attack surface.
 Use log auditing so that administrators can monitor activity and be alerted to potential malicious activity.
 Periodically review all Kubernetes settings and use vulnerability scans to help ensure risks are appropriately accounted for and security patches are applied.

------------------------------
Michael Roza CPA, CISA, CIA, MBA, Exec MBA
------------------------------

I am the Kubernetes Policy WG co-chair and our group has reviewed both OPA and Kyverno which provide open source admission control implementations and have interviewed many teams using these in production.

I think the "not ready for production" label applies to the new PSP profiles implementation, from the KEP:
"three profile levels (privileged, baseline, restricted) of the Pod Security Standards will be hardcoded into the new admission plugin"

I see this new AC implementation as a nice default feature for non-prod or very simple prod environments.  However, to clarify, using OPA or Kyverno (or their commercially supported versions) is very much battle tested and in use in many very large production environments.  I encourage folks to join either the CNCF Slack or Kubernetes Slack workspaces if you have questions about production use of admission controllers as a replacement to either the now legacy PSPs or the new PSP hardcoded profiles.

Or for any hardening suggestions not covered in this document.

Also happy to answer questions here, as well!

------------------------------
Robert Ficcaglia
CTO
SunStone Secure, LLC
------------------------------

Original Message:
Sent: Aug 06, 2021 09:48:43 AM
From: Larry Timmins
Subject: NSA Kubernetes Hardening Guidance

Thanks Michael.
Timing wise, it documents PSP or Pod Security Policy.  However, Kubernetes' PodSecurityPolicy feature was deprecated in Kubernetes 1.21.   Not quite ready for production is the replacement "PodSecurity admission controller"

Larry

References:
"PodSecurity admission (PodSecurityPolicy replacement) #2579"; https://github.com/kubernetes/enhancements/issues/2579
"[K8s] 1.22 Security Features You Need to Know"; https://blog.aquasec.com/kubernetes-version-1.22-security-features

------------------------------
Larry Timmins
Chief Security Advisor
TOT Communications

Original Message:
Sent: Aug 03, 2021 11:18:47 AM
From: Michael Roza
Subject: NSA Kubernetes Hardening Guidance

Hi All,

The NSA just published Kubernetes Hardening Guidance.

This guidance describes the security challenges associated with setting up and securing a Kubernetes cluster. It includes hardening strategies to avoid common misconfigurations and guides system administrators and developers of National Security Systems on how to deploy Kubernetes with example configurations for the recommended hardening measures and mitigations.
This guidance details the following mitigations:
 Scan containers and Pods for vulnerabilities or misconfigurations.
 Run containers and Pods with the least privileges possible.
 Use network separation to control the amount of damage a compromise can cause.
 Use firewalls to limit unneeded network connectivity and encryption to protect confidentiality.
 Use strong authentication and authorization to limit user and administrator access as well as to limit the attack surface.
 Use log auditing so that administrators can monitor activity and be alerted to potential malicious activity.
 Periodically review all Kubernetes settings and use vulnerability scans to help ensure risks are appropriately accounted for and security patches are applied.

------------------------------
Michael Roza CPA, CISA, CIA, MBA, Exec MBA
------------------------------

Thank you, Michael.

------------------------------
Jacques Reynolds
None
None
------------------------------

Original Message:
Sent: Aug 03, 2021 11:18:47 AM
From: Michael Roza
Subject: NSA Kubernetes Hardening Guidance

Hi All,

The NSA just published Kubernetes Hardening Guidance.

This guidance describes the security challenges associated with setting up and securing a Kubernetes cluster. It includes hardening strategies to avoid common misconfigurations and guides system administrators and developers of National Security Systems on how to deploy Kubernetes with example configurations for the recommended hardening measures and mitigations.
This guidance details the following mitigations:
 Scan containers and Pods for vulnerabilities or misconfigurations.
 Run containers and Pods with the least privileges possible.
 Use network separation to control the amount of damage a compromise can cause.
 Use firewalls to limit unneeded network connectivity and encryption to protect confidentiality.
 Use strong authentication and authorization to limit user and administrator access as well as to limit the attack surface.
 Use log auditing so that administrators can monitor activity and be alerted to potential malicious activity.
 Periodically review all Kubernetes settings and use vulnerability scans to help ensure risks are appropriately accounted for and security patches are applied.

------------------------------
Michael Roza CPA, CISA, CIA, MBA, Exec MBA
------------------------------