The NSA Can Help Secure Your Kubernetes Clusters
Yes, the National Security Agency (NSA), aka the “No Such Agency,” aka master code-breakers of the world, can also help you secure your Kubernetes clusters. No, this is not a joke. Not only can its “Kubernetes Hardening Guidance” help you, but it’s also darn good.
That’s not as amazing as it may sound at first. Besides the code-breaking side, which everyone knows about from TV and movies, its other mission is to help protect national security by protecting the US’s security. Besides just making codes for the CIA and the like it also publishes documents on how you — yes, you — can better protect your security and privacy. This includes guidance and a list of the most common vulnerabilities threat actors use to plant web shells on servers and how to choose the most secure video-conferencing and collaboration systems.
And, as many of you know, the NSA created SELinux. This is Linux’s optional mandatory access control (MAC) architecture. If you really want to secure Linux, SELinux is your first choice.
So, it comes as no surprise that Kubernetes Hardening Guidance is darn helpful. And, frankly, we need an easy, straightforward Kubernetes security guide. As Red Hat reports in its July 2021 Kubernetes adoption, security, and market trends report, “55% of respondents have had to delay an application rollout because of security concerns.”
That’s way, way too high. So what can you do? According to the NSA, Kubernetes cluster threats come from three main sources:
- Supply chain risk, which poses dangers at multiple levels. These range from the container or application level to the underlying infrastructure.
- Malicious threat actors can exploit exposed architecture APIs. These include the control plane, worker nodes, and containerized applications.
- Insider threats from actors that have elevated privileges or special knowledge, including administrators, users, and cloud service or infrastructure providers.
So, what can you do about these? The NSA has seven recommendations:
- Scan containers and pods for vulnerabilities or misconfigurations.
- Run containers and pods with the least privileges possible.
- Use network separation to control the amount of damage a compromise can cause.
- Use firewalls to limit unneeded network connectivity and encryption to protect confidentiality.
- Use strong authentication and authorization to limit user and administrator access and limit the attack surface.
- Use log auditing so that administrators can monitor activity and be alerted to potential malicious activity.
- Periodically review all Kubernetes settings and use vulnerability scans to help ensure risks are appropriately accounted for, and security patches are applied.
The report then drills deeper into each of the areas. For example, for protecting containers, they recommend:
- Use containers built to run applications as non-root users.
- Whenever possible, run containers with immutable file systems
- Scan container images for possible vulnerabilities or misconfigurations
- Use a Pod Security Policy to enforce a minimum level of security. Specifically: Prevent privileged containers from initiating; deny frequently exploited container features, such as hostPID, hostIPC, hostNetwork, and allowedHostPath; rejecting containers that execute as the root user or allow elevation to root; and hardening applications against exploitation using security services such as SELinux, AppArmor, and seccomp.
In addition to general guidance, the guide includes code examples to enable you to better secure your clusters. These include a Pod Security Policy, Network Policy, and a ResourceQuota Policy to limit aggregate resource usage within a namespace.
Put it all together and you get what I think frankly is the best introduction to Kubernetes security I’ve seen so far. It really is very good and I can’t recommend it highly enough. If you just read this document and put its policies into practice, your clusters are likely to be an order of magnitude more secure than they currently are. Oh, and did I mention it’s free? Download, read, and implement it. You’ll be glad you did.