The National Security Agency and the Cybersecurity and Infrastructure Security Agency on Tuesday released new guidance on Kubernetes security, providing advice on securing container environments against supply chain threats, insider threats and data exfiltration risks.
The guidance reviews the security challenges of Kubernetes environments and describes strategies for hardening these infrastructures. Its primary recommendations are scanning containers and Pods for vulnerabilities or misconfigurations, using network separation, enforcing strong authentication, and auditing logs.
Risk Factors
Kubernetes is an open-source container-orchestration system used to automate the deployment, scaling and management of containerised applications. The agencies note that attackers target Kubernetes for data theft, theft of computational power and denial-of-service attacks.
According to the guidance, supply chain risks are often challenging to mitigate and can arise in the container build cycle or in infrastructure acquisition. Malicious actors can exploit vulnerabilities and misconfigurations in components of the Kubernetes architecture, such as the control plane, worker nodes or containerised applications. Insider threats can be administrators, users or cloud service providers; insiders with privileged access to an organisation's Kubernetes infrastructure may abuse those privileges.
Recommendations
The guidance recommends several mitigations to strengthen the security of Kubernetes deployments:
- Scan containers and Pods for vulnerabilities or misconfigurations.
- Run containers and Pods with the least privileges possible.
- Use network separation to control the amount of damage a compromise can cause.
- Use firewalls to limit unneeded network connectivity and encryption to protect confidentiality.
- Use strong authentication and authorisation to limit user and administrator access as well as to limit the attack surface.
- Use log auditing so that administrators can monitor activity and be alerted to potential malicious activity.
- Periodically review all Kubernetes settings and use vulnerability scans to help ensure risks are appropriately accounted for and security patches are applied.
NSA and CISA also recommend periodic reviews of Kubernetes settings, together with vulnerability scans, to ensure that risks are appropriately accounted for and security patches are applied, the report stated.
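As an added illustration of the "scan Pods for misconfigurations" and "least privilege" recommendations (example code written for this article, not taken from the NSA/CISA guidance), the following Python audit checks two constructed Pod manifests against the container-level settings the guidance calls for. The securityContext field names are real Kubernetes fields; the Pod names and image references are placeholders.

```python
# Two constructed Pod manifests (not from the guidance): one weak, one hardened.
# Image references use the reserved ".invalid" domain as placeholders.
WEAK_POD = {"kind": "Pod", "metadata": {"name": "demo-weak"}, "spec": {
    "hostPID": True,
    "containers": [{"name": "app", "image": "example.invalid/app:latest",
                    "securityContext": {"privileged": True}}]}}

HARDENED_POD = {"kind": "Pod", "metadata": {"name": "demo-hardened"}, "spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "app", "image": "example.invalid/app:1.4.2",
                    "securityContext": {"privileged": False,
                                        "allowPrivilegeEscalation": False,
                                        "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"]}}}]}}


def audit_pod(pod):
    """Return a list of least-privilege findings; an empty list means the Pod passes."""
    findings = []
    spec = pod.get("spec", {})
    # Sharing host namespaces exposes host processes, IPC or network to the container.
    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag):
            findings.append(f"pod shares the host {flag[4:]} namespace")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: runs privileged")
        # Kubernetes defaults allowPrivilegeEscalation to true when it is unset.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        # runAsNonRoot may be set at Pod or container level; the container value wins.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: runAsNonRoot not enforced")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: does not drop all Linux capabilities")
        # A mutable tag (or none) means the image can change under a running Pod.
        image = c.get("image", "")
        tag = image.rsplit("/", 1)[-1]
        if "@sha256:" not in image and (":" not in tag or tag.endswith(":latest")):
            findings.append(f"{name}: image tag is mutable; pin a version or digest")
    return findings


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
```

Running the module prints seven findings for the weak Pod and "OK" for the hardened one; the same checks can be run over manifests pulled from a cluster or a CI pipeline before deployment.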