
NSA Kubernetes Hardening Guide

Prashant Mishra edited this page Aug 31, 2023 · 1 revision

Credits to parthyadav from the Kubearmor Telegram!

Pod Hardening:

  • Build container images whose application runs as a non-root user with a non-root group, and also set that non-root user in the Kubernetes manifest.
  • Use rootless container engines (check out Docker's rootless mode).
  • Make the container's filesystem as immutable as possible (i.e. read-only).
  • Use trusted repositories and digitally signed 🔐 images if possible.
  • Scan your container images 👀 (check the Sysdig blogs).
  • Enforce policies appropriate to your cluster's use case and teams (PSA, PSP, Kyverno, OPA).
  • Harden your Pod capabilities (Linux capabilities).
  • Prevent automounting of the service account token in Pods (spec.automountServiceAccountToken: false).
  • Use hardened container runtimes (hypervisor-backed, kernel-based or application-sandbox runtimes).
  • Limit Pod PIDs (podPidsLimit in your kubelet configuration file) and also reserve PIDs for the system and Kubernetes (--system-reserved, --kube-reserved).
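Most of the pod-level items above can be checked mechanically before a manifest is admitted. The following Python audit function is an added example written for this page (not code from the NSA guide or from KubeArmor): it walks a Pod manifest already loaded as a dict and reports every checklist item the manifest misses. The two sample manifests, the registry name and the digest placeholder are constructed, and the set of capabilities treated as risky is this example's own choice.

```python
"""Audit a Pod manifest against the pod-hardening checklist (added example)."""
from typing import Any, Dict, List

# Capabilities treated as risky if a container adds them back; this set is an
# assumption made for the example, not a list taken from the guide.
RISKY_CAPS = {"SYS_ADMIN", "NET_ADMIN", "NET_RAW", "SYS_PTRACE", "SYS_MODULE", "DAC_OVERRIDE"}


def effective(container_sc: Dict[str, Any], pod_sc: Dict[str, Any], key: str) -> Any:
    """runAsUser/runAsGroup/runAsNonRoot may be set at pod level and overridden
    per container; the other securityContext fields exist only per container."""
    return container_sc.get(key, pod_sc.get(key))


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return one finding per missed hardening item; an empty list means all passed."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Only workloads that call the API need a mounted service-account token.
    if spec.get("automountServiceAccountToken", True) is not False:
        findings.append("pod: automountServiceAccountToken is not false")
    if spec.get("hostPID") or spec.get("hostNetwork") or spec.get("hostIPC"):
        findings.append("pod: shares a host namespace (hostPID/hostNetwork/hostIPC)")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if effective(sc, pod_sc, "runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        if effective(sc, pod_sc, "runAsUser") == 0:
            findings.append(f"{name}: runAsUser is 0 (root)")
        if effective(sc, pod_sc, "runAsGroup") in (None, 0):
            findings.append(f"{name}: runAsGroup is unset or 0 (root group)")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: root filesystem is writable")
        caps = sc.get("capabilities", {})
        dropped = {x.upper() for x in caps.get("drop", [])}
        added = {x.upper() for x in caps.get("add", [])}
        if "ALL" not in dropped:
            findings.append(f"{name}: capabilities not dropped (drop: [ALL] missing)")
        if added & RISKY_CAPS:
            findings.append(f"{name}: adds risky capabilities {sorted(added & RISKY_CAPS)}")
        # A tag can be re-pointed; a digest pins the exact scanned image.
        if "@sha256:" not in c.get("image", ""):
            findings.append(f"{name}: image not pinned by digest")
    return findings


# Constructed sample: a typical unhardened manifest.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "web", "image": "nginx:latest"}]},
}

# Constructed sample applying the checklist. Registry and digest are placeholders.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001, "runAsGroup": 10001},
        "containers": [{
            "name": "web",
            "image": "registry.example.internal/web@sha256:<image-digest-placeholder>",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            # A read-only root filesystem still needs a writable scratch area.
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {audit_pod(pod) or ['no findings']}")
```

Run stand-alone it prints seven findings for the weak manifest and none for the hardened one; the same function can be dropped into a CI step or a validating admission webhook that rejects manifests with a non-empty result.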

Namespace Hardening:

  • Isolate namespaces for multiple individuals, teams or applications using RBAC rules.
  • Limit resources (ResourceQuota, LimitRange policies).

Network and Control-Plane Hardening:

  • Use a default network policy to deny all ingress and egress traffic to and from a pod.
  • Use TLS certificates to encrypt traffic for all services that are exposed externally using NodePort, LoadBalancer, etc.
  • The API server should not be exposed to the internet or an untrusted network.
  • Set up TLS certificates to enforce HTTPS communication between etcd and the API server.
  • Also, use a separate CA (certificate authority) for etcd.
  • Unauthenticated non-root users should be blocked from accessing kubeconfig files, etc.
  • Network-segment your worker nodes and control-plane nodes for certain types of network traffic (for example: the kubelet port 10250 does not need internet access; certain databases and other internal services may not need internet access; certain traffic between worker nodes or groups of worker nodes can be restricted or limited).
  • Encrypt all traffic between Kubernetes components, nodes, and the control plane with TLS certificates.
  • Restrict access to Secret resources by applying RBAC policies.
  • Use strong encryption for secret data (see how to configure a KMS provider in k8s).
  • If running in the cloud, prevent access to your instance's cloud metadata service (such as http://169.254.169.254 in OpenStack).
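The first network item, a default policy denying all ingress and egress, is easy to miss in one namespace out of many. The script below is an added example for this page (not code from the NSA guide or from KubeArmor): it takes a cluster's NetworkPolicy objects as dicts and reports each namespace that lacks a default-deny for either direction. The namespace names and policies are constructed samples.

```python
"""Report namespaces without a default-deny NetworkPolicy (added example)."""
from typing import Any, Dict, List, Set

DIRECTIONS = ("Ingress", "Egress")

# Constructed sample: the default-deny policy the checklist asks for. An empty
# podSelector selects every pod in the namespace; listing a policyType with no
# matching rules denies all traffic in that direction.
DEFAULT_DENY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-all", "namespace": "prod"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}


def is_default_deny(policy: Dict[str, Any], direction: str) -> bool:
    """True if the policy selects all pods and denies all traffic in `direction`."""
    spec = policy.get("spec", {})
    # podSelector: {} and podSelector: {matchLabels: {}} both select all pods.
    if spec.get("podSelector", {}) not in ({}, {"matchLabels": {}}):
        return False
    # Require an explicit policyTypes entry. An omitted list defaults to Ingress
    # only (Egress is implied just when egress rules exist), so relying on the
    # default never yields an egress deny.
    if direction not in spec.get("policyTypes", []):
        return False
    # Any rule at all, even a single empty one, allows traffic; require none.
    return not spec.get(direction.lower(), [])


def namespaces_without_default_deny(namespaces: List[str],
                                    policies: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map each namespace to the directions it does not default-deny.
    Namespaces covered in both directions are omitted from the result."""
    covered: Dict[str, Set[str]] = {ns: set() for ns in namespaces}
    for pol in policies:
        ns = pol.get("metadata", {}).get("namespace")
        if ns not in covered:
            continue
        for d in DIRECTIONS:
            if is_default_deny(pol, d):
                covered[ns].add(d)
    return {ns: [d for d in DIRECTIONS if d not in covered[ns]]
            for ns in namespaces if covered[ns] != set(DIRECTIONS)}


# Constructed samples: prod is covered, dev denies only ingress, and sandbox has
# a policy that allows all egress (one empty rule) and nothing for ingress.
SAMPLE_NAMESPACES = ["prod", "dev", "sandbox"]
SAMPLE_POLICIES = [
    DEFAULT_DENY,
    {"kind": "NetworkPolicy", "metadata": {"name": "deny-ingress", "namespace": "dev"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"kind": "NetworkPolicy", "metadata": {"name": "allow-all-egress", "namespace": "sandbox"},
     "spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": [{}]}},
]

if __name__ == "__main__":
    gaps = namespaces_without_default_deny(SAMPLE_NAMESPACES, SAMPLE_POLICIES)
    for ns, missing in gaps.items():
        print(f"{ns}: no default-deny for {', '.join(missing)}")
```

The `allow-all-egress` sample shows the failure mode worth testing for: a policy whose egress list contains one empty rule looks like a deny at a glance but permits everything, so the check counts rules rather than policy names.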

Authentication and Authorization:

  • Implement an authentication method or delegate authentication to a third-party service; Kubernetes assumes that a cluster-independent service manages user authentication.
  • Disable anonymous requests by passing the --anonymous-auth=false option to the API server.
  • Create RBAC policies with unique roles for users, administrators, developers, service accounts and infrastructure teams.
  • Access to Pod secrets should be restricted, using k8s RBAC, to those who need to view them.
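Two items on this page ask that access to secrets be restricted with RBAC. The Python script below is an added example for this page (not code from the NSA guide or from KubeArmor): given Role/ClusterRole and RoleBinding/ClusterRoleBinding objects as dicts, it lists every subject that ends up able to read secrets, including through wildcard rules that never mention secrets by name. The roles, bindings and subject names are constructed samples.

```python
"""List RBAC subjects that can read Secrets (added example)."""
from typing import Any, Dict, List, Set, Tuple

# Verbs that disclose secret contents; "*" matches every verb.
READ_VERBS = {"get", "list", "watch", "*"}


def rule_reads_secrets(rule: Dict[str, Any]) -> bool:
    """True if one PolicyRule grants read access to secrets in the core API group."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    # Secrets live in the core group, written as "" in manifests; "*" covers it too.
    return (bool(groups & {"", "*"})
            and bool(resources & {"secrets", "*"})
            and bool(verbs & READ_VERBS))


def secret_readers(roles: List[Dict[str, Any]],
                   bindings: List[Dict[str, Any]]) -> List[Tuple[str, str, str]]:
    """Return (subject, scope, role) triples for every binding to a secret-reading role."""
    # Index secret-reading roles by (kind, namespace, name); ClusterRoles have no namespace.
    risky: Set[Tuple[str, str, str]] = set()
    for role in roles:
        if any(rule_reads_secrets(r) for r in role.get("rules", [])):
            ns = role.get("metadata", {}).get("namespace", "") if role["kind"] == "Role" else ""
            risky.add((role["kind"], ns, role["metadata"]["name"]))

    out: List[Tuple[str, str, str]] = []
    for b in bindings:
        ref = b["roleRef"]
        binding_ns = b.get("metadata", {}).get("namespace", "")
        # A RoleBinding may reference a ClusterRole; the grant is then limited to its namespace.
        key = (ref["kind"], binding_ns if ref["kind"] == "Role" else "", ref["name"])
        if key not in risky:
            continue
        scope = binding_ns if b["kind"] == "RoleBinding" else "<cluster-wide>"
        for s in b.get("subjects", []):
            subject = f'{s["kind"]}/{s["name"]}'
            if s["kind"] == "ServiceAccount":
                subject += f' (ns {s.get("namespace", "?")})'
            out.append((subject, scope, f'{ref["kind"]}/{ref["name"]}'))
    return out


# Constructed samples: one explicit secret reader, one harmless pod viewer, and
# one wildcard role that reads secrets without naming them.
SAMPLE_ROLES = [
    {"kind": "Role", "metadata": {"name": "secret-reader", "namespace": "prod"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "wildcard-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"name": "devs-read-secrets", "namespace": "prod"},
     "roleRef": {"kind": "Role", "name": "secret-reader"},
     "subjects": [{"kind": "Group", "name": "devs"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-pods"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "wildcard-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci"}]},
]

if __name__ == "__main__":
    for subject, scope, role in secret_readers(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(f"{subject} can read secrets in {scope} via {role}")
```

The wildcard sample is the case to watch in review: a role granting `*` on `*` never contains the word "secrets" yet reads every secret in the cluster, so a grep of manifests for the resource name will miss it while the rule-level check above does not.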

For more detailed information, check out: https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF
