Achieving the NSA Kubernetes Hardening Guidelines with Kyverno

On August 3 of last year, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) jointly unveiled the Kubernetes Hardening Guidance. With Kubernetes adoption considerably increasing, including a 67% increase[1] in developer usage between 2020 and 2021, the guide was created to educate users about the various threats to Kubernetes environments. Additionally, the Kubernetes Hardening Guidance offers best practices for secure configurations to minimize risk exposure.

The Kubernetes Hardening Guidance is particularly helpful for developers working on high-level national security systems and applies to various Kubernetes deployments. Here are the key items DevOps specialists should take away from the hardening guide and how Kyverno helps achieve the Kubernetes hardening guidelines.

Why the Kubernetes Hardening Guidance Matters

Given that many of a company’s most important assets are running or deployed on Kubernetes, it is vital to keep Kubernetes secure. The Kubernetes Hardening Guidance speaks to ensuring Kubernetes is configured as securely as possible, eliminating any negative impact on applications, whether due to inadvertent threats caused by unknowing users or to malicious threat actors purposefully compromising an environment.

Kubernetes is a powerful and layered development tool known for its steep learning curve, with many developers unsure of its full capabilities and the nuances required to secure Kubernetes environments. Additionally, Kubernetes is not secure out of the box and leaves several components susceptible to exploitation, which is why Kubernetes deployments need hardening.

Nirmata co-founder and VP of products, Ritesh Patel, recognizes the importance of hardening to secure Kubernetes environments.

“Hardening Kubernetes helps you get to a point where, whether it’s bad actors or insider threats, you can prevent threats from impacting applications,” Patel says. “Misconfiguration is probably 80 or 90% of the issues we see in Kubernetes. Every configuration in Kubernetes must be done in a way where it isn’t compromised.” 

The Key Recommendations from the Kubernetes Hardening Guidance for DevSecOps

The hardening guidelines provided by the NSA outline a defense-in-depth strategy to counter cluster attacks, making the blast radius as small as possible.

Scanning Kubernetes pods and containers for any configuration issues or vulnerabilities and running those containers/pods with the least possible privileges are among the key recommendations presented by the Kubernetes Hardening Guidance. Other notable recommendations from the guide include:

  • Using network separation to reduce the blast radius in case of a compromise
  • Using firewalls to limit unneeded network connectivity, and encryption to protect confidentiality
  • Limiting admin access and the attack surface by using enhanced authentication practices
  • Performing log auditing, which affords administrators the ability to monitor activity consistently and identify suspicious activity

“We talk about providing DevOps guardrails for developers so that they don’t end up shooting themselves in the foot. Having these types of guardrails ensures pod security, things like multi-tenancy,” Patel says. “A lot of it is security, but it also involves governance, compliance, and standards.”

Are There Controls In Place for Developers to Understand Supply Chains?

The hardening guidance highlights three key sources of compromise for clusters: supply chain risks, malicious threat actors, and insider threats. Insider threats are particularly commonplace, coming either willingly or unwillingly from administrators, cloud service providers, and users. Supply chain risks, however, are arguably the most diverse and hardest to mitigate, as they can arise during containerization build cycles or infrastructure provisioning.

Supply chain risks see adversaries subverting the elements that make up a system, such as product components, personnel, and the systems that supply the end product. Supply chain compromises affect Kubernetes at various levels, including the container level, where the security of applications and their third-party dependencies relies heavily on the trustworthiness of developers and the defense of the development infrastructure. Additionally, Kubernetes’ underlying systems have their own hardware and software dependencies, and any compromise of systems used as part of the control plane can give threat actors a firm standing within the cluster.

Building secure container images makes it possible to reduce supply chain threats, by using trusted repositories and container image scanners to detect image vulnerabilities.

Kyverno helps enterprises and users secure supply chains, using image verification to ensure software supply chain security – an issue that has long required a more robust solution.
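
The trusted-repository and image-verification controls described above can be expressed as one Kyverno ClusterPolicy. This is an added example, not part of the original article or Nirmata's own policy set; the registry name, policy name and public key are placeholders, and it assumes images are signed with Cosign.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: trusted-signed-images        # hypothetical name
spec:
  validationFailureAction: Enforce   # block non-compliant Pods at admission
  background: false                  # image verification runs at admission time
  webhookTimeoutSeconds: 30          # signature lookups need registry round trips
  rules:
    # Rule 1: only allow images pulled from the trusted registry.
    - name: restrict-registry
      match:
        any:
        - resources:
            kinds:
            - Pod
      validate:
        message: "Images must come from registry.example.com."
        pattern:
          spec:
            =(initContainers):
            - image: "registry.example.com/*"
            containers:
            - image: "registry.example.com/*"
    # Rule 2: require a valid Cosign signature made with the given key.
    - name: verify-signature
      match:
        any:
        - resources:
            kinds:
            - Pod
      verifyImages:
      - imageReferences:
        - "registry.example.com/*"   # placeholder registry
        attestors:
        - count: 1
          entries:
          - keys:
              publicKeys: |-
                -----BEGIN PUBLIC KEY-----
                <placeholder: PEM-encoded Cosign public key>
                -----END PUBLIC KEY-----
```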


What Should DevOps Consider With Kubernetes Hardening?

With architectures becoming more complex, Kubernetes security has become increasingly difficult. Kubernetes pod security and pod security policies are key talking points within the Kubernetes Hardening Guidance. Pods typically contain one or more containers and are a threat actor’s first execution environment when breaking into a container. Hardening pods reduces exploitation and limits the damage triggered by a security breach, using non-root containers and rootless containers to prevent root execution. Non-root containers and rootless containers considerably affect runtime environments, necessitating thorough testing of applications to ensure compatibility.

Building secure container images, either from scratch or by building on top of existing images from a repository, is another hardening element to consider. Image scanning is vital for securing deployed containers, with images scanned throughout container building workflows in order to identify outdated libraries, misconfigurations, or insecure ports.

Meanwhile, Kubernetes pod security policies (PSPs) specify security defaults for pods executing within Kubernetes clusters, establishing minimum security thresholds that all pods must follow. These policies are valuable controls to enforce security within a cluster. Before applying these policies, however, the PSP plugin should be enabled as a Kubernetes admission controller and then authorized through the role-based access control (RBAC) API. From an insider threat point of view, RBAC ensures only appropriate people within an organization can access a Kubernetes cluster.

Open-source projects like Kyverno, according to Patel, are ideal tools to enforce these PSPs successfully.

“We have an open-source project, Kyverno, which does a fantastic job of enforcing these policies. It’s very flexible and gives you a way to define and enforce pod security policies at a very granular level,” Patel says. “Kyverno enables PSPs in a way that makes it very usable. The original implementation of PSPs in Kubernetes was very cumbersome and difficult to use and has since been deprecated. Kyverno improves the security posture of your clusters.”
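
The non-root requirement discussed in this section, written as a Kyverno validation rule. This is an added example, not part of the original article; the policy name is illustrative and the rule is written against the kyverno.io/v1 ClusterPolicy schema.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-nonroot       # hypothetical name
spec:
  # Audit only reports violations, which supports the compatibility testing
  # the guidance calls for; switch to Enforce to reject Pods at admission.
  validationFailureAction: Audit
  background: true                   # also report on Pods that already exist
  rules:
    - name: run-as-non-root
      match:
        any:
        - resources:
            kinds:
            - Pod
      validate:
        message: >-
          Containers must not run as root. Set runAsNonRoot: true at the Pod
          level or on every container.
        anyPattern:
        # Option 1: runAsNonRoot is set for the whole Pod, and no container
        # overrides it with false. "=(field)" means: if present, must match.
        - spec:
            securityContext:
              runAsNonRoot: true
            =(initContainers):
            - =(securityContext):
                =(runAsNonRoot): true
            containers:
            - =(securityContext):
                =(runAsNonRoot): true
        # Option 2: every container sets runAsNonRoot: true itself.
        - spec:
            =(initContainers):
            - securityContext:
                runAsNonRoot: true
            containers:
            - securityContext:
                runAsNonRoot: true
```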

Network Separation and Kubernetes Hardening

Networking is a core Kubernetes concept, with communication between pods, containers, and services (both internal and external) deemed necessary. Encryption and resource separation are effective methods to limit cyber-actor movement within clusters, encrypt traffic and sensitive data at rest, and secure the control plane.

Kubernetes namespaces partition cluster resources among multiple applications within a cluster. A namespace assigns a label to a scope, which can be used to specify authorization rules through role-based access control and network policies. Meanwhile, policies can restrict compute and storage resources to improve pod control at the namespace level. Additionally, network policies reject connections not explicitly allowed by applicable policy objects.

“As we talk about multi-tenant clusters, it’s important to have network separation. You want to make sure that applications running in the cluster are only accessing the resources they need,” says Patel. “Kyverno ensures that every application deployed has some policies created that will allow inbound access but deny outbound access. You can have more granular network policies that control each of your applications and pods.”
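
One way to give every namespace a baseline for the network separation described in this section: a Kyverno generate rule that creates a default-deny NetworkPolicy in each new namespace, followed by an application-specific allow rule layered on top. This is an added example, not part of the original article; all names, labels, the namespace and the port are constructed.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-deny             # hypothetical name
spec:
  rules:
  - name: default-deny
    match:
      any:
      - resources:
          kinds:
          - Namespace
    generate:
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      name: default-deny
      namespace: "{{request.object.metadata.name}}"
      synchronize: true              # recreate the policy if it is deleted
      data:
        spec:
          podSelector: {}            # empty selector: every Pod in the namespace
          policyTypes:               # no allow rules listed, so all traffic is denied
          - Ingress
          - Egress
---
# With the default deny in place, only explicitly allowed connections succeed.
# Here Pods labelled app=web accept TCP 8080 from app=frontend Pods only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-web
  namespace: team-a                  # constructed namespace
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
```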

Control Plane Hardening

Another core Kubernetes feature is the control plane, giving users the freedom to view containers, schedule new pods, and execute commands within the cluster. Network separation comprehensively protects the control plane and its most sensitive components, preventing unauthorized user entry and securing configurations like RBAC and TLS encryption.

“There are tons of configuration knobs in the control plane that need to be carefully managed, and some of the configuration settings that lead to security issues can be avoided,” says Patel.

Open-Source Software is the Key to Achieving Kubernetes Hardening Guidelines

Nirmata’s solution is an open-source solution that responds quickly and robustly to new challenges in Kubernetes, leveraging the power of the community to achieve safety. It’s a more agile and compelling security approach than a closed source solution.

Through Kyverno, real-time snapshots are provided of Kubernetes security postures within enterprises. Also, Kyverno offers best practices to help developers discover misconfigurations, simplifying Kubernetes complexity and following the continuous approach the NSA’s hardening guidance emphasizes.

With the Nirmata Policy Manager, you can manage multiple Kubernetes clusters at once using a unified management plane – streamlining Kyverno adoption, facilitating policy-as-code best practices, and getting visibility into the security posture of your applications and your clusters.

“The community continues to focus on addressing all these different aspects whenever possible to help enterprises using Kubernetes deploy more securely,” says Patel. “Nirmata Policy Manager provides detailed information about what’s happening with policies, which policies are being violated, by whom, and which applications are not following your guidelines.”

At Nirmata, we offer complete policy management for Kubernetes. Our Kyverno-powered platform solution provides DevOps and all users with increased control and hardening best practices to meet the guidelines specified by the NSA and CISA. Our Kubernetes management and deployment solution also facilitates the autonomy, agility, and alignment necessary for runtime security – automating the creation, deployment, and lifecycle management of policy-based intelligent guardrails. Learn more about our solution featuring greater Kubernetes security today. Meet Kyverno here.
