-
Notifications
You must be signed in to change notification settings - Fork 355
NSA Kubernetes Hardening Guide
Prashant Mishra edited this page Aug 31, 2023
·
1 revision
Credits to parthyadav from the Kubearmor Telegram!
Pod Hardening:
- Build containers with application having non-root user with non-root group membership, set to non-root user in k8s manifest also
- Use rootless container engines(checkout docker rootless container)
- Make container’s filesystem as immutable as possible(i.e. read only)
- Use trusted repositories and digitally signed 🔐 images if possible.
- Scan you container images 👀 (scheck sysdig blogs)
- Enforce proper policies based on your cluster usecase and team(PSA, PSP, kyverno, OPA)
- Harden your Pod Capabilities(linux capablities)
- Prevent automount of service account in Pod(spec.automountServiceAccountToken: false)
- Use Hardened Container runtimes like(Hypervisor-backed or Kernel based or Application sandboxes container runtimes)
- Limit your Pod PIDs(using podPidsLimit: in your kubelet file)(also reserve pid for system and kubernetes, --system-reserved, --kube-reserved)
Namespace Hardening:
- Isolate namespaces for multiples individuals, teams or application using rbac rules
- Limit resources(Resource Quota, LimitRange Policy)
Network and Control-Plane Hardening:
- Use a default network policy to deny all ingress and egress traffic to and from a pod.
- Use TLS certificates to encrypt traffic for all services that are exposed externally using NodePort, LoadBalancer etc.
- API Server should not be exposed to the internet or an untrusted network.
- Setup TLS certificates to enforce HTTPS communication between etcd and api-server.
- Also, use separate CA(certificate authority) for etcd.
- Unauthenticated non-root users should be blocked from accessing kubeconfig files, etc
- Network Segment your worker nodes, control nodes for certain types of network traffice(Example: kubelet port 10250 do not need internet access, Certain Databases and other internal services may not need internet access, Certain traffic b/w worker nodes or group of worker node can be restricted or limited)
- Encrypt all traffic between kubernetes components, node, and the control-plane with TLS certificates.
- Restrict access to secret resources by applying RBAC policies.
- Use strong encryption for secret data (see how to configure KMS in k8s)
- If running on cloud, then try to prevent access from your instance cloud metadata(like http://169.254.169.254 in openstack).
Authentication and Authorization:
- Implement authentication method or delegate authentication to a third-party service. K8s assumes that a cluster-independent service manages user authentication.
- disable anonymous requests by passing --anonymous-auth=false option to the API server.
- Create RBAC policies with unique roles for users, administrators, developers, service accounts and infrastructure teams.
- Access to Pod secrets should be restricted to those who needs to view them using k8s RBAC.
For a more detailed information, check out: https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF