Kubernetes Hardening Guide: A Perfect Complement to the CIS Kubernetes Benchmarks


Apr 08, 2022

Reading time:

4 Minutes

One of the best ways to reduce the attack surface of your Kubernetes cluster is the use of Center for Internet Security (CIS) Kubernetes benchmarks.  For most practitioners CIS is the gold standard for security benchmarks; however, their benchmarks are not the only guidance available. A resource that is often overlooked is the guidance provided by the U.S. Government, like the “Kubernetes Hardening Guide” that was published by the National Security Agency (NSA) and the Cybersecurity Infrastructure Security Agency (CISA) to support their respective cyber security missions and for broad industry use. Version 1.1 has been released, as of March 2022, to support the growing usage of Kubernetes, as it has become a popular target for threat actors.

While the CIS is compliance gold, the CIS benchmarks are very prescriptive and usually offer minimal explanations. The NSA and CISA felt there was a need for a higher level security resource that explained more of the challenges and rationale behind Kubernetes security. In this respect, the two work as perfect compliments — you get strategies and rationale with the “Kubernetes Hardening Guide,” and the extremely detailed prescriptive checks/controls enumerated by CIS.

In other words, CIS benchmarks offer the exact checks you should use, along with recommended settings. The NSA & CISA supplements this by explaining challenges and recommendations, why they matter, and detailing how potential attackers look at the attack. In version 1.1, the updates include the latest hardening recommendations necessary to protect and defend against today’s threat actors TTPs.

How does the Kubernetes Hardening Guide help the cybersecurity community?

The Kubernetes Hardening Guide excels at providing the strategy and the why; then, you can rely on CIS for how to guidance.

This Kubernetes Hardening Guide addresses security challenges and suggests hardening strategies that comprise the following sections:

  • Introduction to Kubernetes – written from a security perspective
  • Architectural Overview – an overview of the Kubernetes cluster architecture and strategies for securing the different components of the architecture
  • Threat Model – explains the most likely bad actors that work to compromise Kubernetes systems

The guide then covers the four major areas of Kubernetes security in more detail and suggests hardening strategies for each area. This section easily maps to how CIS breaks down Kubernetes security: 

  1. Kubernetes Pod security
  2. Network separation and hardening
  3. Authentication and authorization
  4. Audit logging and threat detection

The NSA is a great source for guidance, and, like CIS, they collect and utilize extensive feedback from the community. The guide and the CIS Benchmarks (in PDF form) are available at no charge to facilitate broad usage.

Differences between 1.0 and 1.1 Versions of the Kubernetes Hardening Guide

Some highlights of the major changes that occurred in the Kubernetes Hardening Guide 1.1 version are as follows:

  • Recommends the use of TLS and disabling anonymous authentication on the control plane
  • Increased emphasis on the continuous scanning of container images both in development and production environments
  • More guidance and a greater emphasis on the use of RBAC

For an excellent detailed list of the differences between v1.0 and v1.1, see the following Blog from Kubescape.

DoD Usage of Kubernetes in the real world

The U.S. Government uses Kubernetes for many diverse applications, to include 37 DoD teams are using Kubernetes in projects ranging from F16 jet fighters to Battleship control systems. See the following blog from the Cloud Native Computing Foundation for details on how the DoD is using Kubernetes.  The US Government has a strong backing of Kubernetes deployments and the NSA and CISA also use Kubernetes to support their respective cyber security missions.

How Orca Helps you Secure Kubernetes and how you use the Kubernetes Hardening Guide with Orca

Using a cloud native security platform like Orca Security is one way that you can check your Kubernetes cloud account configurations. With out-of-the-box support for Kubernetes CIS benchmarks like K8S and CIS EKS, you can track your exact compliance posture.
With CIS Kubernetes benchmarks, Orca will give you details of passed and failed control checks with extensive details around failed checks for the cloud infrastructure plane and Kubernetes Pods. 

With Orca’s agentless design, you also gain two important advantages: complete 100% visibility of both the Kubernetes control plane nodes, the Pods, and the containers within them. Orca can even scan containers for vulnerabilities in pods that are either paused or stopped.

The Kubernetes Hardening Guide is a perfect complement not just for CIS – but for security platforms that perform management of misconfigurations and vulnerabilities on Kubernetes systems.

With Orca’s Cloud Security Risk Assessment, you get a Key Risk Findings Report along with a free 30-Day trial to get full visibility into your cloud estate, including Kubernetes.