Apr 08, 2022
One of the best ways to reduce the attack surface of your Kubernetes cluster is to apply the Center for Internet Security (CIS) Kubernetes benchmarks. For most practitioners, CIS is the gold standard for security benchmarks; however, its benchmarks are not the only guidance available. A resource that is often overlooked is the guidance provided by the U.S. Government, such as the “Kubernetes Hardening Guide” published by the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) to support their respective cybersecurity missions and for broad industry use. Version 1.1 was released in March 2022 to support the growing usage of Kubernetes, which has become a popular target for threat actors.
While CIS is compliance gold, the CIS benchmarks are very prescriptive and usually offer minimal explanation. The NSA and CISA saw a need for a higher-level security resource that explains more of the challenges and the rationale behind Kubernetes security. In this respect, the two work as perfect complements — you get strategies and rationale from the “Kubernetes Hardening Guide,” and the extremely detailed, prescriptive checks and controls enumerated by CIS.
In other words, CIS benchmarks give you the exact checks to run, along with recommended settings. The NSA and CISA guide supplements this by explaining the challenges and recommendations, why they matter, and how potential attackers approach the target. Version 1.1 adds the latest hardening recommendations needed to protect and defend against today’s threat actors’ tactics, techniques, and procedures (TTPs).
The Kubernetes Hardening Guide excels at providing the strategy and the why; you can then rely on CIS for the how-to guidance.
The Kubernetes Hardening Guide addresses security challenges and suggests hardening strategies, organized into the following sections:
The guide then covers the four major areas of Kubernetes security in more detail and suggests hardening strategies for each area. This section easily maps to how CIS breaks down Kubernetes security:
The NSA is a great source for guidance, and, like CIS, they collect and utilize extensive feedback from the community. The guide and the CIS Benchmarks (in PDF form) are available at no charge to facilitate broad usage.
Some highlights of the major changes that occurred in the Kubernetes Hardening Guide 1.1 version are as follows:
For an excellent, detailed list of the differences between v1.0 and v1.1, see the following blog post from Kubescape.
The U.S. Government uses Kubernetes for many diverse applications, including 37 DoD teams using Kubernetes in projects ranging from F-16 jet fighters to battleship control systems. See the following blog post from the Cloud Native Computing Foundation for details on how the DoD is using Kubernetes. The U.S. Government strongly backs Kubernetes deployments, and the NSA and CISA also use Kubernetes to support their respective cybersecurity missions.
Using a cloud native security platform like Orca Security is one way to check the configuration of your Kubernetes cloud accounts. With out-of-the-box support for CIS Kubernetes benchmarks such as CIS K8S and CIS EKS, you can track your exact compliance posture.
For the CIS Kubernetes benchmarks, Orca reports passed and failed control checks, with extensive detail on the failed checks for both the cloud infrastructure plane and the Kubernetes Pods.
Orca’s agentless design also gives you two important advantages: complete visibility into the Kubernetes control plane nodes, the Pods, and the containers within them, and the ability to scan containers for vulnerabilities even in Pods that are paused or stopped.
The Kubernetes Hardening Guide is a perfect complement not just to CIS, but to security platforms that manage misconfigurations and vulnerabilities on Kubernetes systems.
With Orca’s Cloud Security Risk Assessment, you get a Key Risk Findings Report along with a free 30-Day trial to get full visibility into your cloud estate, including Kubernetes.