NSA & CISA Issue Guidance on Hardening Security and Managing Kubernetes Environments

Kubernetes is a popular open-source cloud solution for deploying and managing containerized apps.  Recently there have been several security breaches where hackers have gained access to poorly secured Kubernetes environments to steal sensitive data, deploy cryptocurrency miners, and conduct denial-of-service attacks.

This month, security researchers discovered Kubernetes clusters were being targeted by cyber actors who were exploiting misconfigured permissions for the web-facing dashboard of Argo Workflows instances. In these attacks, the computing power of Kubernetes environments were harnessed for mining cryptocurrencies. In another attack, a vulnerability in the Kubernetes API Server was being exploited to steal sensitive data.

In light of these attacks, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a 52-page technical report that includes detailed guidance on how to correctly set up and manage Kubernetes environments to make it harder for the environments to be compromised by hackers.

The report includes details of the most common threats to Kubernetes environments, including supply chain attacks, malicious external cyber actors, and insider threats. Improving defenses against supply chain attacks can be a major challenge. These can arise in the container build cycle or infrastructure acquisition. Vulnerabilities and misconfigurations of the Kubernetes architecture such as the control plane, worker nodes, and containerized applications are often exploited, while insiders with high-level privileges can easily abuse their privileges to conduct a range of attacks.

There are multiple ways that hackers gain access to Kubernetes environments, and while it is not possible to eliminate risk entirely, by setting up Kubernetes correctly, avoiding common misconfigurations and implementing mitigations, security can be significantly strengthened. Implementing appropriate access controls and limiting privileges can greatly reduce the risk from insider threats.

The most common way for hackers to gain access to Kubernetes is by exploiting vulnerabilities and misconfigurations. It is therefore important for security teams to conduct scans of their Kubernetes containers and pods to identify vulnerabilities and misconfigurations and ensure they are corrected, or mitigations are implemented. Periodic reviews of Kubernetes settings and regular vulnerability scans should be performed.

The NSA and CISA also recommend running containers and pods with the least privileges possible, and using network separation, firewalls, strong authentication, and log auditing. It is also important to keep on top of patching, updates, and upgrades to ensure the Kubernetes environment remains secure.

The guidance includes detailed recommendations on Kubernetes pod security, network separation and hardening, authentication and authorization, log auditing, and details best practices for application security.

The Kubernetes Hardening Guidance can be downloaded on this link (PDF).

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.