National Security Agency and CISA Kubernetes Hardening Guide: what is new in version 1.1
2022-06-29 07:23:00 【programmer_ ada】
Guest post. Originally published on the ARMO blog; author Leonid Sandler, CTO and co-founder of ARMO.
In March 2022, NSA & CISA released a new version of the Kubernetes Hardening Guide, version 1.1. It updates the previous version, released in August 2021. Kubernetes is developing very fast, and Kubernetes adoption is growing even faster. Kubernetes has become a very popular target, so protection measures need to be strengthened continuously.
The NSA & CISA approach has become popular and is used by many people because it motivates the reader to understand the root cause behind each recommendation, why it is essential, and how malicious actors might exploit it. Beyond helping readers understand what should be enabled and disabled, the document also helps map threat scenarios onto your specific solution and understand how potential attacks would affect your system.
The new version of the document shows that the authors care deeply about Kubernetes and cloud security, and that they are trying to help the industry prepare both for the evolution of attack methods and of Kubernetes itself, and for the next wave of threats driven by the new capabilities that cloud platforms provide.
Below are some of the most important points covered in the new version of the NSA & CISA Kubernetes Hardening Guide.
Kubernetes infrastructure hardening
etcd: ensure encryption at rest; use TLS for the communication between etcd and the Kubernetes API server; authorize communication with etcd using a separate certificate.
Container runtime: emphasis is placed on continuously scanning container runtime images and resident Kubernetes components for vulnerabilities, as part of the supply chain threat.
Control plane hardening: use TLS on the control plane communication interfaces and disable anonymous authentication.
RBAC: enabling and configuring RBAC receives more attention. The new recommendations include additional role separation; for example, it is recommended to separate the administration and infrastructure management roles.
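As an added example (not from the article or from the NSA & CISA guide), the following fragments show how the etcd and control plane points above map to kube-apiserver settings: Secrets encrypted at rest through an EncryptionConfiguration, a dedicated client certificate for the etcd connection, TLS on the API server's own listener and on its connections to kubelets, and anonymous authentication disabled. File paths follow the kubeadm layout; the key value and the image version are placeholders.

```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # Encrypt new writes with AES-CBC using key1 ...
      - aescbc:
          keys:
            - name: key1
              secret: <BASE64_32_BYTE_KEY>   # placeholder, not a real key
      # ... and still read objects stored before encryption was enabled
      - identity: {}
---
# Fragment of the kube-apiserver static pod manifest
# (/etc/kubernetes/manifests/kube-apiserver.yaml on kubeadm clusters)
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
    - name: kube-apiserver
      image: registry.k8s.io/kube-apiserver:v1.24.0   # version is a placeholder
      command:
        - kube-apiserver
        - --anonymous-auth=false
        - --encryption-provider-config=/etc/kubernetes/enc/enc.yaml
        # Dedicated client certificate used only for the etcd connection
        - --etcd-servers=https://127.0.0.1:2379
        - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
        - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
        - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
        # TLS on the API server listener and on its connections to kubelets
        - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
        - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
        - --client-ca-file=/etc/kubernetes/pki/ca.crt
        - --kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt
        - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
        - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
      volumeMounts:
        - name: enc
          mountPath: /etc/kubernetes/enc
          readOnly: true
  volumes:
    - name: enc
      hostPath:
        path: /etc/kubernetes/enc
        type: DirectoryOrCreate
```

Secrets written before the configuration was applied stay in plaintext in etcd until they are rewritten (for example with kubectl get secrets --all-namespaces -o json | kubectl replace -f -).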
User authentication
In the previous version of the document, user authentication was considered out of scope. The new version emphasizes the importance of user authentication and suggests using strong multi-factor authentication methods, even though they are not part of Kubernetes itself. The guide gives a clear direction to rely on third-party products in this area.
Use and continuously monitor RBAC to ensure the principle of least privilege among authorized users and user groups.
Disable all unauthenticated interfaces and anonymous authentication. Treat possibly stolen credentials as a viable and dangerous threat; short-lived tokens and third-party tools are used to mitigate this situation.
PSP deprecation
For those using PSP, it is suggested to move to PSA (from version 1.23). However, this section also suggests considering a third-party admission controller as a more flexible and customizable mechanism.
Admission controllers
Although admission controllers are not a new mechanism and also appeared in the previous version of the document, the new version adds more requirements and expectations. In addition to the enhanced PSP/PSA mechanism, admission controllers are now also expected to verify container image signatures and perform enhanced configuration validation.
Pod service account token protection
Earlier versions already recommended removing the service account token from all pods that are not designed to communicate with the Kubernetes API. This recommendation is still valid. However, some new CSP features can now use SA tokens for platform services outside Kubernetes' control. If you are using these features, it is now recommended to assign these service accounts an empty RBAC role.
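The two cases described above, as an added example that is not part of the article; the namespace, service account and role names are constructed. The first pod never talks to the Kubernetes API, so no token is mounted at all; the second keeps its token only for a cloud provider's workload identity feature and is bound to an explicitly empty Role so the token grants nothing inside the cluster.

```yaml
# Case 1: no token for a pod that does not use the Kubernetes API
apiVersion: v1
kind: ServiceAccount
metadata:
  name: web-frontend
  namespace: shop
automountServiceAccountToken: false
---
apiVersion: v1
kind: Pod
metadata:
  name: web-frontend
  namespace: shop
spec:
  serviceAccountName: web-frontend
  automountServiceAccountToken: false   # pod-level setting overrides the SA
  containers:
    - name: nginx
      image: nginx:1.23   # assumed image
---
# Case 2: token kept for an external (CSP) service, empty RBAC role in-cluster
apiVersion: v1
kind: ServiceAccount
metadata:
  name: object-uploader
  namespace: shop
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: no-permissions
  namespace: shop
rules: []            # deliberately empty: no verbs on any resource
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: object-uploader-no-permissions
  namespace: shop
subjects:
  - kind: ServiceAccount
    name: object-uploader
    namespace: shop
roleRef:
  kind: Role
  name: no-permissions
  apiGroup: rbac.authorization.k8s.io
```

You can confirm the result with kubectl auth can-i --list --as=system:serviceaccount:shop:object-uploader -n shop, which should list only the discovery endpoints every authenticated subject gets.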
Application container hardening
The document emphasizes the importance of continuous image scanning, because new vulnerabilities appear every day; using private (closed) image registries; using sandboxing and seccomp technology (on top of the principle of least privilege); using network policies and a CNI that supports them; paying special attention to the necessity of ingress policies; and it explicitly advises always starting from a default-deny policy and then enabling the necessary routes (this is not necessarily scalable, but it is absolutely the safest).
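As an added example (not from the article) covering both the PSP to PSA move and the default-deny network policy advice: the namespace enforces the Pod Security Admission "restricted" profile (which requires, among other things, a seccomp profile, non-root execution and no privilege escalation), all ingress is denied by default, and a single policy then opens only the route the application needs. Namespace, label and port values are constructed; the ingress-nginx namespace is assumed to exist.

```yaml
# PSA replaces PSP: enforce the restricted profile for every pod in the namespace
apiVersion: v1
kind: Namespace
metadata:
  name: shop
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: v1.23
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
# Start from default deny: selects every pod, allows no ingress at all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# Then enable only the necessary route: the frontend may be reached from the
# ingress controller's namespace on TCP 8080 and from nowhere else
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-from-ingress
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: web-frontend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
```

Network policies are additive, so every further route is a new allow policy rather than an edit to the default-deny one; they only take effect on a CNI that implements NetworkPolicy.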
Audit and logging
The new version pays more attention to logging of node services and of the application itself, and recommends using a third-party tool that can correlate and analyze all logs.
The document explicitly warns about log verbosity and about Kubernetes Secrets and other potentially sensitive information ending up in logs.
How Kubescape helps
Kubescape was the first tool to offer Kubernetes misconfiguration scanning based on the NSA and CISA guideline framework, scanning for it as soon as it was released. Since its launch, Kubescape, inspired by the NSA and CISA approach, has added many important security features for Kubernetes security assessment. Today it is still the leading open-source tool that provides this and several other frameworks.
Some of the new validations require an in-depth understanding of the node configuration. I want to encourage you to use the --enable-host-scan flag, which allows Kubescape to verify important node configuration aspects such as TLS-protected communication with the Kubernetes API, deactivation of anonymous authentication, and more.
We keep adding new validation controls to Kubescape to keep up with the latest threat landscape and with the development of security frameworks such as the NSA and CISA guide. Some of the new requirements in the new version are already implemented in Kubescape. Such controls may already exist in other frameworks, so they will soon be added to the NSA framework as well.
The continuous container vulnerability scanning that Kubescape provides gives better context for evaluating your potential risk score. If a critical vulnerability is found in a privileged pod, a pod open to ingress traffic, or a pod holding a privileged service account token, it poses a greater danger to your system.