aster.cloud aster.cloud
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
    • Learning
  • Tools
  • About
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
    • Learning
  • Tools
  • About
aster.cloud aster.cloud
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
    • Learning
  • Tools
  • About
  • Software Engineering

NSA & CISA Kubernetes Hardening Guide – What Is New With Version 1.1

  • aster.cloud
  • March 20, 2022
  • 4 minute read

In March 2022, NSA & CISA has issued a new version of the Kubernetes Hardening Guide – version 1.1. It updates the previous version that was released in August 2021. Kubernetes evolves fast, and Kubernetes adoption grows even quicker. Kubernetes has become a very popular target and therefore requires continuous enhancement of the protection measures.

The approach that NSA & CISA became popular and is used by many because it inspires readers to understand the root cause of each recommendation, why it is essential, and how malicious actors may utilize it. In addition to helping the readers understand what to enable and disable, the document helps map the threat landscape onto your specific solution and understand how potential attacks will influence your system.


Partner with aster.cloud
for your next big idea.
Let us know here.



From our partners:

CITI.IO :: Business. Institutions. Society. Global Political Economy.
CYBERPOGO.COM :: For the Arts, Sciences, and Technology.
DADAHACKS.COM :: Parenting For The Rest Of Us.
ZEDISTA.COM :: Entertainment. Sports. Culture. Escape.
TAKUMAKU.COM :: For The Hearth And Home.
ASTER.CLOUD :: From The Cloud And Beyond.
LIWAIWAI.COM :: Intelligence, Inside and Outside.
GLOBALCLOUDPLATFORMS.COM :: For The World's Computing Needs.
FIREGULAMAN.COM :: For The Fire In The Belly Of The Coder.
ASTERCASTER.COM :: Supra Astra. Beyond The Stars.
BARTDAY.COM :: Prosperity For Everyone.

The new version of the document shows that its authors follow Kubernetes and cloud security very closely and try to help the industry be ready for the next wave of threats driven by the evolution of the attack methodologies and the new features offered by Kubernetes and cloud platforms.

Several most important points addressed in the new version of the NSA & CISA Kubernetes Hardening Guide are provided here below:

Kubernetes infrastructure hardening

ETCD: ensure encryption at rest; mutual TLS communication between ETCD and KubeAPI server; use separate Certificate Authority for ETCD communication.

Container Runtimes: emphasized the necessity of continuous vulnerability scanning of the container runtime images and Kubernetes resident components as part of the supply chain threat.

Control plane hardening: use TLS and disable anonymous authentication in the control plane communication interfaces.

Read More  To User-Friendly SQL With Love From BigQuery

RBAC: much more focus is placed on the RBAC enablement and configuration. New recommendations include additional role separation. For example, it is recommended to separate between administration and infrastructure management roles.

User authentication

User authentication was treated as out-of-scope in the previous version of the document. The new version focuses on the importance of user authentication and suggests using strong multi-factor authentication methods even though they are not part of Kubernetes itself. The guidelines give clear direction to rely on the third-party products in this area.

Use and continuously monitor RBAC to ensure the least privileged principle among authorized users and user groups.

Disable all unauthenticated interfaces and anonymous authentication. Treat potentially stolen credentials as a viable and dangerous threat and use short-time tokens and third-party tools to mitigate this.

Deprecation of PSP

For those who used PSP, it is recommended to move to PSA (starting from v1.23). However, this section also recommends considering third-party admission controllers as a more flexible and customizable mechanism.

Admission controller

While admission controller is not a new mechanism and was also present in the previous version of the document, the new version adds more requirements/expectations. In addition to the enhanced PSP/PSA mechanism, admission controllers are now expected to validate container image signatures and perform enhanced configuration validations.

POD Service Account token protection

The earlier version has recommended removing Service Account tokens from all PODs that are not designed to communicate with KubeAPI. This recommendation is still valid. However, some new capabilities from CSPs now enable usage of the SA token to authenticate against platform services that are beyond Kubernetes control. If these capabilities are in use, assigning empty RBAC roles to such Service Accounts is now recommended.

Read More  Lockheed Martin Flies Real-Time, Mission Enabling Kubernetes Onboard U-2

Application container hardening

The document emphasizes the importance of continuous image scanning as new vulnerabilities appear every day; usage of private/closed image repositories; use of sandboxing and seccomp technologies (on top of least privileged principle); usage of network policies and CNI that supports them; special attention is paid to ingress policy necessity; explicit recommendation to always start from default denial policy and then enable necessary routes (which may not always be scalable, but definitely the most secure).

Auditing and Logging

The new version pays more attention to logging node services and applications themselves and suggests using third-party tools that can correlate and analyze all the logs together.

The document explicitly warns about a potential conflict in logging depth and exposure of potentially sensitive information such as Kubernetes secrets.

How Kubescape can help

Kubescape was the first tool offering Kubernetes misconfigurations scanning according to NSA & CISA Guidelines framework right after they were published. Since its launch, Kubescape has added many important security features inspired by NSA & CISA approach to the Kubernetes security assessment. It remains the leading open-source tool offering this and several additional frameworks today.

Some of the new verifications require deep visibility of the node configuration. I want to encourage you to use “–enable-host-scan” flag allowing Kubescape to verify important node configuration aspects such as TLS protected communication with KubeAPI, anonymous authentication deactivation, and many more.

We continue adding to Kubescape continuously new verification controls to adhere to the latest threat landscape and keep up with the evolution of the security frameworks such as NSA & CISA guidelines. Some of the new requirements in this new version were already implemented in Kubescape. Such controls may be present in other frameworks, so they will be added to the NSA framework shortly.

Read More  Enhancing The DevOps Experience On Kubernetes With Logging

Continuous container vulnerability scanning provided by Kubescape enables a better contextual assessment of your potential risk score. Critical vulnerabilities pose more danger to your system when they are found in the privileged PODs, PODs open to the ingress traffic, or PODs that possess privileged Service Account tokens.

 

 

Guest post originally published on ARMO’s blog by Leonid Sandler, CTO & Co-founder, ARMO
Source CNCF


For enquiries, product placements, sponsorships, and collaborations, connect with us at [email protected]. We'd love to hear from you!

Our humans need coffee too! Your support is highly appreciated, thank you!

aster.cloud

Related Topics
  • ARMO
  • CNCF
  • KubeAPI
  • Kubernetes
  • Kubescape
You May Also Like
View Post
  • Software Engineering
  • Technology

Claude 3.7 Sonnet and Claude Code

  • February 25, 2025
View Post
  • Engineering
  • Software Engineering

This Month in Julia World

  • January 17, 2025
View Post
  • Engineering
  • Software Engineering

Google Summer of Code 2025 is here!

  • January 17, 2025
View Post
  • Software Engineering

5 Books Every Beginner Programmer Should Read

  • July 25, 2024
Ruby
View Post
  • Software Engineering

How To Get Started With A Ruby On Rails Project – A Developer’s Guide

  • January 27, 2024
View Post
  • Engineering
  • Software Engineering

5 Ways Platform Engineers Can Help Developers Create Winning APIs

  • January 25, 2024
Clouds
View Post
  • Cloud-Native
  • Platforms
  • Software Engineering

Microsoft Releases Azure Migrate Assessment Tool For .NET Application

  • January 14, 2024
View Post
  • Software Engineering
  • Technology

It’s Time For Developers And Enterprises To Build With Gemini Pro

  • December 21, 2023

Stay Connected!
LATEST
  • 1
    Just make it scale: An Aurora DSQL story
    • May 29, 2025
  • 2
    Reliance on US tech providers is making IT leaders skittish
    • May 28, 2025
  • Examine the 4 types of edge computing, with examples
    • May 28, 2025
  • AI and private cloud: 2 lessons from Dell Tech World 2025
    • May 28, 2025
  • 5
    TD Synnex named as UK distributor for Cohesity
    • May 28, 2025
  • Weigh these 6 enterprise advantages of storage as a service
    • May 28, 2025
  • 7
    Broadcom’s ‘harsh’ VMware contracts are costing customers up to 1,500% more
    • May 28, 2025
  • 8
    Pulsant targets partner diversity with new IaaS solution
    • May 23, 2025
  • 9
    Growing AI workloads are causing hybrid cloud headaches
    • May 23, 2025
  • Gemma 3n 10
    Announcing Gemma 3n preview: powerful, efficient, mobile-first AI
    • May 22, 2025
about
Hello World!

We are aster.cloud. We’re created by programmers for programmers.

Our site aims to provide guides, programming tips, reviews, and interesting materials for tech people and those who want to learn in general.

We would like to hear from you.

If you have any feedback, enquiries, or sponsorship request, kindly reach out to us at:

[email protected]
Most Popular
  • Understand how Windows Server 2025 PAYG licensing works
    • May 20, 2025
  • By the numbers: How upskilling fills the IT skills gap
    • May 21, 2025
  • 3
    Cloud adoption isn’t all it’s cut out to be as enterprises report growing dissatisfaction
    • May 15, 2025
  • 4
    Hybrid cloud is complicated – Red Hat’s new AI assistant wants to solve that
    • May 20, 2025
  • 5
    Google is getting serious on cloud sovereignty
    • May 22, 2025
  • /
  • Technology
  • Tools
  • About
  • Contact Us

Input your search keywords and press Enter.