[HN Gopher] Kubernetes Hardening Guidance [pdf] ___________________________________________________________________ Kubernetes Hardening Guidance [pdf] Author : cjg Score : 127 points Date : 2022-10-05 15:33 UTC (7 hours ago) (HTM) web link (media.defense.gov) (TXT) w3m dump (media.defense.gov) | Havoc wrote: | I find the fact that the Defense dept issues stuff like this | almost more interesting than the content itself. Says a lot about | what keeps them up at night | anonporridge wrote: | The Space Force is cool, but honestly, we desperately need a | Cyber Force. | core-utility wrote: | https://www.nsa.gov/ | ryanisnan wrote: | Yeah but it'd be cool if we had a governmental agency that | wasn't adversarial to its own citizens. | scarby2 wrote: | The nsa is a bit of an oddity. It has conflicting | branches within it's own organization. Parts of it want | to keep you (and the rest of government) secure and the | other parts want backdoors into everything. | boston_clone wrote: | https://www.cisa.gov/ | e12e wrote: | https://www.cybercom.mil/About/Mission-and-Vision/ ? | jason-phillips wrote: | Having worked exactly in this space, this is a perfectly normal | document. Architects and principal engineers aren't bothered to | the point of distraction but it is definitely something that's | taken seriously. And it isn't just the DoD, it's every federal | agency. | [deleted] | wingmanjd wrote: | Another guide may be the CIS benchmark guide [1]. | | I can't attest to efficacy of this particular benchmark from | defense.gov (we don't use k8s at $DAYJOB), but we've leveraged | other benchmarks from CIS for various flavors of Windows/ Linux. | | [1] https://www.cisecurity.org/benchmark/kubernetes | raesene9 wrote: | This is one of the standards and compliance guides you can use | for k8s. | | The other ones I'm aware of are | | - CIS Benchmarks, there's coverage for Kubeadm, AKS, EKS, GKE, | OpenShift and some others. This is a compliance guide focused on | just k8s | | - DISA STIG for Kubernetes, another compliance guide, they don't | mention which distribution but it's kubeadm from looking at the | paths mentioned. | | - PCI Guidance for containers and container orchestration, this | one is recent, it's a generic guidance targeted at container | environments (docker, k8s etc) for PCI in-scope organizations but | TBH it should work for most places (if that one's of interest, | some more info https://raesene.github.io/) | | Some more details on these https://www.container- | security.site/general_information/cont... | | Making security guidance for k8s is kind of tricky due to the | number of distros and changes between versions | (https://raesene.github.io/blog/2022/09/20/Assessing-Kubernet...) | splix wrote: | Is it possible to configure a Kubernetes cluster to run only | _signed_ images? I.e., if someone has replaced a Docker in | registry is should not be accepted by cluster. | cheriot wrote: | There's an ecosystem of policy control tools built on top of | k8s' ValidatingWebhooks. Check Open Policy Agent and Kyverno. | | https://www.openpolicyagent.org/ | | https://kyverno.io/docs/writing-policies/verify-images/ | AgentME wrote: | Being able to specify images by hash would be a simpler | alternative. | | Requiring signed images seems like an arbitrary place to | require signatures, given that there's plenty of parts of | kubernetes deployment configs that could be used to do damage | and you need the whole thing authenticated. I guess a benefit | of having signed images instead of content-addressed images is | that they could be updated by a trusted person without needing | to update any kubernetes deployments, but presumably you'd want | to tell kubernetes to switch its running instances to the new | images so that sounds like an incomplete solution. | mfer wrote: | The short answer is yes. There are multiple tools that let you | do this. | | My personal favorite tool for this is Kubewarden[1] because its | policies are web assembly. There is a specific policy just for | verifying signatures[2]. | | [1] https://www.kubewarden.io/ | | [2] https://artifacthub.io/packages/kubewarden/verify-image- | sign... | kryptn wrote: | You can probably use an Admission Controller with the | ImagePolicyWebhook. | | https://kubernetes.io/docs/reference/access-authn-authz/admi... | [deleted] | schainks wrote: | Came here to ask the same thing. If I can sign git commits, can | we sign images or even individual layers? | dilyevsky wrote: | Yes, see | https://github.com/sigstore/cosign/blob/main/USAGE.md for one | example | [deleted] | jackconsidine wrote: | > Kubernetes, frequently abbreviated "K8s" because there are 8 | letters between K and S | | I'll be damned. I thought it was because the end kind of sounded | like "8-es" | deathanatos wrote: | Same as i18n (internationalization) and l10n (localization). | davewritescode wrote: | XML-Canonicalization is xml-c14n too! | cmehdy wrote: | a11y for accessibility also (and perhaps "ally" too?), but is | a bit ironic given that screen readers wouldn't be making | much sense out of that one. | paxys wrote: | And a16z. It's a pretty common silicon valley convention. I | was even asked to implement this in an interview once. | temp_praneshp wrote: | ha, me too, 4-5 years ago! | alpb wrote: | Prior discussion: https://news.ycombinator.com/item?id=30692794 | multani wrote: | For those who are implementing these security guidelines: how do | you ensure they have been correctly implemented? | | Do you have any kind of static check program that can check | beforehand that you are going to deploy a hardened kubernetes | cluster? Do you have a "live" checker that can verify the actual | configuration of a running cluster? Does it run all the time | oronce in a while? Also , if you have an automated way of | verifying your configuration, which program do you use? | | I only know about Chef's Inspec and the CIS profiles that are | available online, but the experience wasn't extraordinary and I | was wondering what is used in the wild? | outworlder wrote: | Maybe you can add them to OPA? | (https://www.openpolicyagent.org/) | SoftTalker wrote: | I didn't read this, but it's really tiresome to hear about having | to "harden" systems in 2022. They should be "hard" by default. If | you need to soften them to make them easier to work with | internally, that should be what needs a checklist and | instructions. | stonemetal12 wrote: | Yeah, but then everybody bitches about ease of use. That other | project down the street just works out of the box, while your | project is mired in configuration hell. | | More like we need a better Dev mode vs Production mode switch. | Dev mode would be fairly insecure but would also refuse to run | on the internet. Production mode would ease deploy but also | "self harden". | Kalium wrote: | That kind of divide ultimately falls apart. Over time, things | built in dev mode rely more and more on its insecurity and | production systems get pushed that way. | | This is why development systems need to be as production-like | as possible. Otherwise people ship boring webapps that | inexplicable rely on running as root in privileged containers | and expect prod to enable this. | Kalium wrote: | Looking at the guide, much of the hardening is above and beyond | anything any Kubernetes configuration can be expected to do. | Thus there is literally no way to ship a pre-hardened | Kubernetes that has to be softened with a checklist guide. | | Much of it is about development practices. Kubernetes cannot | scan your containers for vulnerabilities and misconfigurations | for you. Kubernetes cannot ensure lease privilege practices in | your containers for you. Kubernetes cannot do regular reviews | of logs and configurations and security patching status for | you. Kubernetes cannot monitor audit logs for you. | | With all this said, it's worth taking a look at the guide. It | goes far beyond suggesting a few changes to default settings. | Perhaps it could have been better phrased as "Hardening the | context and practices around Kubernetes" to avoid this | confusion. | itintheory wrote: | I think this is true, and the issue is deeper for kubernetes. | A k8s cluster by itself is not particularly useful. In order | to deploy real software you're going to need a bunch of other | components, extensions, and software. Things like persistent | storage, ingress controllers, service mesh, certificate | managers, DNS, etc. All of those components require | consideration from a security perspective. | numbsafari wrote: | Even OpenBSD ships with post-install "hardening" guidance... | | https://man.openbsd.org/afterboot | throwaway894345 wrote: | > I didn't read this, but ... | | :) ___________________________________________________________________ (page generated 2022-10-05 23:00 UTC)