[HN Gopher] Kubernetes Hardening Guidance [pdf]
___________________________________________________________________
Kubernetes Hardening Guidance [pdf]
Author : cjg
Score : 127 points
Date : 2022-10-05 15:33 UTC (7 hours ago)
(HTM) web link (media.defense.gov)
(TXT) w3m dump (media.defense.gov)
| Havoc wrote:
| I find the fact that the Defense dept issues stuff like this
| almost more interesting than the content itself. Says a lot about
| what keeps them up at night
| anonporridge wrote:
| The Space Force is cool, but honestly, we desperately need a
| Cyber Force.
| core-utility wrote:
| https://www.nsa.gov/
| ryanisnan wrote:
| Yeah but it'd be cool if we had a governmental agency that
| wasn't adversarial to its own citizens.
| scarby2 wrote:
| The nsa is a bit of an oddity. It has conflicting
| branches within its own organization. Parts of it want
| to keep you (and the rest of government) secure and the
| other parts want backdoors into everything.
| boston_clone wrote:
| https://www.cisa.gov/
| e12e wrote:
| https://www.cybercom.mil/About/Mission-and-Vision/ ?
| jason-phillips wrote:
| Having worked exactly in this space, this is a perfectly normal
| document. Architects and principal engineers aren't bothered to
| the point of distraction but it is definitely something that's
| taken seriously. And it isn't just the DoD, it's every federal
| agency.
| [deleted]
| wingmanjd wrote:
| Another guide may be the CIS benchmark guide [1].
|
| I can't attest to efficacy of this particular benchmark from
| defense.gov (we don't use k8s at $DAYJOB), but we've leveraged
| other benchmarks from CIS for various flavors of Windows/ Linux.
|
| [1] https://www.cisecurity.org/benchmark/kubernetes
| raesene9 wrote:
| This is one of the standards and compliance guides you can use
| for k8s.
|
| The other ones I'm aware of are
|
| - CIS Benchmarks, there's coverage for Kubeadm, AKS, EKS, GKE,
| OpenShift and some others. This is a compliance guide focused on
| just k8s
|
| - DISA STIG for Kubernetes, another compliance guide, they don't
| mention which distribution but it's kubeadm from looking at the
| paths mentioned.
|
| - PCI Guidance for containers and container orchestration, this
| one is recent, it's a generic guidance targeted at container
| environments (docker, k8s etc) for PCI in-scope organizations but
| TBH it should work for most places (if that one's of interest,
| some more info https://raesene.github.io/)
|
| Some more details on these https://www.container-
| security.site/general_information/cont...
|
| Making security guidance for k8s is kind of tricky due to the
| number of distros and changes between versions
| (https://raesene.github.io/blog/2022/09/20/Assessing-Kubernet...)
| splix wrote:
| Is it possible to configure a Kubernetes cluster to run only
| _signed_ images? I.e., if someone has replaced a Docker image in
| the registry, it should not be accepted by the cluster.
| cheriot wrote:
| There's an ecosystem of policy control tools built on top of
| k8s' ValidatingWebhooks. Check Open Policy Agent and Kyverno.
|
| https://www.openpolicyagent.org/
|
| https://kyverno.io/docs/writing-policies/verify-images/
| AgentME wrote:
| Being able to specify images by hash would be a simpler
| alternative.
|
| Requiring signed images seems like an arbitrary place to
| require signatures, given that there's plenty of parts of
| kubernetes deployment configs that could be used to do damage
| and you need the whole thing authenticated. I guess a benefit
| of having signed images instead of content-addressed images is
| that they could be updated by a trusted person without needing
| to update any kubernetes deployments, but presumably you'd want
| to tell kubernetes to switch its running instances to the new
| images so that sounds like an incomplete solution.
| mfer wrote:
| The short answer is yes. There are multiple tools that let you
| do this.
|
| My personal favorite tool for this is Kubewarden[1] because its
| policies are WebAssembly. There is a specific policy just for
| verifying signatures[2].
|
| [1] https://www.kubewarden.io/
|
| [2] https://artifacthub.io/packages/kubewarden/verify-image-
| sign...
| kryptn wrote:
| You can probably use an Admission Controller with the
| ImagePolicyWebhook.
|
| https://kubernetes.io/docs/reference/access-authn-authz/admi...
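As an added example (not code from the thread or from any project it links), a minimal backend for the ImagePolicyWebhook admission plugin kryptn mentions, enforcing the digest-pinning idea AgentME raised: it takes the ImageReview request kube-apiserver sends and returns the ImageReview status it expects, rejecting any container image not referenced by sha256 digest (optionally also requiring the digest to be on an allow-list). The registry names and digests are constructed placeholders, and the HTTPS serving side is left out.

```python
import re
from typing import Dict, Optional, Set

# A reference is digest-pinned when it ends in @sha256:<64 hex chars>;
# tag-based references (app:1.2) are mutable in the registry and are rejected.
DIGEST_RE = re.compile(r"^(?P<name>[^@\s]+)@(?P<digest>sha256:[0-9a-f]{64})$")

# Constructed allow-list of digests an operator has approved (placeholder values).
ALLOWED_DIGESTS: Set[str] = {"sha256:" + "a" * 64, "sha256:" + "b" * 64}


def check_image(ref: str, allowed: Optional[Set[str]] = ALLOWED_DIGESTS) -> Optional[str]:
    """Return None if the image reference is acceptable, else a rejection reason."""
    m = DIGEST_RE.match(ref)
    if not m:
        return f"image {ref!r} is not pinned by sha256 digest"
    if allowed is not None and m.group("digest") not in allowed:
        return f"image {ref!r} has a digest that is not on the allow-list"
    return None


def review(image_review: Dict, allowed: Optional[Set[str]] = ALLOWED_DIGESTS) -> Dict:
    """Evaluate an imagepolicy.k8s.io/v1alpha1 ImageReview and build the response.

    kube-apiserver POSTs {"spec": {"containers": [{"image": ...}, ...], ...}}
    and reads back status.allowed / status.reason.
    """
    reasons = []
    for container in image_review.get("spec", {}).get("containers", []):
        reason = check_image(container.get("image", ""), allowed)
        if reason:
            reasons.append(reason)
    return {
        "apiVersion": "imagepolicy.k8s.io/v1alpha1",
        "kind": "ImageReview",
        "status": {"allowed": not reasons, "reason": "; ".join(reasons)},
    }


# Constructed sample request: one pinned image on the allow-list, one floating tag.
SAMPLE_REQUEST = {
    "apiVersion": "imagepolicy.k8s.io/v1alpha1",
    "kind": "ImageReview",
    "spec": {
        "containers": [
            {"image": "registry.example.invalid/app@sha256:" + "a" * 64},
            {"image": "registry.example.invalid/sidecar:latest"},
        ],
        "namespace": "prod",
    },
}

if __name__ == "__main__":
    print(review(SAMPLE_REQUEST))
```

Pass `allowed=None` to require only digest pinning without an allow-list; either way a tag that is later re-pushed in the registry can no longer change what the cluster runs.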
| [deleted]
| schainks wrote:
| Came here to ask the same thing. If I can sign git commits, can
| we sign images or even individual layers?
| dilyevsky wrote:
| Yes, see
| https://github.com/sigstore/cosign/blob/main/USAGE.md for one
| example
| [deleted]
| jackconsidine wrote:
| > Kubernetes, frequently abbreviated "K8s" because there are 8
| letters between K and S
|
| I'll be damned. I thought it was because the end kind of sounded
| like "8-es"
| deathanatos wrote:
| Same as i18n (internationalization) and l10n (localization).
| davewritescode wrote:
| XML-Canonicalization is xml-c14n too!
| cmehdy wrote:
| a11y for accessibility also (and perhaps "ally" too?), but it is
| a bit ironic given that screen readers wouldn't be making
| much sense out of that one.
| paxys wrote:
| And a16z. It's a pretty common Silicon Valley convention. I
| was even asked to implement this in an interview once.
| temp_praneshp wrote:
| ha, me too, 4-5 years ago!
| alpb wrote:
| Prior discussion: https://news.ycombinator.com/item?id=30692794
| multani wrote:
| For those who are implementing these security guidelines: how do
| you ensure they have been correctly implemented?
|
| Do you have any kind of static check program that can check
| beforehand that you are going to deploy a hardened kubernetes
| cluster? Do you have a "live" checker that can verify the actual
| configuration of a running cluster? Does it run all the time
| or once in a while? Also, if you have an automated way of
| verifying your configuration, which program do you use?
|
| I only know about Chef's InSpec and the CIS profiles that are
| available online, but the experience wasn't extraordinary and I
| was wondering what is used in the wild?
| outworlder wrote:
| Maybe you can add them to OPA?
| (https://www.openpolicyagent.org/)
| SoftTalker wrote:
| I didn't read this, but it's really tiresome to hear about having
| to "harden" systems in 2022. They should be "hard" by default. If
| you need to soften them to make them easier to work with
| internally, that should be what needs a checklist and
| instructions.
| stonemetal12 wrote:
| Yeah, but then everybody bitches about ease of use. That other
| project down the street just works out of the box, while your
| project is mired in configuration hell.
|
| More like we need a better Dev mode vs Production mode switch.
| Dev mode would be fairly insecure but would also refuse to run
| on the internet. Production mode would ease deploy but also
| "self harden".
| Kalium wrote:
| That kind of divide ultimately falls apart. Over time, things
| built in dev mode rely more and more on its insecurity and
| production systems get pushed that way.
|
| This is why development systems need to be as production-like
| as possible. Otherwise people ship boring webapps that
| inexplicably rely on running as root in privileged containers
| and expect prod to enable this.
| Kalium wrote:
| Looking at the guide, much of the hardening is above and beyond
| anything any Kubernetes configuration can be expected to do.
| Thus there is literally no way to ship a pre-hardened
| Kubernetes that has to be softened with a checklist guide.
|
| Much of it is about development practices. Kubernetes cannot
| scan your containers for vulnerabilities and misconfigurations
| for you. Kubernetes cannot ensure least privilege practices in
| your containers for you. Kubernetes cannot do regular reviews
| of logs and configurations and security patching status for
| you. Kubernetes cannot monitor audit logs for you.
|
| With all this said, it's worth taking a look at the guide. It
| goes far beyond suggesting a few changes to default settings.
| Perhaps it could have been better phrased as "Hardening the
| context and practices around Kubernetes" to avoid this
| confusion.
| itintheory wrote:
| I think this is true, and the issue is deeper for kubernetes.
| A k8s cluster by itself is not particularly useful. In order
| to deploy real software you're going to need a bunch of other
| components, extensions, and software. Things like persistent
| storage, ingress controllers, service mesh, certificate
| managers, DNS, etc. All of those components require
| consideration from a security perspective.
| numbsafari wrote:
| Even OpenBSD ships with post-install "hardening" guidance...
|
| https://man.openbsd.org/afterboot
| throwaway894345 wrote:
| > I didn't read this, but ...
|
| :)
___________________________________________________________________
(page generated 2022-10-05 23:00 UTC)