科技回声

Kubernetes Hardening Guidance [pdf]

237 points by cjg over 2 years ago

10 comments

raesene9 over 2 years ago
This is one of the standards and compliance guides you can use for k8s.

The other ones I'm aware of are

- CIS Benchmarks, there's coverage for Kubeadm, AKS, EKS, GKE, OpenShift and some others. This is a compliance guide focused on just k8s

- DISA STIG for Kubernetes, another compliance guide, they don't mention which distribution but it's kubeadm from looking at the paths mentioned.

- PCI Guidance for containers and container orchestration, this one is recent, it's a generic guidance targeted at container environments (docker, k8s etc) for PCI in-scope organizations but TBH it should work for most places (if that one's of interest, some more info https://raesene.github.io/)

Some more details on these https://www.container-security.site/general_information/container_security_standards.html

Making security guidance for k8s is kind of tricky due to the number of distros and changes between versions (https://raesene.github.io/blog/2022/09/20/Assessing-Kubernetes-Clusters-for-PCI-Compliance/)
jackconsidine over 2 years ago
> Kubernetes, frequently abbreviated "K8s" because there are 8 letters between K and S

I'll be damned. I thought it was because the end kind of sounded like "8-es"
Havoc over 2 years ago
I find the fact that the Defense dept issues stuff like this almost more interesting than the content itself. Says a lot about what keeps them up at night
splix over 2 years ago
Is it possible to configure a Kubernetes cluster to run only _signed_ images? I.e., if someone has replaced a Docker image in the registry, it should not be accepted by the cluster.
multani over 2 years ago
For those who are implementing these security guidelines: how do you ensure they have been correctly implemented?

Do you have any kind of static check program that can check beforehand that you are going to deploy a hardened Kubernetes cluster? Do you have a "live" checker that can verify the actual configuration of a running cluster? Does it run all the time or once in a while? Also, if you have an automated way of verifying your configuration, which program do you use?

I only know about Chef's InSpec and the CIS profiles that are available online, but the experience wasn't extraordinary and I was wondering what is used in the wild?
alpb over 2 years ago
Prior discussion: https://news.ycombinator.com/item?id=30692794
wingmanjd over 2 years ago
Another guide may be the CIS benchmark guide [1].

I can't attest to the efficacy of this particular benchmark from defense.gov (we don't use k8s at $DAYJOB), but we've leveraged other benchmarks from CIS for various flavors of Windows / Linux.

[1] https://www.cisecurity.org/benchmark/kubernetes
efortis over 2 years ago
The example of appendix A is a PoLA violation (Principle of Least Authority).

It has source code in the container. Use an external build server.
gz5 over 2 years ago
Well done. From the control plane section:

> The Kubernetes API server runs on port 6443, which should be protected by a firewall to accept only expected traffic.

How are folks doing this in practice at scale? Managing ACLs for kubectl, admins, workflow systems, distributed worker nodes etc?
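One shape a pre-deploy static check of the kind multani asks about can take, also covering the API-server port 6443 that gz5 quotes from the guide: an added example, not code from the thread, the guide or any of the tools named above. It reads the `command` list of a kube-apiserver static pod manifest and compares it against a small baseline of flags; the two manifests are constructed, and the choice of flags in the baseline is my assumption, not a list taken from the page.

```python
"""Static pre-deploy check of kube-apiserver flags (added example)."""
from typing import Dict, List

# Constructed sample: `command` of a kube-apiserver static pod before hardening.
WEAK_CMD = [
    "kube-apiserver",
    "--advertise-address=10.0.0.10",
    "--secure-port=6443",
    "--authorization-mode=AlwaysAllow",
    "--anonymous-auth=true",
    "--profiling=true",
]

# Constructed sample: the same manifest after applying the baseline below.
HARDENED_CMD = [
    "kube-apiserver",
    "--advertise-address=10.0.0.10",
    "--secure-port=6443",
    "--authorization-mode=Node,RBAC",
    "--anonymous-auth=false",
    "--profiling=false",
    "--audit-log-path=/var/log/kubernetes/audit.log",
]

def parse_flags(command: List[str]) -> Dict[str, str]:
    """Turn ["--a=b", "--c"] into {"a": "b", "c": "true"} (kube-apiserver style)."""
    flags: Dict[str, str] = {}
    for arg in command[1:]:
        if not arg.startswith("--"):
            continue
        name, _, value = arg[2:].partition("=")
        flags[name] = value if value != "" else "true"
    return flags

def check_apiserver(command: List[str]) -> List[str]:
    """Return findings against an assumed baseline; an empty list means all passed.
    Defaults used when a flag is absent are the kube-apiserver defaults."""
    f = parse_flags(command)
    findings: List[str] = []
    if f.get("anonymous-auth", "true") != "false":
        findings.append("anonymous-auth is not disabled")
    modes = f.get("authorization-mode", "AlwaysAllow").split(",")
    if "AlwaysAllow" in modes or "RBAC" not in modes:
        findings.append("authorization-mode must include RBAC and exclude AlwaysAllow")
    if f.get("secure-port", "6443") != "6443":
        findings.append("secure-port differs from 6443, firewall rules may not match")
    if f.get("insecure-port", "0") != "0":
        findings.append("insecure (plaintext) port is enabled")
    if "audit-log-path" not in f:
        findings.append("audit-log-path not set, no API audit trail")
    if f.get("profiling", "true") != "false":
        findings.append("profiling endpoint enabled")
    return findings

if __name__ == "__main__":
    for name, cmd in (("weak", WEAK_CMD), ("hardened", HARDENED_CMD)):
        print(name, check_apiserver(cmd) or "OK")
```

This only covers the static half of the question; a live checker would read the same flags from the running static pod via the API and feed them to `check_apiserver` unchanged.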
SoftTalker over 2 years ago
I didn't read this, but it's really tiresome to hear about having to "harden" systems in 2022. They should be "hard" by default. If you need to soften them to make them easier to work with internally, that should be what needs a checklist and instructions.