The U.S. National Security Agency (NSA) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued new guidance on improving Kubernetes security. The guidance document includes best practices for securing container environments and blocking key threats such as supply chain attacks, data theft, and malicious attacks by insiders.
Kubernetes is an open-source container-orchestration system used to automate the deployment, scaling, and management of containerized applications. While offering many benefits, securing Kubernetes environments can be challenge. Oftentimes container environments are misconfigured and vulnerabilities are not addressed, which gives hackers an opportunity. Mistakes securing Kubernetes environments are being actively exploited and cyber threat actors are actively targeting Kubernetes environments to steal sensitive data and hijack the computing power of Kubernetes environments for cryptocurrency mining.
Several campaigns have been identified in recent weeks where cyber threat actors have targeted Kubernetes. Cryptocurrency miners were deployed by one threat actor using misconfigured Argo Workflows. Siloscape malware was developed specifically for use in attacks on Kubernetes containers and another threat actor created a new malware variant called Black-T, which was integrated with open-source cloud-native tools and used in cryptomining attacks on Kubernetes environments.
Hackers often take advantage of exposed APIs in control panels, misconfigured worker nodes hosting the kubelet and kube-proxy service, and vulnerabilities in containerized applications outside clusters before elevating privileges and conducting attacks within the cluster.
Insider threats are also a risk, with the high-level privileges of administrators abused in attacks. Even users with high levels of privileges can abuse their access, and attacks can be conducted by infrastructure providers to gain access to systems then pivot to the Kubernetes environment.
One of the biggest risks, and one of the hardest to mitigate, is supply chain attacks. Containers and applications from third-party service providers can give attackers the foothold they need to conduct attacks. If the software or hardware hosting Kubernetes is compromised, hackers can then gain access to the cluster.
The 52-page guidance document details the threats to Kubernetes environments, covers best practices for setting up Kubernetes, and provides effective strategies for hardening defenses. These include scanning for misconfigurations and vulnerabilities, network separation, effective authentication, log auditing, and applying the principle of least privilege.
The key recommendations in the Kubernetes Hardening Guidance document for improving security include:
- Scanning containers and pods to identify vulnerabilities and misconfigurations
- Running containers and pods with the least privileges possible
- Denying container features frequently exploited to breakout, such as hostPID, hostIPC, hostNetwork, allowedHostPath
- Using network separation to minimize damage in the event of an attack
- Deploying firewalls to limit unauthorized network connectivity
- Using encryption to protect sensitive data
- Implementing strong authentication and authorization to restrict user and administrator access and disable anonymous login
- Conducting periodic reviews of all Kubernetes settings and remove components when they are no longer needed
- Applying patches immediately
- Performing log auditing and set up alerts to identify potential malicious activity