Kubernetes can be a valuable target for data and/or compute power theft. While data theft is traditionally the primary motivation, cyber actors seeking computational power (often for cryptocurrency mining) are also drawn to Kubernetes to harness the underlying infrastructure.
In addition to resource theft, cyber actors may also target Kubernetes to cause a denial of service.
Pods are the smallest deployable Kubernetes unit and consist of one or more containers. Pods are often a cyber actor’s initial execution environment upon exploiting a container. For this reason, Pods should be hardened to make exploitation more difficult and to limit the impact of a successful compromise.
Three common sources of compromise in Kubernetes are supply chain risks, malicious threat actors, and insider threats.
Supply chain risks are often challenging to mitigate and can arise in the container build cycle or infrastructure acquisition.
Malicious threat actors can exploit vulnerabilities and misconfigurations in components of the Kubernetes architecture, such as the control plane, worker nodes, or containerized applications.
Insider threats can be administrators, users, or cloud service providers. Insiders with special access to an organization’s Kubernetes infrastructure may be able to abuse these privileges.
Here are the recommended hardening measures and mitigations suggested by CISA and NSA:
- Scan containers and Pods for vulnerabilities or misconfigurations.
- Run containers and Pods with the least privileges possible.
- Use network separation to control the amount of damage a compromise can cause.
- Use firewalls to limit unneeded network connectivity and encryption to protect confidentiality.
- Use strong authentication and authorization to limit user and administrator access as well as to limit the attack surface.
- Use log auditing so that administrators can monitor activity and be alerted to potential malicious activity.
- Periodically review all Kubernetes settings and use vulnerability scans to help ensure risks are appropriately accounted for and security patches are applied.
The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released the full guidance as a Cybersecurity Technical Report, “Kubernetes Hardening Guidance”.
Metmox's Recommendations For Seamless Security:
On the Control Plane:
- TLS Everywhere
- Enable RBAC with Least Privilege, Disable ABAC, and Monitor Logs
- Use Third Party Auth for API Server
- Separate and Firewall your etcd Cluster
- Rotate Encryption Keys
On Workloads:
- Use Linux Security Features and PodSecurity Policies
- Statically Analyse YAML
- Run Containers as a Non-Root User
- Use Network Policies
- Scan Images and Run IDS
- Run a Service Mesh
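The workload items above (least privilege, non-root containers, static analysis of manifests) can be enforced before a Pod ever reaches the API server. The following is an added example, not code from the NSA/CISA report or from Metmox: a small static checker that takes a Pod manifest (already parsed, for instance from YAML via PyYAML or from `kubectl get pod -o json`) and reports the hardening rules it violates. The two manifests, the image names and the `<digest>` placeholder are constructed for the example.

```python
"""Static checks for a few Pod-level hardening rules (added example)."""
from typing import Dict, List

# Constructed sample manifests: one weak, one hardened (not real workloads).
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "weak"},
    "spec": {
        "hostNetwork": True,  # shares the node's network namespace
        "containers": [{"name": "app", "image": "example.com/app:latest",
                        "securityContext": {"privileged": True}}],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hardened"},
    "spec": {
        "containers": [{"name": "app",
                        "image": "example.com/app@sha256:<digest>",  # placeholder digest
                        "securityContext": {
                            "runAsNonRoot": True,
                            "allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"]},
                        }}],
    },
}


def pod_findings(manifest: Dict) -> List[str]:
    """Return a list of hardening violations; an empty list means the Pod passes."""
    spec = manifest.get("spec", {})
    findings: List[str] = []
    # Host namespaces expose the node's network, process table and IPC to the Pod.
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            findings.append(f"spec.{ns} is true")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        # runAsNonRoot may be set at Pod or container level; the container value wins.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: runAsNonRoot not set")
        if sc.get("allowPrivilegeEscalation", True):  # defaults to true when absent
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped (drop: [ALL])")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if "@sha256:" not in c.get("image", ""):
            findings.append(f"{name}: image not pinned by digest")
    return findings
```

Running `pod_findings(WEAK_POD)` returns seven findings, while the hardened manifest returns none; the same function can be wired into a CI step so that manifests are rejected before `kubectl apply`.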