The US National Security Agency has released its first hardening guidance for organizations that run Kubernetes. The guidance is intended to help organizations protect their clusters from unauthorized access and exploitation in the wake of increased attacks on the open-source container orchestration platform.
The guidance was issued jointly with the DHS’s Cybersecurity and Infrastructure Security Agency (CISA). It provides users with a variety of security considerations that they should implement to minimize risk.
The agencies noted that attackers target Kubernetes for three main reasons: data theft, theft of computational power (typically for cryptocurrency mining), and denial of service.
“Kubernetes is commonly targeted for three reasons: data theft, computational power theft, or denial of service,” the agencies note in a joint announcement. “Data theft is traditionally the primary motivation; however, cyber actors may attempt to use Kubernetes to harness a network’s underlying infrastructure for computational power for purposes such as cryptocurrency mining.”
CIM recently reported that security researchers had warned of attackers increasingly exploiting misconfigured Kubernetes deployments to plant crypto-miners on enterprise hardware.
The report offers guidance on how to harden environments in the context of cloud deployments. The recommendations cover the various components of Kubernetes, including the control plane, the worker nodes, and the pods.
To minimize risk, the guidance recommends keeping Kubernetes and its components patched and up to date, routinely scanning containers and pods for vulnerabilities and misconfigurations, using network separation and firewalls to limit what a compromised workload can reach, enforcing strong (multi-factor) authentication for users and administrators, and auditing logs so that anomalous activity is noticed.
The NSA and the CISA also remind that there are supply chain risks associated with deploying third-party dependencies and hardware.
“The security of applications running in Kubernetes and their third-party dependencies relies on the trustworthiness of the developers and the defense of the development infrastructure. A malicious container or application from a third party could provide cyber actors with a foothold in the cluster,” the agencies note.
The report also warns that attackers target control plane components that lack proper access controls, as well as worker nodes, which reside outside the locked-down control plane. Pods, the agencies note, are frequently the initial point of compromise because they run the application code that is exposed to users and the network.
The agencies also recommend running rootless container engines and non-root containers, so that application code does not execute as the privileged root user and a container compromise does not immediately yield root on the node.
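The non-root recommendation is enforced per pod through the manifest's securityContext. Below is an added example, not from the NSA/CISA guidance or the original article, showing the weak default beside a hardened form. The pod and namespace names, the UID 10001, the image reference and the resource limits are all assumptions; the rootless container engine itself is configured on the node, outside any manifest.

```yaml
# Added example (not from the NSA/CISA guidance). Names, UID, image and
# limits are hypothetical.
#
# Weak form: no securityContext at all. The container runs as whatever
# user the image sets, which for many base images is root (UID 0), with
# the default capability set and a writable root filesystem.
apiVersion: v1
kind: Pod
metadata:
  name: app-weak
  namespace: payments
spec:
  containers:
  - name: app
    image: registry.example.com/payments/api:latest   # mutable tag, unpinned
---
# Hardened form.
apiVersion: v1
kind: Pod
metadata:
  name: app-hardened
  namespace: payments
spec:
  securityContext:
    runAsNonRoot: true        # kubelet refuses to start the container if it would run as UID 0
    runAsUser: 10001          # explicit unprivileged UID; do not rely on the image's USER line
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault    # runtime's default syscall filter instead of Unconfined
  automountServiceAccountToken: false   # no API credentials unless the app needs them
  containers:
  - name: app
    image: registry.example.com/payments/api@sha256:0000000000000000000000000000000000000000000000000000000000000000  # placeholder digest; pin real images by digest
    securityContext:
      allowPrivilegeEscalation: false   # blocks setuid binaries from regaining privilege
      privileged: false
      readOnlyRootFilesystem: true      # attacker cannot drop tools or miners on the image filesystem
      capabilities:
        drop:
        - ALL                           # add back individual capabilities only if proven necessary
    volumeMounts:
    - name: tmp
      mountPath: /tmp                   # the one writable location the app is given
    resources:
      limits:
        cpu: "500m"                     # caps what a hijacked pod can burn on mining
        memory: "256Mi"
  volumes:
  - name: tmp
    emptyDir: {}
```

If the image was built to run as root, the hardened pod will not start: the kubelet reports that the container has `runAsNonRoot` set and the image would run as root. That failure is the check working as intended, and the fix belongs in the image (a `USER` directive and file ownership for the unprivileged UID), not in relaxing the manifest. The `automountServiceAccountToken: false` line is worth keeping even for pods that never talk to the API server, because a stolen token is the usual first step from a compromised pod to the control plane.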