NSA and CISA publish guidance on hardening Kubernetes following cloud infrastructure cyber attacks

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a new report to help systems administrators harden their Kubernetes environments and know the risks to such infrastructure.

Kubernetes clusters are often deployed in public and private clouds, as they provide several flexibility and security benefits compared to traditional, monolithic software platforms. However, they are at risk from hackers looking to steal data.

According to a published report, the three most common compromise sources in Kubernetes are supply chain risks, malicious threat actors, and insider threats.

"Kubernetes is commonly targeted for three reasons: data theft, computational power theft, or denial of service," the agencies said in a joint announcement.

"Data theft is traditionally the primary motivation; however, cyber actors may attempt to use Kubernetes to harness a network's underlying infrastructure for computational power for purposes such as cryptocurrency mining."

The report recommended IT administrators scan containers and pods for vulnerabilities or misconfigurations, run containers and pods with the least privileges possible, and use network separation to control the damage a compromise can cause.

The report also urged administrators to use firewalls to limit unneeded network connectivity, encryption to protect confidentiality, and strong authentication and authorization to limit user and administrator access and limit the attack surface.

Administrators should also use log auditing to monitor activity and be alerted to potential malicious activity. The guidance also suggested all Kubernetes settings should be periodically reviewed and “use vulnerability scans to help ensure risks are appropriately accounted for and security patches are applied.”

The advisory also went into more detail about particular threats. It said that with supply chain risks, an adversary may subvert any element that makes up a system, including product components, services, or personnel that help supply the end product.

"The security of applications running in Kubernetes and their third-party dependencies relies on the trustworthiness of the developers and the defense of the development infrastructure. A malicious container or application from a third party could provide cyber actors with a foothold in the cluster," said the advisory.

The advisory also warned that Kubernetes architecture exposes several APIs that cyber actors could potentially leverage for remote exploitation. The Kubernetes control plane has a variety of components that communicate to track and manage the cluster. “Cyber actors frequently take advantage of exposed control plane components lacking appropriate access controls,” the report said.