The U.S. National Security Agency and Cybersecurity and Infrastructure Security Agency has released a guide that can help IT administrators and cybersecurity professionals minimize risk in Kubernetes environments as attacks targeting the open-source system are increasing.
The guide comes as threat actors are looking for new ways into IT networks, including Kubernetes via supply chain risks, malicious threat actors and insider threats, the agencies say in an advisory.
The agencies say supply chain risks arise in the container build cycle or infrastructure acquisition and can be tough to mitigate. Meanwhile, threat actors can exploit vulnerabilities and misconfigurations in components of the Kubernetes architecture, including the control plane, worker nodes or containerized applications. Threats can also come from the inside from administrators, users, or cloud service providers with special access to an organization’s Kubernetes infrastructure.
Data theft is the main attack that system admins need to mitigate, but criminals are also seeking compute power for cryptocurrency mining or to cause a denial of service.
The guide is meant for system administrators and developers of National Security Systems, but IT departments and cybersecurity professionals in other sectors can take away some meaningful advice from the advisory as well.
“Although this guidance is tailored to National Security Systems and critical infrastructure organizations, administrators of federal and state, local, tribal, and territorial (SLTT) government networks are also encouraged to implement the recommendations provided,” the advisory says. “Kubernetes clusters can be complex to secure and are often abused in compromises that exploit their misconfigurations.”
According to CISA and the NSA, system administrators should do the following to harden their Kubernetes architecture and mitigate some of these attacks.
- Scan containers and Pods for vulnerabilities or misconfigurations
- Run containers and Pods with the least privileges possible
- Use network separation to control the amount of damage a compromise can cause
- Use firewalls to limit unneeded network connectivity and encryption to protect confidentiality
- Use strong authentication and authorization to limit user and administrator access as well as to limit the attack surface.
- Use log auditing so that administrators can monitor activity and be alerted to potential malicious activity
- Periodically review all Kubernetes settings and use vulnerability scans to help ensure risks are appropriately accounted for and security patches are applied.
Read the advisory for more information on how to harden your Kubernetes infrastructure.