NSA and CISA publish guidance on hardening Kubernetes following cloud infrastructure cyber attacks

Kubernetes on a smartphone screen

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a new report to help systems administrators harden their Kubernetes environments and know the risks to such infrastructure.

Kubernetes clusters are often deployed in public and private clouds, as they provide several flexibility and security benefits compared to traditional, monolithic software platforms. However, they are at risk from hackers looking to steal data.

According to a published report, the three most common compromise sources in Kubernetes are supply chain risks, malicious threat actors, and insider threats.

"Kubernetes is commonly targeted for three reasons: data theft, computational power theft, or denial of service," the agencies said in a joint announcement.

"Data theft is traditionally the primary motivation; however, cyber actors may attempt to use Kubernetes to harness a network's underlying infrastructure for computational power for purposes such as cryptocurrency mining."

The report recommended IT administrators scan containers and pods for vulnerabilities or misconfigurations, run containers and pods with the least privileges possible, and use network separation to control the damage a compromise can cause.

The report also urged administrators to use firewalls to limit unneeded network connectivity, encryption to protect confidentiality, and strong authentication and authorization to limit user and administrator access and limit the attack surface.


The Total Economic Impact™ of Mimecast

Cost savings and business benefits enabled by using Mimecast with Microsoft 365


Administrators should also use log auditing to monitor activity and be alerted to potential malicious activity. The guidance also suggested all Kubernetes settings should be periodically reviewed and “use vulnerability scans to help ensure risks are appropriately accounted for and security patches are applied.”

The advisory also went into more detail about particular threats. It said that with supply chain risks, an adversary may subvert any element that makes up a system, including product components, services, or personnel that help supply the end product.

"The security of applications running in Kubernetes and their third-party dependencies relies on the trustworthiness of the developers and the defense of the development infrastructure. A malicious container or application from a third party could provide cyber actors with a foothold in the cluster," said the advisory.

The advisory also warned that Kubernetes architecture exposes several APIs that cyber actors could potentially leverage for remote exploitation. The Kubernetes control plane has a variety of components that communicate to track and manage the cluster. “Cyber actors frequently take advantage of exposed control plane components lacking appropriate access controls,” the report said.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.