Source: https://cobaltstrike.net/2022/03/17/nsa-and-cisa-updated-kubernetes-security-guide/
The US National Security Agency, together with the Cybersecurity and Infrastructure Security Agency (CISA), has published an updated guide on the security of Kubernetes clusters.
The new edition updates the Kubernetes hardening guide that the NSA and CISA first released last August. It adds details and explanations based on community feedback, as well as more detailed information about threat detection.
Some of the changes are minor, but they matter to specialists responsible for securing Kubernetes clusters. The key points of the original guide are unchanged.
Kubernetes protection is considered in the context of a typical cluster design, which consists of a control plane, worker nodes (which run the containerized applications) and the pods that hold the containers on those nodes. These clusters are often hosted in the cloud, or even across several clouds, in AWS, Azure, Google and elsewhere.
As the NSA and CISA note, Kubernetes is typically targeted for data theft, theft of computing power, or denial of service. Historically, vulnerabilities in Kubernetes and its various dependencies, as well as misconfigurations, have been used by attackers to deploy cryptominers in the victim's infrastructure. In addition, Kubernetes is at risk of supply chain attacks, since clusters usually have third-party software and hardware dependencies.
Beyond supply chain risks, Kubernetes is also exposed to external and internal threats, for example when workloads that are not managed by a given cluster share the same physical network. In that case, such a workload may be able to reach the kubelet and control plane components such as the API server. For this reason, the NSA and CISA recommend isolation at the network level.
The guide contains tips on how to enforce strict workload isolation between pods running on the same node in the cluster, given that Kubernetes does not guarantee such separation by default.
Regular review of Kubernetes settings and scanning for vulnerabilities are also recommended.
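The node-level isolation and network isolation the guide recommends, and the regular settings review it asks for, can be checked mechanically. The following is an added example, not code from the article or from the NSA/CISA guide: it audits Pod manifests (in the dict form a YAML loader produces) for settings that dissolve the pod boundary, and checks a namespace for a default-deny NetworkPolicy. The sample manifests and the specific checks are constructed for illustration.

```python
from typing import Dict, List

def audit_pod(pod: Dict) -> List[str]:
    """Findings for one Pod manifest (dict form, as yaml.safe_load would give)."""
    findings, spec = [], pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    # Sharing the node's namespaces removes the pod boundary the guide wants kept
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{name}: {flag} is enabled")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc, cname = c.get("securityContext", {}), c.get("name", "<unnamed>")
        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation not false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}/{cname}: runAsNonRoot not set")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}/{cname}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}/{cname}: capabilities not dropped")
    return findings

def has_default_deny(namespace: str, policies: List[Dict]) -> bool:
    """True if a NetworkPolicy in `namespace` selects all pods and blocks both directions."""
    for p in policies:
        spec = p.get("spec", {})
        if (p.get("metadata", {}).get("namespace") == namespace
                and spec.get("podSelector") == {}
                and {"Ingress", "Egress"} <= set(spec.get("policyTypes", []))
                and not spec.get("ingress") and not spec.get("egress")):
            return True
    return False

# Constructed sample manifests (not taken from the guide).
WEAK_POD = {"metadata": {"name": "miner-bait", "namespace": "apps"},
            "spec": {"hostNetwork": True, "containers": [
                {"name": "app", "image": "example/app",
                 "securityContext": {"privileged": True}}]}}
HARDENED_POD = {"metadata": {"name": "web", "namespace": "apps"},
                "spec": {"containers": [{"name": "app", "image": "example/app",
                    "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                                        "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"]}}}]}}
DEFAULT_DENY = {"metadata": {"name": "default-deny", "namespace": "apps"},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
```

Running `audit_pod(WEAK_POD)` returns six findings, `audit_pod(HARDENED_POD)` returns none, and `has_default_deny("apps", [DEFAULT_DENY])` is true; pointing the same checks at manifests exported from a live cluster turns the guide's "regular review" into a repeatable job.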