Kubernetes Security - CIS Benchmarks - Part 1

Kubernetes clusters can be very secure, but the default configuration is not safe at all. You have to play around with it to make it safe, and there are millions of variations that you can configure. How can you be sure that you are safe? If you want to learn how, please keep reading.

 

kubernetes-security-is-a-trap

 

This post will tell you what the Kubernetes CIS Benchmarks are and talk about how and why you should take it seriously.

 

Who is this blog post for?

I assume that you have a basic understanding of Kubernetes components and architecture. If some of the terms are confusing for you, I’d recommend you step back and check the basics first. 

 

TL;DR

Even though I tried to keep the post short if you’d instead get the bottom line here it is;

Kubernetes is NOT secure by default. It gives you the ability to make it. You are responsible for securing your Kubernetes Clusters, and CIS Kubernetes Benchmarks point you to the right direction.

 

What is CIS?

The Center for Internet Security (CIS) is a community-driven, nonprofit organisation that creates the security best practices. The CIS Benchmarks are very popular within the professionals.

 

How does it relate to Kubernetes?

CIS releases benchmarks for security best practice recommendations for Kubernetes as well. Here you can find the official CIS Kubernetes Benchmark web page, which gives recommendations for configuring Kubernetes to make it safe. 

 

Be careful with the versioning!

You should keep in mind that the benchmark recommendations are tied to a specific Kubernetes release. That means you have to use the related benchmark for your version of Kubernetes.

You should also be careful with the CIS Benchmark version, though, it is different than the Kubernetes version.

 

Is it enough to check CIS Benchmark only?

Of course not! You should accept CIS recommendations as a starting point and go beyond. You should always ensure best practices are applied.

Please always keep in mind that security is a continuous defence game. As soon as you stop, you are in serious danger.

security-is-a-continuous-defence-game

 

Before moving forward, you can download the latest CIS Kubernetes Benchmark here

Understanding the CIS Benchmark

CIS Benchmark has 5 main sections;

  1. Control Plane Components
  2. ETCD
  3. Control Plane Configuration
  4. Worker Nodes
  5. Policies

Benchmark has many recommendations for each section, and each of them is structured with the Profile Applicability, Description, Rationale, Audit, Remediation, Impact, Default Value, References and CIS Controls sub-sections.

The first section consists of security recommendations for Kubernetes control plane processes’ direct configuration, the master node itself, API Server, Controller Manager and Scheduler.

If you provision your cluster using AWS EKS, GCP GKE, Azure AKS or similar managed service concept, these recommendations may not be directly applicable as your provider handles the maintenance of these components.

You can also check the related CIS Benchmark for those providers from this link.

The second section is directly related to ETCD, you can find all the necessary recommendations in this section.

The third section focuses on the cluster-wide configuration like authentication, authorisation, auditing and logging. Note that all the recommendations in this section apply to all clusters even if you have a managed service.

The fourth section has recommendations for the worker node components such as node itself and kubelet. 

An important reminder here, these components may also run on master nodes, so you know what to do! 

Last but not least, the fifth section is all about various policies that have critical importance for Kubernetes security. Here are some of them; 

  • Role-based access control (RBAC)
  • Service accounts
  • Pod security policies
  • Network policies (double-checking, if you haven’t read our post yet, please do it now)
  • CNI
  • Secrets management
  • Admission control
  • Some other general policies

Be careful, it’s harder than it looks!

The CIS Benchmark document is massive (version 1.6 is 270 pages long) as you have to go through it one by one, it is not easy to keep track. At this point, the benchmark gives you a summary table so you can check the ones you pass and fail. Easier to follow. 

It’s absolutely amazing to have all the recommendations. It makes our job much more manageable. But honestly, it is not enough. 

As you can check all the recommendations manually one by one, it doesn’t make any sense. We live in 2021, and we should automate everything we can! 

 

What is the solution?

Many open-sourced tools do the checks for your based on the CIS Kubernetes Benchmark. Aqua security’s kube-bench is my favourite. It checks all the recommendations from the 270-page document and shows you which ones are passed and which ones are failed with descriptions and remediations. 

 

automation-tool

 

Sounds pretty simple, doesn’t it? It is! Part 2 will contain a detailed explanation and implementation examples of kube-bench with the best practices to use it.

If you are excited about it, wait for the second part. In the meantime, please subscribe so we can let you know as soon as it is ready! 

Also, we offer a Free Kubernetes Security Audit as well, if you’d like to hear more about it, please take a look at it here.

Leave a Comment