Security is always on the top of our minds, but with recent world events the importance of hardening our own infrastructure has been put front and center. Today, we wanted to share some guidelines and benchmarks that you can use when trying to figure out if you've implemented the industry best practices in your clusters. So here we go, let's talk about the best practices in securing a Kubernetes cluster.
When looking to harden a Kubernetes distribution, start here. These CIS benchmarks are the basics, and all of your clusters should be operating within these levels. None of these are likely to impact normal operations of a cluster, and they’re a great start and baseline for security best practices.
If you’re running a managed cluster, or already have a Kubernetes cluster running, kube-bench is a handy utility from the folks at Aqua security that will tell you if your cluster is in conformance with the aforementioned CIS benchmarks. This is a good way to regularly (not just once) check if your cluster is conforming to all of the recommended best practices. I'm curious and would love to learn how everyone runs kube-bench and similar utilities regularly. Let us know on Twitter if you have some best practices or tips to share.
Recently updated, the NSA has published a list of guidelines that you should follow to have a secure Kubernetes cluster. A number of their recommendations come down to implementing the principle of least privilege and also defense in depth. Don't trust any single layer, and never give more access than is absolutely needed. There's a lot more in this guide, and it's all great advice. ⚔️
A great write up that came out after the NSA/CISA Hardening guide was initially released. There's some great and practical advice here digging into why the advice was given and how to implement it. Highlights range from network to auditing – it’s a pretty dense article, but a must read in today's landscape. ⛏
Since we shared the NSA and CISA Guide, we also wanted to share this blog post that we found helpful. There's a lot included in this extension, and it focuses quite a bit on how to handle authentication (authn) and authorization (authz) in a cluster. There's some good advice here, and we'd recommend taking a look. ⛔️
From the US DISA (Defense Information Systems Agency) these are similar in concept to the NSA/CISA recommendations, but from a different user. There is some overlap between these recommendations and the NSA and CIS guides, but there also is some unique and really valuable recommendations here. Heads up: this is a ZIP file that contains multiple PDFs – remember to always check your domains before you click!
Let's start writing our CFPs for Motor City in October!