When I want to get into my phone, I use a passcode or face ID to authenticate. When I want to get into my home, I use a key because no person should be able to access my home without being authorized. So when the NSA released its Kubernetes Hardening Guidelines, it made sense that they consider authentication and authorization to be pivotal to a strong defense.
There are three main recommendations the NSA guidelines make for every organization: disabling anonymous login, requiring strong user authentication and using role-based access control. Here we break each down and suggest ways for you to implement these recommendations.
Disable Anonymous Login
The NSA says, “anonymous requests are requests that are not rejected by other configured authentication methods and are not tied to any individual user or Pod. Leaving anonymous requests enabled could allow a cyber actor to access cluster resources without authentication.”
Kubernetes clusters can easily be left open to the public internet, creating a risk of intrusion. Self-managed clusters should have anonymous login disabled by running the API server with the --anonymous-auth=false flag. Clusters using managed services like GKE or EKS should be kept inside a VPC.
DevOps managers can use open source tooling to ensure that the --anonymous-auth flag is set to false on their clusters. If managing multiple clusters across many users, a Kubernetes governance platform can be helpful.
Use Strong User Authentication
“Administrators must implement an authentication method or delegate authentication to a third-party service. Kubernetes assumes that a cluster-independent service manages user authentication,” per the guidelines.
This is critical to both the security and day-to-day productivity of engineers and there are a number of different options here that DevOps teams can implement.
- Managed services (GKE, EKS): Use the cloud provider’s built-in identity and access management (IAM). For example, the Kubernetes team provides aws-iam-authenticator for managing cluster access via existing AWS groups and roles.
- Not using a managed provider (or when IAM isn’t an option): Use OpenID Connect (OIDC) alongside an SSO provider like Google Workspace.
Create RBAC Policies With Unique Roles
Finally, the NSA guide says, “RBAC, enabled by default, is one method to control access to cluster resources based on the roles of individuals within an organization. RBAC can be used to restrict access for user accounts and service accounts.”
Role-based access control (RBAC) regulates access to Kubernetes resources based on the roles of individual users within your organization, but it is one of the areas where we most often see organizations struggling with Kubernetes. For many organizations, it is so difficult and confusing that RBAC is not implemented at all, or only implemented halfway. Even the organizations that do manage to properly lock down their RBAC configuration often find it difficult to maintain.
When getting started, make sure steps one and two have been implemented so that every user is authenticated. Then you’ll need to set up RBAC so that users have the permissions needed to do their job while still adhering to the principle of least privilege (the principle of least privilege forces code and users to work with the lowest privilege/permission level possible).
We strongly recommend setting up Roles and ClusterRoles which are tied to specific job descriptions at your company. For example, you might have a developer role that is allowed to view logs and status, an SRE role that is allowed to make changes in application namespaces, and an admin role that is granted a wide range of access.
RBAC Manager, an open source project from Fairwinds, can help craft RBAC profiles with a friendlier syntax. A Kubernetes governance platform can also provide a dashboard for auditing RBAC configurations, surfacing Roles and ClusterRoles that have high levels of access.
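As an added example (not code from the original post, RBAC Manager or any governance product), the following script shows the developer/SRE/admin role split from the previous paragraphs as Role and ClusterRole objects, written as the dicts you would get from loading their YAML manifests, and runs a small least-privilege audit over them that surfaces wildcard rules, secret access, privilege-escalation verbs and cluster-wide write access. The role names, namespace and the specific rule sets are constructed for illustration.

```python
# Least-privilege audit over Kubernetes Role/ClusterRole objects (example code).
# The three roles below are constructed to mirror the developer / SRE / admin split.

SENSITIVE_RESOURCES = {"secrets", "serviceaccounts/token"}   # reading these is a credential grant
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}       # verbs that let a subject grow its own rights
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

DEVELOPER_ROLE = {  # read-only: logs and status in one namespace
    "kind": "Role", "metadata": {"name": "developer", "namespace": "app"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch"]},
    ],
}
SRE_ROLE = {  # may change workloads, but only inside the application namespace
    "kind": "Role", "metadata": {"name": "sre", "namespace": "app"},
    "rules": [{"apiGroups": ["", "apps"], "resources": ["pods", "deployments", "configmaps"],
               "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}],
}
ADMIN_ROLE = {  # wide access: exactly what an audit should surface for review
    "kind": "ClusterRole", "metadata": {"name": "platform-admin"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}


def audit_role(role):
    """Return findings that explain why a role is high-privilege (empty list = fine)."""
    findings = []
    cluster_wide = role["kind"] == "ClusterRole"
    scope = "cluster-wide" if cluster_wide else "namespace " + role["metadata"]["namespace"]
    for rule in role.get("rules", []):
        resources, verbs = set(rule.get("resources", [])), set(rule.get("verbs", []))
        if "*" in resources or "*" in rule.get("apiGroups", []):
            findings.append(f"wildcard resources ({scope})")
        if "*" in verbs:
            findings.append(f"wildcard verbs ({scope})")
        if SENSITIVE_RESOURCES & resources:
            findings.append(f"reads {sorted(SENSITIVE_RESOURCES & resources)} ({scope})")
        if ESCALATION_VERBS & verbs:
            findings.append(f"privilege-escalation verbs {sorted(ESCALATION_VERBS & verbs)} ({scope})")
        if cluster_wide and (WRITE_VERBS & verbs or "*" in verbs):
            findings.append(f"cluster-wide write on {sorted(resources)}")
    return findings


def audit_roles(roles):
    """Map role name -> findings, keeping only the roles that need review."""
    results = {r["metadata"]["name"]: audit_role(r) for r in roles}
    return {name: findings for name, findings in results.items() if findings}
```

Running audit_roles over the three roles reports only platform-admin, which is the intended outcome: the developer and SRE roles stay within their namespace and carry no wildcards.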
Create a Strong Defense Whatever Industry
While you might not feel that the NSA guidelines are helpful to your organization, the reality is that they are helpful to anyone using Kubernetes. They outline good practices that every DevOps engineer should follow. There are a number of resources available if you need more help on the steps to meeting the NSA Kubernetes Hardening Guidelines.