What Are the NSA K8s Guidelines and Why Should You Care?

The NSA released its Kubernetes Hardening Guidelines almost a year ago and made updates to it this March. The purpose of the document is to provide an overview of what Kubernetes users need to do to ensure security. As described within, “the report is designed to help organizations handle Kubernetes-associated risks and enjoy the benefits of using this technology.”

What Are the Guidelines?

The guidelines are extensive; a 66 page document. There are some main categories that are covered throughout including pod security, network separation and hardening, authentication and authorization, audit logging, threat detection, upgrading and application security. 

AppSec/API Security 2022

Within each section, the NSA outlines advice. For example, it explains that to ensure pod security, you should use containers built to run applications as non-root users. It says, “By default, many container services run as the privileged root user, and applications execute inside the container as root despite not requiring privileged execution. Preventing root execution by using non-root containers or a rootless container engine limits the impact of a container compromise.”

Another example is around locking down access. It says, “[Role-based access control] RBAC, enabled by default, is one method to control access to cluster resources based on the roles of individuals within an organization. RBAC can be used to restrict access for user accounts and service accounts.”

The list is extensive, which can feel overwhelming and might leave you wondering whether the NSA’s advice is truly important or if it’s just overkill.

Why the NSA Kubernetes Guidelines Matter

The CNCF says in its 2021 annual report that “the usage of Kubernetes is continuing to grow and reached its highest level ever, with 96% of organizations using or evaluating the technology.” However, security continues to be top of mind for organizations. In a Red Hat report, “… 94% of respondents stated they have experienced a security incident in their Kubernetes and container environments during the last 12 months.”

Companies want to use and are adopting Kubernetes, but security must be a top priority. By producing this guide, the NSA is essentially endorsing the technology. It sees the value of using Kubernetes but wants it done securely. This is huge for the cloud-native landscape and for Kubernetes adoption. The guidelines provide not only U.S. federal organizations a path to secure usage of Kubernetes, but any company that wants to use the technology, too. 

Complying With the Guide

So, the next logical question is how to tick the boxes on the guide? With approximately 20 different requirements around the five categories, it can seem like a big undertaking. 

The first step to complying with the guide is to understand your Kubernetes environment. For example, how many clusters do you have? Do you have any containers running as root? Do you have role-based access control in place? And are you doing all of this consistently? Many of the issues around Kubernetes involve a lack of visibility into the environment and ability to understand if policies are being implemented habitually. 

Unfortunately for many organizations running environments with three or more clusters, it is too hard to answer this question. The genius of a Kubernetes environment is its ephemeral nature; the downside is things are constantly changing. 

DevOps teams wanting to implement NSA hardening guidelines should spend time auditing their environment for misconfigurations. Many organizations fall into the trap of doing this manually but should look to tools that automatically scan clusters and infrastructure-as-code for misconfiguration and vulnerabilities. 

Providing Kubernetes Guardrails

Once a Kubernetes environment is understood, how do you achieve compliance? First, DevOps teams should look for tools that help them enable developers to use Kubernetes safely. This is where Kubernetes guardrails come into play. Guardrails enable DevOps teams to turn policy from a piece of paper into a safety net. Instead of moving to production with a manual review, guardrails can be put in place to guide the entire development life cycle. Developers can ensure container security configuration is set, for example, before it ever gets to production. It helps to free up DevOps time and enables developers to ship applications faster. 

Next, by combining automated scans with guardrails, teams can document their journey to compliance. It becomes a much easier process as unknowns in Kubernetes become knowns. 

Understanding the importance of the NSA hardening guidelines and knowing how to implement them are two different things. In my next article, I’ll dig into some specific examples around the five main categories of the report. 

Robert Brennan

Robert Brennan is director of open source software at Fairwinds, a cloud-native infrastructure solution provider. He focuses on the development of open source tools that abstract the complexity from underlying infrastructure to enable an optimal experience for developers. Before Fairwinds, he worked as a software engineer at Google in AI and natural language processing. He is the co-founder of DataFire.io, an open source platform for building API’s and integrations, and LucyBot, developer of a suite of automated API documentation solutions deployed by Fortune 500 companies. He is a graduate of Columbia College and Columbia Engineering where he focused on machine learning.

Robert Brennan has 11 posts and counting. See all posts by Robert Brennan