NSA Hardening Guide: Three Ways Fairwinds Insights Can Root Out Poor Pod Security

Written By: Robert Brennan

Fairwinds
4 min read · May 3, 2022

The NSA has released a stringent set of guidelines for hardening Kubernetes clusters. The 38-page document lays out a defense-in-depth approach that both minimizes the chance of a breach and keeps the blast radius as small as possible if an attacker does manage to get into a cluster. The trickier part is working out how these guidelines, now widely treated as the gold standard of industry best practice, can be met in practice using SaaS solutions like Fairwinds Insights, open-source tools, and other cloud-native technologies.

This post, dedicated to pod security, kicks off a five-part series on the new NSA Kubernetes Hardening Guide. Later installments cover the other critical areas the guide addresses: network separation, authentication, authorization, audit logging, and threat detection, and how each can be improved in any organization running containerized workloads.

As a practical guide to complying with the NSA's recommendations, this series will discuss how practitioners can use Fairwinds Insights, together with other best-of-breed commercial and open-source software, to reach compliance effectively and affordably.

Want all the NSA recommendations at once? Download our newest white paper, Steps to Meeting NSA Kubernetes Hardening Guidelines.

What are the NSA recommendations around pod security?

NSA: Use containers built to run applications as non-root users. By default, many container images run as the privileged root user, so applications often execute inside the container as root despite not requiring privileged execution. Preventing root execution, by using non-root containers or a rootless container engine, limits the impact of a container compromise.

Fairwinds Insights integrates with Polaris, a popular open-source project for validating Kubernetes configuration. Polaris ships with a built-in check (runAsRootAllowed) that flags containers whose manifest does not prevent them from running as root. Note that this is a check on the manifest, not the image: a Dockerfile USER directive alone does not satisfy it, because the kubelet only refuses to start a UID 0 process when the pod or container securityContext sets runAsNonRoot: true (ideally alongside a numeric, non-zero runAsUser). By adopting Polaris via Fairwinds Insights, you can see precisely which workloads in your clusters are still permitted to run as root. You can also run the same policy in your CI/CD pipeline through Insights, so that infrastructure-as-code changes do not introduce new resources with the ability to run as root.

Once you have locked down the ability to run as root across all applicable workloads, we recommend enabling the Polaris check in the Insights Admission Controller. That is the strongest defense: a workload that can run as root is rejected at admission time and never reaches the cluster.

For workloads that genuinely need root, Insights can be configured with specific exemptions. We strongly recommend denying root by default and maintaining an explicit allow-list of exceptions. Insights can scope those exemptions by namespace, label, annotation, cluster name, and more.

NSA: Run containers with immutable file systems. By default, containers are permitted mostly unrestricted execution within their own context. An attacker who has gained execution in a container can create files, download scripts, and modify the application inside the container. Kubernetes can lock down a container's root file system (securityContext.readOnlyRootFilesystem: true), which prevents many of these post-exploitation activities.

Again, Polaris addresses this with a built-in check (readOnlyRootFilesystem) for writable root file systems, which integrates into Fairwinds Insights in the same way as the run-as-root check above. Enabling Polaris in the Insights in-cluster agent shows which workloads can currently write to their root file system and which have been locked down. The Insights CI/CD plugin likewise blocks code changes that would give a workload a writable root file system.

The admission controller provides a strong defense against new resources being added to the cluster in violation of this policy. If a particular workload truly needs to write to disk, first check whether mounting an emptyDir volume at the path that must be writable (for example a cache or temp directory) satisfies it while the root file system stays read-only. Where that is not enough, Insights should be configured to deny writable root file systems by default and allow the workload through an explicit allow-list, which can again be scoped by namespace, label, annotation, cluster name, and more.
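The two checks above, and the deny-by-default allow-list the post recommends for exemptions, as an added example. This is not Polaris or Fairwinds Insights code; it is a minimal Python re-implementation of the same rules, run offline over constructed workload manifests shaped like Deployment and DaemonSet objects (all names, namespaces, labels and images are made up). It shows the two things a manifest-level check has to get right: pod-level runAsNonRoot/runAsUser are inherited by containers unless overridden, while readOnlyRootFilesystem exists only on the container.

```python
"""Added example, not Polaris or Fairwinds Insights code: minimal versions of
the run-as-root and writable-root-filesystem checks, plus a deny-by-default
allow-list for exemptions. Sample workloads below are constructed."""
from collections import namedtuple

Finding = namedtuple("Finding", "workload container check exempt")


def effective_security_context(pod_spec, container):
    """runAsNonRoot/runAsUser set on the pod apply to every container unless
    the container sets its own value, so merge with the container winning."""
    ctx = dict(pod_spec.get("securityContext", {}))
    ctx.update(container.get("securityContext", {}))
    return ctx


def run_as_root_allowed(pod_spec, container):
    """Fails unless runAsNonRoot is true or runAsUser is a non-zero UID. A
    non-root USER in the image does not count: only the manifest is visible
    to an admission controller, and runAsNonRoot: true is what makes the
    kubelet refuse to start a container that would run as UID 0."""
    ctx = effective_security_context(pod_spec, container)
    if ctx.get("runAsNonRoot") is True:
        return False
    uid = ctx.get("runAsUser")
    return not (isinstance(uid, int) and uid > 0)


def writable_root_filesystem(pod_spec, container):
    """readOnlyRootFilesystem exists only on the container securityContext."""
    sc = container.get("securityContext", {})
    return sc.get("readOnlyRootFilesystem") is not True


CHECKS = {"runAsRootAllowed": run_as_root_allowed,
          "writableRootFilesystem": writable_root_filesystem}


def is_exempt(workload, check, exemptions):
    """An allow-list entry matches when it lists the check, its namespace (if
    given) matches, and every label it lists is present on the workload."""
    meta = workload["metadata"]
    labels = meta.get("labels", {})
    for entry in exemptions:
        if check not in entry["checks"]:
            continue
        if "namespace" in entry and entry["namespace"] != meta["namespace"]:
            continue
        if all(labels.get(k) == v for k, v in entry.get("labels", {}).items()):
            return True
    return False


def audit(workloads, exemptions=()):
    """In-cluster-agent view: report every failing container, exempt or not."""
    findings = []
    for w in workloads:
        name = f'{w["metadata"]["namespace"]}/{w["metadata"]["name"]}'
        pod_spec = w["spec"]["template"]["spec"]
        for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
            for check, fails in CHECKS.items():
                if fails(pod_spec, c):
                    findings.append(Finding(name, c["name"], check,
                                            is_exempt(w, check, exemptions)))
    return findings


def admit(workload, exemptions=()):
    """Admission-controller view: deny unless every finding is exempt."""
    blocking = [f for f in audit([workload], exemptions) if not f.exempt]
    return not blocking, blocking


def workload(kind, ns, name, pod_spec, labels=None):
    return {"kind": kind,
            "metadata": {"namespace": ns, "name": name, "labels": labels or {}},
            "spec": {"template": {"spec": pod_spec}}}


SAMPLE_WORKLOADS = [  # constructed, not from any real cluster
    # No securityContext anywhere: fails both checks.
    workload("Deployment", "shop", "web",
             {"containers": [{"name": "nginx", "image": "nginx:1.25"}]}),
    # Pod-level non-root UID plus read-only root fs: passes, except the init
    # container that explicitly opts back into root and keeps a writable fs.
    workload("Deployment", "shop", "api", {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "initContainers": [{"name": "migrate", "image": "shop/migrate:3.1",
                            "securityContext": {"runAsNonRoot": False, "runAsUser": 0}}],
        "containers": [{"name": "api", "image": "shop/api:3.1",
                        "securityContext": {"readOnlyRootFilesystem": True}}]}),
    # Genuinely needs root and a writable fs; covered by the allow-list below.
    workload("DaemonSet", "kube-system", "node-agent",
             {"containers": [{"name": "agent", "image": "example/node-agent:2.0",
                              "securityContext": {"privileged": True}}]},
             labels={"app": "node-agent"}),
]

# Deny by default; only this namespace + label combination is exempt.
EXEMPTIONS = [{"namespace": "kube-system", "labels": {"app": "node-agent"},
               "checks": {"runAsRootAllowed", "writableRootFilesystem"}}]

if __name__ == "__main__":
    for f in audit(SAMPLE_WORKLOADS, EXEMPTIONS):
        print("EXEMPT" if f.exempt else "FAIL  ", f.workload, f.container, f.check)
```

Running it reports six findings: both checks fail for shop/web's nginx container and for shop/api's migrate init container (its own securityContext overrides the pod-level non-root settings), while the node-agent DaemonSet fails both checks but is marked exempt by the allow-list, so admit() passes it and denies the other two. Drop the allow-list and node-agent is denied as well, which is the deny-by-default behaviour the post recommends.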

NSA: Scan container images for possible vulnerabilities. In addition to building containers from trusted repositories, image scanning is key to ensuring deployed containers are secure. Images should be scanned for known vulnerabilities throughout the container build workflow.

Insights also integrates with Trivy, another open-source tool that scans container images for known vulnerabilities. Trivy inspects the packages inside the image, compares them against vulnerability databases of CVEs, and surfaces findings in order of severity. Insights scans containers at build time (during CI/CD) as well as at runtime. The runtime scan matters because a CVE is often published after an image has been scanned and deployed, which means a container that passed both CI and admission is now running in your cluster and is known to be vulnerable. The Insights Agent detects these cases and raises an alert to your security and operations teams.

The NSA also recommends enforcing a set of "trusted repositories" so that workloads cannot deploy images from untrusted sources. Fairwinds Insights integrates with OPA, which lets you write custom policies specifying precisely which registries are allowed. These OPA policies can be enforced in CI/CD and in the Insights Admission Controller, and the in-cluster Agent can run them against all existing resources to find violations.
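What a trusted-registry policy actually has to decide, as an added example that is not Fairwinds, Polaris or OPA code: a Python version of the rule an OPA/Rego policy would express, run over a constructed pod spec. The registry hosts, images and the optional digest-pinning requirement are assumptions made for the example. The parsing follows the container runtime's rules for image references (the registry is the first path component only if it contains a dot or colon or is localhost, otherwise the image lives on docker.io; a tag follows the last colon in the final path component; a digest follows @), and it compares the parsed host exactly, which is what stops look-alike hosts such as registry.example.com.attacker.test from passing a naive prefix match.

```python
"""Added example, not Fairwinds, Polaris or OPA code: a trusted-registry
check that parses image references the way the container runtime does and
denies anything outside an allow-list. Registries and images are constructed."""

# Hypothetical allow-list. Hosts are compared exactly, port included, so a
# registry served on a non-default port must be listed as "host:port".
TRUSTED_REGISTRIES = {"registry.example.com", "ghcr.io"}


def parse_image(ref):
    """Split an image reference into (registry, repository, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref        # bare names mean Docker Hub
    if registry == "index.docker.io":            # alias for the Hub registry
        registry = "docker.io"
    tag = None
    if path.rfind(":") > path.rfind("/"):        # ':' after the last '/' is a tag
        path, tag = path.rsplit(":", 1)
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path                 # official images live here
    return registry, path, tag, digest


def image_decision(ref, trusted=TRUSTED_REGISTRIES, require_digest=False):
    """Allow-list decision for one image. Returns (allowed, reason)."""
    registry, repo, tag, digest = parse_image(ref)
    if registry not in trusted:
        return False, f"{ref}: registry {registry!r} is not trusted"
    if require_digest and digest is None:        # optional tightening, assumed
        return False, f"{ref}: not pinned by digest"
    return True, f"{ref}: {registry}/{repo} allowed"


def review_pod(pod_spec, trusted=TRUSTED_REGISTRIES, require_digest=False):
    """Admission-style check over init and app containers. Returns the list
    of denial reasons; an empty list means the pod would be admitted."""
    denials = []
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        ok, reason = image_decision(c["image"], trusted, require_digest)
        if not ok:
            denials.append(f'container {c["name"]}: {reason}')
    return denials


# Constructed pod spec exercising the edge cases a real policy meets.
SAMPLE_POD = {
    "initContainers": [
        {"name": "migrate",
         "image": "ghcr.io/example-org/migrate@sha256:" + "a" * 64}],
    "containers": [
        {"name": "api", "image": "registry.example.com/shop/api:3.1"},
        # bare name: this is docker.io/library/nginx, not a local image
        {"name": "proxy", "image": "nginx:1.25"},
        # look-alike host: a prefix match on "registry.example.com" passes it
        {"name": "metrics",
         "image": "registry.example.com.attacker.test/metrics:1"},
    ],
}

if __name__ == "__main__":
    for line in review_pod(SAMPLE_POD):
        print("DENY", line)
```

On the sample pod the proxy container (Docker Hub) and the metrics container (look-alike host) are denied while the digest-pinned init container and the in-house api image are allowed; with require_digest=True the tag-only api image is denied as well. The same parsing is needed in any Rego version of the rule, since `startswith(input.image, "registry.example.com")` would accept the attacker host.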

Try Fairwinds Insights

Don't take our word for it: demo Insights today and find out how your organization can reach the gold standard of pod security with less aggravation and lower overall cost.
