Top 8 RBAC Tools Every Kubernetes Admin Should Know
Role-Based Access Control (RBAC) is important for managing permissions in Kubernetes environments, ensuring that users...
Aug 1, 2023
This post compares popular Kubernetes security and compliance frameworks, how they differ, when to use them, common goals, and suggested tools.
The challenge of administering security and maintaining compliance in a Kubernetes ecosystem is typically the same: an increasingly dynamic, ever-changing, ephemeral landscape. Changes can be rooted in new approaches to cyberattacks or changing regulations.
Kubernetes security requires a complex and multifaceted approach since an effective strategy needs to:
Security and compliance are two closely related concepts in Kubernetes. Security refers to the measures taken to protect a Kubernetes environment from unauthorized access, data breaches, and other malicious attacks. Compliance refers to the adherence to a set of security standards or regulations. While organizations may choose how they administer security, regulatory bodies are the ones who set and enforce mandatory compliance standards. These standards are designed to protect sensitive data and ensure the security of crtical infrastructure. By adhering to these regulations, organizations signal to customers that they care about ensuring business continuity and determining an application’s level of risk. This can also enhance an organization’s reputation, as a by product.
To help with this, various institutions offer standardized frameworks and guidelines for administering security in the complex and dynamic Kubernetes ecosystem. This post reviews popular Kubernetes security guidance frameworks, the principles on which they are built, and the benefits and challenges of adopting them.
Since Kubernetes follows a loosely coupled architecture, securing the ecosystem involves a combination of best practices, tools, and processes. It is also recommended to consider frameworks that issue specific guidelines for easing the complexity of administering the security and compliance of a Kubernetes ecosystem. Such frameworks help organizations create flexible, iterative, and cost-efficient approaches to keeping clusters and applications safe and compliant while ensuring optimum performance.
A typical framework’s guidance on Kubernetes security and compliance should essentially consider:
The foundations of these frameworks are built upon real-world observations. As a result, organizations referring to them remain up-to-date with the changing threat landscape—without losing focus on core organizational goals.
As more data-driven applications go cloud-native, organizations are driven to pay more attention to security in order to protect their assets and information. To deal with this, every vendor or organization often develops and adopts its own security practices. While that’s a justifiable approach, it is susceptible to missing things in the changing threat landscape and leaving things unaccounted for. On the other hand, using frameworks for guidance, enables organizations to adhere to the expected security standards. This enables monitoring of security controls, enhanced team-level accountability, and efficient vulnerability assessment.
Additionally, organizations will often need to comply with respective industry standards as part of their regulatory obligations. Examples for this are: HIPAA for healthcare and PCI DSS for finance. While there are a number of frameworks that offer security guidelines for a cloud-native environment, the following are some of the most popular frameworks that offer focused guidance on securing Kubernetes workloads. All of these frameworks are free to use, offered by reputable (and objective) organizations, and have been created based on real-world events and the changing security landscape.
Since the mid-2000s, the Center for Internet Security (CIS) has been working closely with the IT community and publishing security benchmarks and best practices. CIS Benchmarks offer precise configuration recommendations that serve as guidance for many technologies, including operating systems, cloud services, network devices, and more. In the case of Kubernetes, these benchmarks offer a comprehensive guide for hardening Kubernetes environments. They outline recommendations for configuring cluster components securely. CIS also lists tools that can automatically check cluster resources to see if they comply with the set benchmarks and raise alerts for non-compliant components. As of 2020 the Center for Internet Security has rolled out a sub-set of benchmarks aimed specifically at cloud managed Kubernetes distributions. Starting with EKS, following with AKS and others.
Securing clusters starts with identifying the Kubernetes distribution and referring to the related best practice recommendations. The best practices are then prioritized according to recommendation level:
Recommendations are scored based on how much a failure to comply will affect the final benchmark score. The security team then outlines the values that specify the status of the recommendations in production.
Some benefits of the CIS Benchmark for Kubernetes include:
However, one of the primary concerns with this benchmark is its rigidity. The CIS benchmarks are designed to provide a one-size-fits-all approach to security, but Kubernetes environments can vary greatly in their architecture and requirements. This inflexibility can lead to unnecessary restrictions or limitations that may hinder the efficiency and functionality of an organization’s specific deployment. Additionally, keeping up with the frequent updates and changes in the CIS benchmark can be challenging for organizations already struggling with limited resources and time constraints. Furthermore, blindly adhering to these benchmarks may give a false sense of security, as they cannot account for every possible misconfiguration or threat scenario.
CIS Security Benchmarks are globally acknowledged security standards for defending web applications. CIS also offers tools, such as CIS-CAT, that enable security teams to compare system configurations with CIS standards. Kubescape is also a popular open-source tool for running CIS benchmark tests on Kubernetes workloads.
The MITRE ATT&CK framework is a comprehensive knowledge base built on various hacking mechanisms and tactics based on real-world events. The framework forms the foundation for an organization’s threat model by simulating adversary behavior and mitigation practices. While MITRE outlines various matrices for niche domains, such as Cloud, Windows, etc., the Kubernetes framework focuses on various phases of an attack lifecycle exploiting Kubernetes platforms.
MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) outlines various attack mechanisms commonly leveraged by attack vectors in a Kubernetes ecosystem, including:
The ATT&CK matrix is particularly popular due to the level of depth each tactic goes into. By regularly updating the threat models, the MITRE matrix considers regular industry trends to build a comprehensive list of cyberattack techniques and sub-techniques.
Some benefits of the MITRE ATT&CK framework include:
However, due to the number of adversary data, techniques, and sub-techniques, the MITRE ATT&CK framework is large, complex, and often costly to implement. The framework is also less comprehensive when compared with CIS and often may offer ambiguous approaches rather than proposing exact steps to protect/evaluate a security control (Read more on Kubernetes security cost).
The matrix lists various attack tactics that can potentially compromise a cloud-native environment based on real-world observations. By offering Indicators of Compromise and Indicators of Attack, the list helps security teams identify and study the mechanisms used by hackers across various stages of a cyber attack. The matrix also offers an adversarial approach that can be used by penetration testers, security defenders, cyber intelligence teams, red teams, and internal teams to create robust threat models and improve security posture. Besides adopting the practices outlined by the framework, organizations can also leverage open-source tools like Kubescape, which follows MITRE guidance to specifically harden Kubernetes clusters.
The Payment Card Industry Data Security Standard (PCI DSS) compliance framework outlines the technical and operational requirements to enable security and data protection for the payment industry. PCI DSS compliance is based on the following principles:
An inherent challenge with respect to open-source packaging, container lifespan, and container sprawl is that certain attributes complicate regulatory compliance in a Kubernetes environment. To help simplify this, the PCI DSS framework outlines focused goals that are relevant to Kubernetes, including:
Organizations adopting the cloud are often wary of the challenges in maintaining PCI DSS compliance. This is because when processing payments, containers communicate with many things on the platform, creating a tangled web of connections. To truly meet PCI standards, securing just containers isn’t enough. You also need to prioritize securing the tools managing them, like Kubernetes.
Adopting the PCI DSS compliance framework for Kubernetes brings a number of benefits to organizations, including:
While adopting PCI DSS for Kubernetes brings enhanced data security, compliance benefits, and operational efficiencies, it’s not without challenges. These include the need for specialized expertise, increased operational overhead, potential performance impacts, complex integrations, and challenges in managing alerts and keeping up with the evolving landscape. However, weighing these drawbacks against the substantial security and compliance benefits can help organizations make an informed decision about whether PCI compliance is the right choice for their specific Kubernetes environment. Remember, even without cardholder data, robust security practices inspired by PCI DSS principles are vital for any organization running sensitive workloads on Kubernetes.
PCI DSS outlines various computing guidelines that organizations should follow to be compliant. These guidelines apply to all organizations that store, process, or transmit cardholder data such as payment gateways, banks, merchants, and developers.
The National Institute of Standards and Technology (NIST) publishes a special Risk Management Framework for containers and containerized environments. This publication, also known as the NIST Application Container Security Guide, highlights security risks associated with containerized applications and practical recommendations to address them.
NIST categorizes security risks for containerized technologies across multiple layers of a platform, including:
Countermeasures and NIST recommended practices for a secure container orchestration include:
Benefits & drawbacks
Adopting the NIST security framework for containers helps organizations via several benefits, including:
A drawback of the NIST security framework is that it includes requirements that can be approached in multiple ways, making it difficult to identify the specific controls needed to ensure compliance.
The NIST Cybersecurity Framework is a voluntary standard that can be adopted by any IT organization leveraging container-led workflows. The NIST Risk Management Framework includes guidelines on how to conduct a comprehensive risk assessment, with a baseline integrated into the organization’s security strategy, before implementing security controls.
NSA offers general guidance on technical cybersecurity to help enterprises (in both the private and public sector) harden Kubernetes clusters and applications. The guidance includes the security challenges teams face when setting up Kubernetes clusters and strategies to avoid known misconfigurations. The report includes recommendations for comprehensive cluster hardening, such as:
Benefits of using the NSA-CISA Kubernetes hardening guide include:
A major drawback of the NSA-CISA framework is that it does not include recommendations for container lifecycle security management.
The NSA-CISA guidance outlines vulnerabilities within a Kubernetes ecosystem while recommending best practices on configuring a cluster for robust security. With recommendations on vulnerability scanning, identifying misconfigurations, log auditing, and authentication, the report ensures that common security challenges are appropriately addressed to mitigate risks. Besides adopting the practices outlined by the framework, organizations can also leverage open-source tools like Kubescape, which follows the NSA-CISA guidance to specifically harden Kubernetes clusters.
Kubernetes security frameworks help define executive processes by outlining how organizations can maintain robust security and remain compliant. Each of the frameworks discussed above offers a unique approach to categorize various components of a Kubernetes ecosystem, as well as guidance on how to keep them secure. While emphasizing a proactive approach to mitigating risks, each framework essentially highlights the importance of efficient vulnerability scanning and comprehensive threat modeling as key practices in enhancing an organization’s security posture.
In addition, because of their focus on cybersecurity and Kubernetes cluster hardening, these frameworks have overlapping features and principles.
Security Frameworks | |||||
CIS | MITRE | PCI DSS | NIST | NSA-CISA | |
GOAL | Provide configuration benchmarks | Enumerate all real-world attack tactics, techniques, and procedures | Protect cardholder data | Issue guidelines for a risk management framework | Enable the hardening of Kubernetes Cluster |
WHEN TO USE | Pre-production | In production | Development, testing, and production | Testing and vulnerability scanning | Pre-production |
FOCUS AREAS | Auditing configuration management | Threat modeling | Access control, vulnerability management | Risk management | Configuration management |
HOW TO USE | Compare CIS standards with system configuration | Use the prescribed techniques for pen tests and threat management | Use guidelines to create policies for data protection | Use the RMF to establish a baseline for security posture | Use example configurations of hardened clusters |
TOOLS | Kubescape | Kubescape | Twistlock | NIST SRE Tools | Kubescape |
However, as they were derived from the threat patterns of different industries, these guidance frameworks are often considered more appropriate for specific use cases rather than as a global standard for keeping any Kubernetes environment secure and compliant.
Kubernetes continues to be the leading container orchestrator, being used or evaluated by used by over 96% of organziations today. While it offers a range of features in managing complex workloads, security and compliance remain a major concern with Kubernetes adoption. Since its introduction Kubernetes rapidly gained unprecedented popularity. Many disciplines, including security are still catching up.As a result, most frameworks do not yet offer focused guidelines toward the security and compliance of a Kubernetes ecosystem.
With the multiple integrations, built-in components, and processes of a Kubernetes environment, security is a complex undertaking. Although adopting a certain framework’s guidance will suit most organizations, adopting a multi-framework strategy for comprehensive security is also not uncommon. In the end, the goal is always the same: to achieve a robustly secure and compliant Kubernetes cluster that supports highly efficient and scalable applications.
The only runtime-driven, open-source first, cloud security platform:
Continuously minimizes cloud attack surface
Secures your registries, clusters and images
Protects your on-prem and cloud workloads
Role-Based Access Control (RBAC) is important for managing permissions in Kubernetes environments, ensuring that users...
This guide explores the challenges of RBAC implementation, best practices for managing RBAC in Kubernetes,...
CIS Benchmarks are a focused set of guidelines for the secure configuration, vulnerability detection, and...