If you haven’t already thumbed through the NSA’s recent Kubernetes Hardening Guide to learn more about today’s best practices in Kubernetes and cloud native technologies, don’t worry, we’ve got you covered. In the third installment of our five-part series on these emerging standards, we discuss authentication and authorization, including how Fairwinds Insights, our Kubernetes governance platform, can help your organization meet the NSA’s stringent recommendations.
ICYMI: NSA Hardening Guide: Locking Down Network Access with Fairwinds Insights
ICYMI: NSA Hardening Guide: Three Ways Fairwinds Insights Can Root Out Poor Pod Security
Authentication and authorization are the primary mechanisms for restricting access to cluster resources, so best practices around them are critical. Kubernetes clusters are misconfigured all the time, and bad actors can (and do) scan for well-known Kubernetes ports, such as the API server on 6443/TCP and etcd on 2379-2380/TCP, then read the cluster’s database (etcd) or make API calls without authenticating. Kubernetes does support several user authentication mechanisms, but they are not enabled by default; an administrator has to choose and configure one.
The NSA makes several key recommendations around login procedures, the creation of RBAC policies and the need for strong authentication, all of which are specifically addressed by capabilities of Fairwinds Insights. Below we outline the different ways our Kubernetes governance software can help your organization comply with these modern practices, now considered the gold standard for Kubernetes ownership.
NSA: Disable Anonymous Login. Anonymous requests are requests that are not rejected by other configured authentication methods and are not tied to any individual user or Pod. Leaving anonymous requests enabled could allow a cyber actor to access cluster resources without authentication.
Kubernetes offers multiple methods for users to authenticate to the cluster, and it also has built-in identities for requests that present no credentials at all: the user system:anonymous, which is a member of the group system:unauthenticated. The default ClusterRole system:public-info-viewer is bound to that group and allows unauthenticated access to the health and version endpoints (/healthz, /livez, /readyz and /version).
On self-managed clusters, anonymous requests are disabled by passing --anonymous-auth=false to the kube-apiserver. The kubelet accepts anonymous requests too and has a flag of the same name; in a KubeletConfiguration file the equivalent field is authentication.anonymous.enabled. One caveat: anything that probes /healthz, /livez or /readyz without credentials, such as a load balancer in front of the control plane, will start receiving 401 responses and needs to be given credentials or repointed. In managed services like GKE the control plane is not yours to configure, so the process can be more involved.
Fairwinds Insights can help ensure the setting is in place on your clusters through its kube-bench integration. Specifically, check 4.2.1 verifies that the kubelet’s anonymous-auth is set to false, and check 1.2.1 does the same for the API server’s --anonymous-auth flag; a failing check raises an action item.
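The following added example (it is not code from the original post, from kube-bench or from Fairwinds Insights) performs the same two checks in Python against the JSON you get from `kubectl -n kube-system get pod -l component=kube-apiserver -o json` (one Pod item) and from the kubelet’s configuration file. The Pod objects and KubeletConfiguration below are constructed samples; the only assumptions are kubeadm’s `component=kube-apiserver` label and the standard `authentication.anonymous.enabled` field.

```python
"""Audit anonymous authentication on the kube-apiserver and the kubelet.

Added example: the same two conditions kube-bench checks 1.2.1 (API server) and
4.2.1 (kubelet) look for. Both components ACCEPT anonymous requests when the
setting is absent, so "flag not present" must be reported, not ignored.
"""
from typing import Any, Dict, List, Optional

ANON_FLAG = "--anonymous-auth"


def flag_value(args: List[str], name: str) -> Optional[str]:
    """Effective value of a pflag-style boolean flag in a command line.

    pflag semantics: a bare `--flag` means "true", `--flag=value` sets it
    explicitly, and the last occurrence wins. None means the flag is absent,
    so the component's compiled-in default applies.
    """
    value: Optional[str] = None
    for arg in args:
        if arg == name:
            value = "true"
        elif arg.startswith(name + "="):
            value = arg[len(name) + 1:]
    return value


def apiserver_anonymous_enabled(pod: Dict[str, Any]) -> bool:
    """True if this kube-apiserver Pod still serves anonymous requests.

    `pod` is one Pod object as returned by `kubectl get pod -o json`. kubeadm
    puts the flags in `command`; other installers use `args`, so scan both.
    """
    args: List[str] = []
    for container in pod["spec"]["containers"]:
        if container["name"] == "kube-apiserver":
            args += container.get("command", []) + container.get("args", [])
    value = flag_value(args, ANON_FLAG)
    return value is None or value.lower() == "true"  # absent => default true


def kubelet_anonymous_enabled(cfg: Dict[str, Any]) -> bool:
    """True if a KubeletConfiguration still serves anonymous requests.

    Field path: authentication.anonymous.enabled (default true when absent).
    """
    return bool(cfg.get("authentication", {}).get("anonymous", {}).get("enabled", True))


def audit(pod: Dict[str, Any], kubelet_cfg: Dict[str, Any]) -> List[str]:
    """Return one finding per component that still allows anonymous access."""
    findings = []
    if apiserver_anonymous_enabled(pod):
        findings.append("kube-apiserver: --anonymous-auth is not set to false (CIS 1.2.1); "
                        "add --anonymous-auth=false to the static Pod command")
    if kubelet_anonymous_enabled(kubelet_cfg):
        findings.append("kubelet: authentication.anonymous.enabled is not false (CIS 4.2.1)")
    return findings


# --- constructed sample inputs (not captured from a real cluster) -------------
def _apiserver_pod(extra_flags: List[str]) -> Dict[str, Any]:
    return {
        "kind": "Pod",
        "metadata": {"name": "kube-apiserver-cp1", "namespace": "kube-system",
                     "labels": {"component": "kube-apiserver"}},
        "spec": {"containers": [{
            "name": "kube-apiserver",
            "command": ["kube-apiserver", "--secure-port=6443",
                        "--authorization-mode=Node,RBAC"] + extra_flags,
        }]},
    }


DEFAULT_APISERVER_POD = _apiserver_pod([])  # flag absent: anonymous requests allowed
HARDENED_APISERVER_POD = _apiserver_pod(["--anonymous-auth=false"])
DEFAULT_KUBELET_CONFIG: Dict[str, Any] = {"kind": "KubeletConfiguration"}
HARDENED_KUBELET_CONFIG: Dict[str, Any] = {
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "authentication": {"anonymous": {"enabled": False},
                       "webhook": {"enabled": True}},
}

if __name__ == "__main__":
    for finding in audit(DEFAULT_APISERVER_POD, DEFAULT_KUBELET_CONFIG):
        print("FAIL", finding)
    print("hardened cluster findings:", audit(HARDENED_APISERVER_POD, HARDENED_KUBELET_CONFIG))
```

Run against a real cluster by loading the kubectl JSON with `json.load` and passing `items[0]`; the kubelet half needs the config file from each node (commonly /var/lib/kubelet/config.yaml, which a YAML loader turns into the same dict shape).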
Want all the NSA recommendations at once? Download our white paper: Steps to Meeting NSA Kubernetes Hardening Guidelines
NSA: Use strong user authentication. Administrators must implement an authentication method or delegate authentication to a third-party service. Kubernetes assumes that a cluster-independent service manages user authentication.
Getting cluster authentication right is critical to both security and the day-to-day productivity of the engineers who interact with the cluster. Kubernetes provides a number of different options here. If you’re using a managed Kubernetes provider like GKE or EKS, we recommend using the cloud provider’s built-in identity and access management (IAM). For example, aws-iam-authenticator, maintained under kubernetes-sigs, is what EKS uses to map existing AWS IAM users and roles to Kubernetes identities.
If you’re not using a managed Kubernetes provider, or if IAM isn’t an option, we recommend using OpenID Connect (OIDC) alongside an SSO provider like Google Workspace. On the kube-apiserver this is configured with the --oidc-issuer-url, --oidc-client-id, --oidc-username-claim and --oidc-groups-claim flags. Set --oidc-username-prefix and --oidc-groups-prefix as well, so that a username or group issued by the identity provider can never collide with a built-in name such as the system:masters group.
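To show why those prefixes matter, here is an added illustration (not Kubernetes’ authenticator code and not from the original post) of how the API server derives the username and groups that RBAC then evaluates from an ID token’s claims. The issuer `https://sso.example.com`, the token and its claims are constructed for the example; signature, issuer, audience and expiry validation are deliberately left out because the point is the claim-to-identity mapping.

```python
"""How the kube-apiserver turns an OIDC ID token into the identity RBAC sees.

Added illustration, not Kubernetes' own code. Kubernetes keeps no user database:
it trusts the issuer named by --oidc-issuer-url and derives a username and
groups from the token's claims according to these flags:
  --oidc-username-claim   default "sub"
  --oidc-username-prefix  default "<issuer URL>#", except no prefix when the
                          username claim is "email"; "-" disables prefixing
  --oidc-groups-claim     no groups are taken from the token unless set
  --oidc-groups-prefix    default empty (no prefix)
Signature, issuer, audience and expiry checks are omitted here; the real
authenticator performs them before any claim is trusted.
"""
import base64
import json
from typing import Any, Dict, List, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: Dict[str, Any]) -> str:
    """Constructed, UNSIGNED token (alg "none") for the demo; a real IdP signs it."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_jwt_payload(token: str) -> Dict[str, Any]:
    """Return the claims segment of a compact JWT without verifying anything."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the padding base64url strips
    return json.loads(base64.urlsafe_b64decode(payload))


def map_claims_to_userinfo(
    claims: Dict[str, Any],
    issuer: str,
    username_claim: str = "sub",
    username_prefix: Optional[str] = None,
    groups_claim: Optional[str] = None,
    groups_prefix: str = "",
) -> Dict[str, Any]:
    """Apply the --oidc-* mapping rules and return {"username", "groups"}."""
    raw_user = claims.get(username_claim)
    if not isinstance(raw_user, str) or not raw_user:
        raise ValueError(f"token has no non-empty string claim {username_claim!r}")

    if username_prefix is None:               # flag not given: apply the default
        username_prefix = "" if username_claim == "email" else issuer + "#"
    elif username_prefix == "-":              # explicit opt-out
        username_prefix = ""

    groups: List[str] = []
    if groups_claim:
        raw_groups = claims.get(groups_claim, [])
        if isinstance(raw_groups, str):       # a single string is accepted too
            raw_groups = [raw_groups]
        groups = [groups_prefix + g for g in raw_groups]
    # Every successfully authenticated request is also placed in this group.
    groups.append("system:authenticated")
    return {"username": username_prefix + raw_user, "groups": groups}


# --- constructed sample: a hypothetical issuer and a token it might mint --------
ISSUER = "https://sso.example.com"  # placeholder, not a real IdP
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": "kubernetes", "sub": "1234567890",
    "email": "jane@example.com",
    # Whoever administers the IdP decides what goes here. Without a groups
    # prefix the second value IS the built-in cluster-admin group.
    "groups": ["developers", "system:masters"],
}


def demo() -> Dict[str, Dict[str, Any]]:
    claims = decode_jwt_payload(make_unsigned_jwt(SAMPLE_CLAIMS))
    return {
        "no_prefix": map_claims_to_userinfo(claims, ISSUER, username_claim="email",
                                            groups_claim="groups"),
        "prefixed": map_claims_to_userinfo(claims, ISSUER, username_claim="email",
                                           groups_claim="groups", groups_prefix="oidc:"),
        "defaults": map_claims_to_userinfo(claims, ISSUER),
    }


if __name__ == "__main__":
    for label, info in demo().items():
        print(f"{label:10s} {info}")
```

In the `no_prefix` case a token carrying `system:masters` in its groups claim lands the holder in the group that the built-in cluster-admin ClusterRoleBinding grants full access to; with `--oidc-groups-prefix=oidc:` the same token yields `oidc:system:masters`, which has no power until you deliberately bind it.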
NSA: Create RBAC policies with unique roles. Role-based Access Control (RBAC), enabled by default, is one method to control access to cluster resources based on the roles of individuals within an organization. RBAC can be used to restrict access for user accounts and service accounts.
Once users are able to connect to the cluster using an authentication method described above, you’ll need to set up RBAC to ensure they have the permissions they need to do their job, while still adhering to the principle of least privilege.
We strongly recommend setting up Roles and ClusterRoles which are tied to specific job descriptions at your company. For example, you might have a Developer role, which is allowed to view logs and status; an SRE role which is allowed to make changes in application namespaces; and an Admin role which is granted a wide range of access.
RBAC Manager, our open source controller, lets you declare these bindings in an RBACDefinition custom resource with a friendlier syntax than raw RoleBindings, and Fairwinds Insights provides a dashboard for auditing RBAC configurations, surfacing Roles and ClusterRoles that grant high levels of access.
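To make the Developer / SRE / Admin split above concrete, and to show the kind of audit an RBAC dashboard performs, here is an added Python example (it is not Fairwinds Insights’ or RBAC Manager’s code, and its scoring weights are arbitrary). It reads the JSON produced by `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json`, scores each role for wildcards, privilege-escalation verbs and sensitive resources, and joins in the subjects bound to it so you can see who actually holds the risky roles. The sample objects are constructed; the `shop` namespace and the group names are placeholders.

```python
"""Rank RBAC roles by the access they grant and show who holds them.

Added example, not Fairwinds Insights' scoring. Input is the List that
`kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json`
returns; each item carries its own `kind`. The objects below are constructed
and model the Developer / SRE / Admin split described above.
"""
from typing import Any, Dict, List, Tuple

# Verbs that let a holder grant themselves more than the role literally lists.
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}
# (resource, verb) pairs that expose credentials or give code execution.
SENSITIVE = {("secrets", "get"), ("secrets", "list"), ("pods/exec", "create"),
             ("pods/attach", "create"), ("nodes/proxy", "get")}
# Groups every client (or every authenticated client) is automatically in.
DEFAULT_GROUPS = {"system:authenticated", "system:unauthenticated"}


def score_rule(rule: Dict[str, Any]) -> Tuple[int, List[str]]:
    """Points and human-readable reasons for one PolicyRule."""
    verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
    pts, reasons = 0, []
    if "*" in verbs and "*" in resources:
        pts += 100
        reasons.append("wildcard verbs on wildcard resources (cluster-admin equivalent)")
    elif "*" in verbs or "*" in resources:
        pts += 40
        reasons.append("wildcard verbs or resources")
    esc = verbs & ESCALATION_VERBS
    if esc:
        pts += 50
        reasons.append(f"privilege-escalation verbs {sorted(esc)}")
    for res, verb in sorted(SENSITIVE):
        if (res in resources or "*" in resources) and (verb in verbs or "*" in verbs):
            pts += 20
            reasons.append(f"{verb} {res}")
    return pts, reasons


def bindings_by_role(items: List[Dict[str, Any]]) -> Dict[Tuple[str, str, str], List[str]]:
    """Map (kind, namespace, name) of a role to the 'Kind:name' subjects bound to it.

    A RoleBinding may reference a ClusterRole; it is keyed on the ClusterRole
    (namespace "") because that is the object whose rules apply.
    """
    bound: Dict[Tuple[str, str, str], List[str]] = {}
    for obj in items:
        if obj["kind"] not in ("ClusterRoleBinding", "RoleBinding"):
            continue
        ref = obj["roleRef"]
        ns = "" if ref["kind"] == "ClusterRole" else obj["metadata"]["namespace"]
        bound.setdefault((ref["kind"], ns, ref["name"]), []).extend(
            f"{s['kind']}:{s['name']}" for s in obj.get("subjects", []))
    return bound


def audit_rbac(items: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Score every Role and ClusterRole, highest risk first."""
    bound = bindings_by_role(items)
    report = []
    for obj in items:
        if obj["kind"] not in ("ClusterRole", "Role"):
            continue
        ns, name = obj["metadata"].get("namespace", ""), obj["metadata"]["name"]
        pts, reasons = 0, []
        for rule in obj.get("rules", []):
            p, r = score_rule(rule)
            pts, reasons = pts + p, reasons + r
        subjects = bound.get((obj["kind"], ns, name), [])
        if any(s.split(":", 1)[1] in DEFAULT_GROUPS for s in subjects if s.startswith("Group:")):
            pts += 30
            reasons.append("bound to every (un)authenticated client")
        report.append({"kind": obj["kind"], "namespace": ns, "name": name,
                       "score": pts, "reasons": reasons, "subjects": subjects})
    return sorted(report, key=lambda r: r["score"], reverse=True)


RO = ["get", "list", "watch"]
RW = RO + ["create", "update", "patch", "delete"]
SAMPLE_ITEMS: List[Dict[str, Any]] = [  # constructed, not dumped from a cluster
    {"kind": "ClusterRole", "metadata": {"name": "developer"}, "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log", "services"], "verbs": RO},
        {"apiGroups": ["apps"], "resources": ["deployments", "replicasets"], "verbs": RO}]},
    {"kind": "RoleBinding", "metadata": {"name": "developers", "namespace": "shop"},
     "roleRef": {"kind": "ClusterRole", "name": "developer"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
    {"kind": "Role", "metadata": {"name": "sre", "namespace": "shop"}, "rules": [
        {"apiGroups": ["", "apps"], "verbs": RW,
         "resources": ["deployments", "statefulsets", "pods", "pods/exec",
                       "services", "configmaps", "secrets"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "sre", "namespace": "shop"},
     "roleRef": {"kind": "Role", "name": "sre"},
     "subjects": [{"kind": "Group", "name": "sre"}]},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"}, "rules": [  # as built in
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "platform-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "platform-admins"}]},
]

if __name__ == "__main__":
    for row in audit_rbac(SAMPLE_ITEMS):
        print(f"{row['score']:4d} {row['kind']}/{row['name']:14s} "
              f"-> {row['subjects']} {row['reasons']}")
```

The read-only developer ClusterRole scores zero, the namespaced SRE Role is flagged for reading secrets and creating pods/exec, and cluster-admin sits on top; the `DEFAULT_GROUPS` rule catches the common mistake of binding any role to system:authenticated, which hands it to every OIDC or IAM identity that can log in at all.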
If you would like to learn more about how Fairwinds Insights can help your business achieve compliance with the NSA’s recent guidelines, read our newest white paper, Steps to Meeting NSA Kubernetes Hardening Guidelines.
Our NSA white paper also provides information on meeting all the NSA recommendations, not just those surrounding authentication and authorization. The paper includes detailed discussion on other areas like pod security, network access, audit logging, threat detection and other application security practices.