Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Auditing Kubernetes for Secure Configurations

Over the last few years, container technology has gained traction in enterprise environments. And, as a result, use of containerized applications has exploded in the enterprise. Naturally, as its adoption increased, management platforms such as Kubernetes were developed to manage containerized applications. They’ve now become critical to any modern DevOps-focused infrastructure. Tenable recently released an audit to help customers secure this key piece of infrastructure in their environments.

What’s Kubernetes?

Kubernetes is an open-source orchestration platform for deploying, maintaining and scaling containerized applications. Kubernetes was originally developed by Google, and later donated to the Cloud Native Computing Foundation. By leveraging Kubernetes, organizations can:

  • Deploy applications in a predictable manner
  • Scale workloads up and down
  • Limit resource utilization
  • Increase availability through self-healing capabilities

Why use Kubernetes?

Organizations choose Kubernetes over other orchestration platforms for many reasons:

  • Kubernetes is open source, and part of the Cloud Native Computing Foundation, which has an impressive list of member organizations
  • Vendor lock-in is reduced, as deployments can leverage bare metal, virtual machines and public or private cloud – or a combination thereof
  • Kubernetes can be used for all size deployments – from single cluster to a scaled-up, federated platform orchestrating multiple geographically diverse clusters
  • Vanilla Kubernetes can easily be extended with enterprise-grade options such as Tectonic, Rancher and OpenShift

Why audit Kubernetes configuration?

Depending on the workloads run on Kubernetes, you may consider it a core piece of network infrastructure. After all, it could be hosting the external applications that generate revenue for your business, sensitive internal applications, customer information and more.

Auditing security configurations of such platforms should therefore be an important part of any organization’s security program. A secure configuration audit provides a level of assurance that an information system is configured based on industry standard best practice recommendations.

To protect an information system, you need to account for every flaw that may exist, while an attacker may only need to find a single flaw to exploit. As an example, a recommended configuration is to only allow https traffic to the API server. If the traffic was not encrypted, it may be possible for an attacker to obtain sensitive information such as secrets and keys, and potentially take over control of the cluster. The good news is that Tenable customers now have the ability to perform a configuration audit of your Kubernetes based on the Center for Internet Security (CIS) benchmark.

CIS Kubernetes Benchmark

The CIS recently released the CIS Kubernetes Benchmark, which provides detailed guidance to securely configure core components of Kubernetes, including the Master Node, Worker Node and Federated Deployments.

Master Node(s)

Responsible for managing the workload within the cluster. Services include:

  • etcd: A key-value data store for cluster configuration
  • API server: A REST service that provides an interface into Kubernetes; state is stored in etcd
  • Scheduler: Intelligently determines which nodes workloads should be assigned to
  • Controller manager: A process that controllers like the DaemonSet and Replication controller run in; controllers access the API to manage resources

Worker Nodes

Responsible for running workloads within the cluster. Services include:

  • Kubelet: Responsible for monitoring the health of containers
  • Kube-proxy: Acts as proxy and load balancer for the containers running on the node
  • Container runtime: The service which runs the containers, such as Docker

Federated Deployments

Function similar to Master Nodes, except they manage clusters instead of worker nodes. Services include:

  • Federation API server
  • Federation Controller Manager

Federation is not required in all deployments, so this section may not apply to your organization.

How to get started

To get started, log into Tenable.io and create a new Policy Compliance Auditing scan. In your scan configuration, select the Compliance tab. Under UNIX, CIS Kubernetes Benchmarks are now available. Due to Kubernetes’ deployment flexibility, the audit utilizes variables to ensure the checks are specific to your deployment.

Once the configuration is saved, run the scan and review the results.  Below is sample output from a scan. For simplicity, only results from the worker node are displayed.

Current Checks

Below is a closer view of one of the results. This page shows:

  • Pass/fail status
  • Remediation steps, if necessary
  • Individual results from the systems scanned
Check 147

Also, note the reference to cybersecurity frameworks and standards on the right (in the Reference Information section). In this example, the controls listed are:

  • ITSG-33: CM-6 – configuration settings
  • CIS CSCv6 - 9.1 – ensure that only ports, protocols and services with validated business needs are running on each system
  • NIST 800-50: CM-6 – configuration settings
  • NIST CSF: PR.IP-1 – a baseline configuration of information technology/industrial control systems is created and maintained
  • NIST 800-171: 3.4.2 – establish and enforce security configuration settings for IT products employed in organizational information systems

 

Depending on the cybersecurity framework your organization follows, you can map these compliance results to the controls to assist you in demonstrating compliance.

Wrap-up: Planning a Kubernetes deployment

When planning a Kubernetes deployment, it’s important to:

  • Create or adopt a secure configuration
  • Determine how you’ll monitor the configuration
  • Establish how frequently you’ll review the configuration

At Tenable, we regularly update our policy compliance audits to match the newest versions by Center for Internet Security (CIS) and Defense Information Systems Agency (DISA). In some cases, we produce our own best practice audits. We also realize there are many cybersecurity frameworks available for organizations to follow, so we regularly map the checks in the policy compliance audits to various framework controls.

Learn more about Tenable.io.



Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training