kubernetes / sig-security

Process documentation, non-code deliverables, and miscellaneous artifacts of Kubernetes SIG Security
Apache License 2.0

Kubernetes Hardening Guide #30

Open raesene opened 3 years ago

raesene commented 3 years ago

What would you like to be added

As part of SIG-Security-Docs, we've been discussing the creation of a hardening guide for Kubernetes. We've got an initial document for the guide's creation here https://docs.google.com/document/d/1teb42X_c5_k8PNOSEEEbVnEr9aVAwWJXezBuf5fdmZU/edit

Why is this needed

The goal of the hardening guide is to provide guidance to cluster operators about how they can improve the security of their clusters. This will be done by discussing the major areas of security relating to a Kubernetes cluster, looking at the options available for hardening and the trade-offs inherent in them. In contrast to existing 3rd party documentation in this area (the CIS benchmark) which is a prescriptive audit style document, this guide should provide a more discursive approach.

Table of Areas

| Section | Assignee | PR(s) |
| --- | --- | --- |
| Threat Model | @cailynse | |
| Control Plane Configuration | | |
| API Server Configuration | | |
| Scheduler Configuration | @AnshumanTripathi | |
| Controller Manager Configuration | | |
| File Permissions | | |
| Worker Node Configuration | | |
| PKI Management | | |
| Cluster Authentication | @raesene | |
| Authorization | @bjornsen @vinayakankugoyal | |
| Workload Security Configuration | | |
| Network Policy Configuration | @cailynse | |
| Resource Limits | | |
| Add-On Configuration | | |

cc @savitharaghunathan @sftim

sftim commented 3 years ago

/sig security

sftim commented 3 years ago

/triage accepted

fejta-bot commented 3 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

savitharaghunathan commented 3 years ago

/remove-lifecycle stale

k8s-triage-robot commented 2 years ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 2 years ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

savitharaghunathan commented 2 years ago

/remove-lifecycle rotten

savitharaghunathan commented 2 years ago

/transfer sig-security

k8s-triage-robot commented 2 years ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 2 years ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

sftim commented 2 years ago

/remove-lifecycle rotten

Hope that's OK

cailynse commented 2 years ago

I'd be really interested in helping with this one!

k8s-triage-robot commented 2 years ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 1 year ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

cailynse commented 1 year ago

/remove-lifecycle rotten

@savitharaghunathan - is this something we could work on in the next cycle with SIG Security Docs?

cailynse commented 1 year ago

/assign

ericsmalling commented 1 year ago

I'm interested in helping, even if just to help review and learn.

cailynse commented 1 year ago

Awesome! @ericsmalling feel free to pick up a section! I've just been researching and trying to fill in the TODOs from the top down!

cailynse commented 1 year ago

Threat Modelling PR: https://github.com/kubernetes/website/pull/39087

I'll also take Network Policy Configuration, please and thank you!

bjornsen commented 1 year ago

I'm interested in Authorization.

raesene commented 1 year ago

1st Draft for the Authentication section is open for comment on Hackmd https://hackmd.io/kxo4SRN3T3ipJHca2JNPTg

raesene commented 1 year ago

@bjornsen cool! I've added that assignment to the table at the top.

vinayakankugoyal commented 1 year ago

@bjornsen and I are going to be collaborating on Authorization.

PushkarJ commented 1 year ago

This might be of interest to the group here: https://github.com/cncf/tag-security/issues/1054

k8s-triage-robot commented 1 year ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

savitharaghunathan commented 1 year ago

/remove-lifecycle stale

raesene commented 1 year ago

Hey all, so I've done some more fix-ups on the authentication section (https://hackmd.io/kxo4SRN3T3ipJHca2JNPTg?both). Seems like it's probably in a decent enough spot to open a PR?

I know we had a quick chat about where in the docs site these pages should go, but I'm not sure we came to any firm conclusion.

savitharaghunathan commented 1 year ago

I think concepts -> security is a good home for the hardening guide. If needed we can create a folder and add items there, e.g. concepts -> security -> hardening guide -> auth mechanisms. @reylejano WDYT? Should we bring this up in a sig-docs meeting or create a draft PR to get feedback on the content as well as the location?

sftim commented 1 year ago

> I think concepts -> security is a good home for the hardening guide

:+1:

A guide like this might then link to specific task pages, e.g. “Enable audit logging”, “Configure KMS encryption for API objects”.

reylejano commented 1 year ago

> I think concepts -> security is a good home for the hardening guide. If needed we can create a folder and add items there, e.g. concepts -> security -> hardening guide -> auth mechanisms. @reylejano WDYT? Should we bring this up in a sig-docs meeting or create a draft PR to get feedback on the content as well as the location?

I think concepts -> security -> hardening guide works, which translates to /docs/concepts/security/hardening-guide

sftim commented 1 year ago

I wonder if we want to add a section to the list: cluster network security. That's different from network policy.

For example, you can harden Kubernetes by using MACsec between nodes, with appropriately frequent rekeying (lots of alternatives exist).

raesene commented 1 year ago

Yeah, I could see cluster network security being a good addition, as the topic is wider than just netpol.

On the organization of the page, that makes sense to me, I'll do a PR for the Authentication section with that structure and we can see if it works well :).

raesene commented 1 year ago

Opened the PR here https://github.com/kubernetes/website/pull/42486

ashish493 commented 10 months ago

I've opened a PR for Authorization Guide - kubernetes/website/#43623. Reviews and feedback are appreciated.

ashish493 commented 10 months ago

I'm planning to pick the Resource Limits topic next. If anyone else is working on this topic, let me know if I can be of any help.

slashben commented 10 months ago

I am happy to work on

AnshumanTripathi commented 7 months ago

I volunteer to work on Scheduler Configuration.