
Is your Kubernetes cluster secure? Here’s a simple first step to harden it.

IT organizations need to ensure that their Kubernetes clusters can resist cyberattacks that can compromise sensitive data and applications. These tips can help you build a compliant, secure cloud-native computing platform.

by Alex Tesch, Senior Solution Architect, Cloud Native Computing Practice, HPE Advisory & Professional Services

With the growing number of Kubernetes clusters running production workloads in enterprises, security teams are increasingly concerned that black-hat hackers could exploit K8s vulnerabilities and gain control of the applications and data hosted in the cluster. HPE Services Advisory & Professional Services offers a simple first step to harden enterprise Kubernetes clusters, based on our extensive experience and expertise in Kubernetes platform design, build, and operation.

The days when corporations considered K8s simply a development and testing platform for getting ready for the cloud-native world are over. Developers have demonstrated time and again the benefits of Kubernetes as a container orchestrator and critical resource provider for their pipelines, bringing new features and capabilities to enterprise applications in record time.

As software development accelerated and developers found new uses for K8s, security, in most cases, was an afterthought. Nowadays, it is imperative to ensure that Kubernetes clusters are hardened to acceptable standards to reduce the risk of exploits that can compromise sensitive data and applications.

The Center for Internet Security (CIS) provides the de facto standards for benchmarking the security of IT systems, and Kubernetes is no exception. To harden a Kubernetes cluster according to the CIS Kubernetes Benchmark 1.6 (the latest at the time of this writing), Kubernetes administrators can obtain the document from the CIS website:

  https://www.cisecurity.org/cis-benchmarks

The document is 271 pages long, so performing the hardening manually is a very time-consuming endeavor.

Accelerate Kubernetes hardening with Kube-Bench

Luckily for K8s admins, there are faster ways to harden Kubernetes and bring it up to CIS standards. Kube-Bench is an open-source project that works with the CIS community to automate the hardening tests, advise on how to fix failed test cases, and bring the Kubernetes cluster into compliance. It is written in Go, and the source code is hosted at:

 https://github.com/aquasecurity/kube-bench

It is available for everyone to use under the Apache 2.0 license. Kube-Bench is open to feedback and ideas for improvement as well as code contributions to make it better.

The Kube-Bench tool is already containerized, and the manifests to run it on Kubernetes are available at:

https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job-master.yaml (advice on master/etcd hardening)

and

https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job-node.yaml (advice on worker hardening).

Assessing the CIS compliance of a Kubernetes cluster is as simple as running the Kube-Bench manifest with the kubectl client. The pod runs for less than a minute, and once it completes the logs can be extracted from it. These logs list the failed tests together with the configuration changes needed to make the Kubernetes cluster CIS compliant. Kube-Bench is definitely a faster way to perform the hardening tests and gain insight into the best practices provided by the Center for Internet Security.
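The run-then-read-the-logs procedure above, as an added shell example that is not code from the article or the kube-bench project: run_kube_bench() applies the job-master.yaml manifest, waits for the job and saves its log, and the other functions pull the failed check IDs and their remediation text out of a saved log. It assumes kubectl is pointed at the cluster and that the job is named kube-bench-master as in that manifest; the sample log is constructed in the shape of kube-bench output so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the article or the kube-bench project).
# run_kube_bench() assumes kubectl points at the cluster and that the job in
# job-master.yaml is named kube-bench-master. The remaining functions read a
# saved log; they are exercised below on a constructed, abridged sample.
set -eu

JOB_URL="https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job-master.yaml"

run_kube_bench() {              # $1 = file to write the log to
  kubectl apply -f "$JOB_URL"
  kubectl wait --for=condition=complete job/kube-bench-master --timeout=120s
  kubectl logs job/kube-bench-master > "$1"
  kubectl delete -f "$JOB_URL"
}

count_status() {                # $1 = log file, $2 = PASS, FAIL or WARN
  grep -c "^\[$2\]" "$1" || true
}

failed_ids() {                  # $1 = log file; prints the ID of each [FAIL] check
  awk '$1 == "[FAIL]" { print $2 }' "$1"
}

remediation_for() {             # $1 = log file, $2 = check ID, e.g. 1.2.6
  awk -v id="$2" '
    /^== Remediations/ { in_rem = 1; next }
    /^== /             { in_rem = 0 }
    in_rem && $1 == id { sub(/^[^ ]+ /, ""); print }
  ' "$1"
}

SAMPLE_LOG=$(mktemp)            # constructed sample, not a real scan result
cat > "$SAMPLE_LOG" <<'EOF'
[PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)
[FAIL] 1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)
[WARN] 1.2.9 Ensure that the admission control plugin EventRateLimit is set (Manual)
[FAIL] 1.2.16 Ensure that the admission control plugin PodSecurityPolicy is set (Automated)

== Remediations master ==
1.2.6 Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets.
1.2.16 Follow the documentation and create Pod Security Policy objects as per your environment.
EOF

echo "FAIL: $(count_status "$SAMPLE_LOG" FAIL)  WARN: $(count_status "$SAMPLE_LOG" WARN)"
for id in $(failed_ids "$SAMPLE_LOG"); do
  echo "$id -> $(remediation_for "$SAMPLE_LOG" "$id")"
done
```

Against a live cluster, call `run_kube_bench /tmp/kube-bench-master.log` and point the same functions at that file; the node job (job-node.yaml) is handled identically with its own job name.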

Take security to the next level with HPE Services

To operate a CIS-compliant, secure cloud-native computing platform, you won’t want to stop there. For some enterprise Kubernetes distributions, it is possible to draft the template with HPE Services’ K8s cluster design and request CIS 1.6 compliance. Rancher Kubernetes Engine 2 (also known as RKE Government) is one of the offerings that HPE Pointnext Services can help customers leverage. As part of the design and build of a customer’s Container Orchestration Platform, HPE Services Advisory & Professional Services can take CIS compliance into consideration before deploying the Kubernetes cluster. We can expedite the go-live of production applications on a hardened platform based on our cloud-native computing security reference architecture and its minimum viable functionalities (see below).

[Figure: HPE Services cloud-native computing security reference architecture]

HPE Services Advisory & Professional Services can help you get the most out of your Kubernetes security strategy. We understand that once cloud-native workloads reach production maturity, care must be taken to comply with regulations and security guidelines. The HPE Container Adoption Service can help your team design a container platform that lets you run your applications in production while addressing security compliance.

Learn more about technology services consulting from HPE – expert advice and implementation to take your digital transformation to the next level.

Read more about HPE Services and how we help you navigate what’s next.

Alex Tesch has been working with open-source enterprise technologies for most of his 22-year IT career. Before joining Hewlett Packard Enterprise, he worked with Red Hat, IBM and Sun Microsystems. Alex is currently an APJ lead consultant in the Hybrid IT Center of Excellence at HPE, where he designs and evangelizes cloud-native solutions that help customers modernize their infrastructure and adopt new best practices to leverage next-generation IT.

About the Author

ServicesExperts

HPE Services Team experts share their insights on the topics and technologies that matter most for your business.
