NSA Kubernetes Hardening (Development)
Scope: Development SDK | Guidance Ver: 1.0 | Profile: Build-Time Security
Shared Responsibility Disclaimer
The NSA/CISA hardening guidance for the Development Variant focuses on ensuring that the build-time environment doesn't introduce supply chain risks.
- Image Scope: We enforce non-root users and immutable layers where possible.
- Cluster Scope: Infrastructure controls (like NetworkPolicies) must be applied by the Cluster Admin during the CI/CD pipeline execution.
- Reference: Shared Responsibility Model
Build-Time Risk Profile
- Image Adherence: 100% Verified SDK Configuration
- Infrastructure Dependency: 4 Cluster-Level Controls Required
- Actionable Violations: Zero Direct Container Risks
Control Matrix
1. Automated Checks (Container Image Scope)
| ID | Hardening Control | Severity | Audit Status |
|---|---|---|---|
| 1.0 | Non-root containers | MEDIUM | |
| 1.1 | Immutable container file systems | LOW | |
| 1.2 | Preventing privileged containers | HIGH | |
| 1.3 | Share container process namespaces | HIGH | |
| 1.4 | Share host process namespaces | HIGH | |
| 1.5 | Use the host network | HIGH | |
| 1.6 | Run with root privileges or with root group membership | LOW | |
| 1.7 | Restricts escalation to root privileges | MEDIUM | |
| 1.8 | Sets the SELinux context of the container | MEDIUM | |
| 1.9 | Restrict a container's access to resources with AppArmor | MEDIUM | |
| 1.10 | Sets the seccomp profile used to sandbox containers | LOW | |
| 1.11 | Protecting Pod service account tokens | MEDIUM | |
| 1.12 | Namespace kube-system should not be used by users | MEDIUM | |
| 2.0 | Pod and/or namespace Selectors usage | MEDIUM | |
| 4.0 | Use ResourceQuota policies to limit resources | MEDIUM | |
| 4.1 | Use LimitRange policies to limit resources | MEDIUM | |
| 5.1 | Encrypt etcd communication | CRITICAL | |
| 6.1 | Check that encryption resource has been set | CRITICAL | |
| 6.2 | Check encryption provider | CRITICAL | |
| 7.0 | Make sure anonymous-auth is unset | CRITICAL | |
| 7.1 | Make sure --authorization-mode=RBAC | CRITICAL | |
| 8.1 | Audit log path is configured | MEDIUM | |
| 8.2 | Audit log aging | MEDIUM | |
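As an added example (not part of this report or the SDK's own tooling), the following Python script evaluates a Pod manifest against the image-scope controls above that can be read directly from the Pod spec: 1.0 through 1.7, 1.10, 1.11 and 1.12. The control IDs are the matrix's; the mapping from each control to Pod API fields, the two constructed manifests, and the `example.invalid` image reference are assumptions of this example. Controls 1.8 and 1.9 (SELinux, AppArmor) and the cluster-level rows depend on node or control-plane configuration and are not checked here.

```python
"""Pod-spec auditor for the image-scope controls of the NSA/CISA matrix.

Added example; the control-to-field mapping is this example's reading of the
Kubernetes Pod API, not the report's own scanner logic.
"""
from typing import Any, Dict, List


def _containers(pod: Dict[str, Any]) -> List[Dict[str, Any]]:
    """All containers of a pod, init containers included."""
    spec = pod.get("spec", {})
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))


def _ctx(pod: Dict[str, Any], container: Dict[str, Any], key: str, default=None):
    """Resolve a securityContext field: container-level overrides pod-level."""
    c_ctx = container.get("securityContext", {})
    if key in c_ctx:
        return c_ctx[key]
    return pod.get("spec", {}).get("securityContext", {}).get(key, default)


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return the sorted IDs of the matrix controls this pod fails."""
    spec = pod.get("spec", {})
    failed = set()

    # 1.12: workloads must not be scheduled into kube-system
    if pod.get("metadata", {}).get("namespace") == "kube-system":
        failed.add("1.12")
    # 1.3 / 1.4 / 1.5: pod-level namespace sharing with other containers or the host
    if spec.get("shareProcessNamespace"):
        failed.add("1.3")
    if spec.get("hostPID") or spec.get("hostIPC"):
        failed.add("1.4")
    if spec.get("hostNetwork"):
        failed.add("1.5")
    # 1.11: the service account token is auto-mounted unless explicitly disabled
    if spec.get("automountServiceAccountToken", True):
        failed.add("1.11")

    for c in _containers(pod):
        c_ctx = c.get("securityContext", {})
        if _ctx(pod, c, "runAsNonRoot") is not True:          # 1.0
            failed.add("1.0")
        if c_ctx.get("readOnlyRootFilesystem") is not True:    # 1.1
            failed.add("1.1")
        if c_ctx.get("privileged"):                            # 1.2
            failed.add("1.2")
        if _ctx(pod, c, "runAsUser") == 0 or _ctx(pod, c, "runAsGroup") == 0:  # 1.6
            failed.add("1.6")
        if c_ctx.get("allowPrivilegeEscalation") is not False:  # 1.7 (must be explicit)
            failed.add("1.7")
        if not _ctx(pod, c, "seccompProfile"):                 # 1.10
            failed.add("1.10")

    # Sort numerically so "1.10" follows "1.7" rather than "1.1"
    return sorted(failed, key=lambda s: tuple(int(p) for p in s.split(".")))


# Constructed sample: a development shell pod with the weak defaults a scanner flags.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "dev-shell"},
    "spec": {
        "hostNetwork": True,
        "hostPID": True,
        "containers": [{
            "name": "sdk",
            "image": "example.invalid/dev-sdk:latest",  # placeholder image reference
            "securityContext": {"privileged": True, "runAsUser": 0},
        }],
    },
}

# Constructed sample: the same pod with the image-scope controls satisfied.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "dev-shell"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {
            "runAsNonRoot": True, "runAsUser": 65532, "runAsGroup": 65532,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "sdk",
            "image": "example.invalid/dev-sdk:latest",  # placeholder image reference
            "securityContext": {
                "readOnlyRootFilesystem": True,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    print("weak pod fails:", audit_pod(WEAK_POD))
    print("hardened pod fails:", audit_pod(HARDENED_POD))
```

Controls 1.0, 1.7 and 1.10 are reported as failed when the field is merely absent, not only when it is set wrongly: a pod that omits `runAsNonRoot`, `allowPrivilegeEscalation` or `seccompProfile` inherits the permissive Kubernetes defaults, so a build-time check has to require the explicit setting.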
2. Manual / Cluster Scope (Out-of-Scope)
| ID | Hardening Control | Severity | Responsibility |
|---|---|---|---|
| 3.0 | Use CNI plugin that supports NetworkPolicy API (Manual) | CRITICAL | |
| 5.0 | Control plane disable insecure port (Manual) | CRITICAL | |
| 6.0 | Ensure kube config file permission (Manual) | CRITICAL | |
| 8.0 | Audit policy is configured (Manual) | HIGH | |
Hardening Principles (Development SDK)
The Development variant provides the tools necessary for building FIPS-compliant applications while maintaining a secure posture:
- Non-Root Execution: Despite being a development image, the container runs as a non-privileged user to limit potential exploit impact.
- Verified Toolchain: All binaries included (gcc, perl, etc.) are sourced from the hardened Wolfi ecosystem.
- SBOM Transparency: This image includes a full CycloneDX SBOM to track all included development dependencies.