NSA Kubernetes Hardening (Distroless)
Scope: Distroless Image | Guidance Ver: 1.0 | Profile: Hardened Workload
Shared Responsibility: Infrastructure Scoping
The NSA/CISA Kubernetes guidance requires hardening at both the container and cluster levels.
- In-Scope (Container): The Distroless image satisfies all static requirements by eliminating the shell, reducing binaries, and enforcing non-root execution.
- Out-of-Scope (Cluster): Network isolation policies and API server configurations must be verified by the Cluster Admin.
- Reference: Shared Responsibility Model
Production Risk Profile
- Image Adherence: 100% Automated Container Audit
- Runtime Dependency: 4 Cluster-Level Verifications
- Actionable Violations: Zero Immediate Remediation
Control Matrix
1. Automated Checks (Container Image Scope)
| ID | Hardening Control | Severity | Audit Status |
|---|---|---|---|
| 1.0 | Non-root containers | MEDIUM | |
| 1.1 | Immutable container file systems | LOW | |
| 1.2 | Preventing privileged containers | HIGH | |
| 1.3 | Share container process namespaces | HIGH | |
| 1.4 | Share host process namespaces | HIGH | |
| 1.5 | Use the host network | HIGH | |
| 1.6 | Run with root privileges or with root group membership | LOW | |
| 1.7 | Restricts escalation to root privileges | MEDIUM | |
| 1.8 | Sets the SELinux context of the container | MEDIUM | |
| 1.9 | Restrict a container's access to resources with AppArmor | MEDIUM | |
| 1.10 | Sets the seccomp profile used to sandbox containers | LOW | |
| 1.11 | Protecting Pod service account tokens | MEDIUM | |
| 1.12 | Namespace kube-system should not be used by users | MEDIUM | |
| 2.0 | Pod and/or namespace Selectors usage | MEDIUM | |
| 4.0 | Use ResourceQuota policies to limit resources | MEDIUM | |
| 4.1 | Use LimitRange policies to limit resources | MEDIUM | |
| 5.1 | Encrypt etcd communication | CRITICAL | |
| 6.1 | Check that encryption resource has been set | CRITICAL | |
| 6.2 | Check encryption provider | CRITICAL | |
| 7.0 | Make sure anonymous-auth is unset | CRITICAL | |
| 7.1 | Make sure --authorization-mode=RBAC | CRITICAL | |
| 8.1 | Audit log path is configured | MEDIUM | |
| 8.2 | Audit log aging | MEDIUM | |
2. Manual / Cluster Scope (Out-of-Scope)
| ID | Hardening Control | Severity | Responsibility |
|---|---|---|---|
| 3.0 | Use CNI plugin that supports NetworkPolicy API (Manual) | CRITICAL | |
| 5.0 | Control plane disable insecure port (Manual) | CRITICAL | |
| 6.0 | Ensure kube config file permission (Manual) | CRITICAL | |
| 8.0 | Audit policy is configured (Manual) | HIGH | |
Key Hardening Principles (Distroless)
By utilizing a Distroless base image, we natively address several NSA hardening requirements:
- Attack Surface Reduction: By removing shells (`/bin/sh`, `/bin/bash`) and package managers (`apk`), the lateral movement capability of an attacker is significantly restricted.
- Binary Integrity: Only the minimal required OpenSSL FIPS binaries are present, reducing the risk of unauthorized binary execution.
- Read-Only Compatibility: The image is optimized for `readOnlyRootFilesystem: true`, a core NSA recommendation for immutable workloads.
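The automated checks in the control matrix and the principles above both come down to fields a Pod manifest either sets or leaves at their defaults. The following Python audit is an added example, not the audit tool's own code: it evaluates a Pod spec against the container-scope controls 1.0 to 1.7 and 1.10 to 1.12 using the IDs from the matrix. Both Pod manifests are constructed samples; control 1.6 is interpreted here as "runAsUser and runAsGroup are set and non-zero", and 1.10 accepts the `RuntimeDefault` or `Localhost` seccomp profile types (both are assumptions about the tool's exact checks, not taken from the page).

```python
"""Audit a Kubernetes Pod manifest against the container-scope controls in the
matrix above. Added example, not the audit tool's code; control IDs follow the
page's matrix, and both Pod manifests are constructed samples."""

# Hardened Pod on a distroless image (constructed sample).
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "svc", "namespace": "payments"},
    "spec": {
        "automountServiceAccountToken": False,          # control 1.11
        "securityContext": {                             # Pod-level defaults
            "runAsNonRoot": True,                        # control 1.0
            "runAsUser": 65532,                          # control 1.6
            "runAsGroup": 65532,
            "seccompProfile": {"type": "RuntimeDefault"},  # control 1.10
        },
        "containers": [{
            "name": "app",
            "image": "registry.example/app:distroless",  # placeholder image
            "securityContext": {
                "readOnlyRootFilesystem": True,          # control 1.1
                "allowPrivilegeEscalation": False,       # control 1.7
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

# Same workload with typical defaults left in place (constructed sample).
DEFAULT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "svc", "namespace": "kube-system"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "app",
            "image": "registry.example/app:debian",      # placeholder image
            "securityContext": {"privileged": True},
        }],
    },
}


def _effective(pod, container, key):
    """Container securityContext overrides the Pod-level one; None if neither sets it."""
    cval = (container.get("securityContext") or {}).get(key)
    if cval is not None:
        return cval
    return (pod["spec"].get("securityContext") or {}).get(key)


def audit_pod(pod):
    """Return {control_id: 'PASS'|'FAIL'}; a Pod fails a control if any container fails it."""
    spec = pod["spec"]
    ns = pod.get("metadata", {}).get("namespace", "default")
    results = {
        "1.3": not spec.get("shareProcessNamespace", False),
        "1.4": not (spec.get("hostPID", False) or spec.get("hostIPC", False)),
        "1.5": not spec.get("hostNetwork", False),
        "1.11": spec.get("automountServiceAccountToken") is False,
        "1.12": ns != "kube-system",
    }
    per_container = {"1.0": [], "1.1": [], "1.2": [], "1.6": [], "1.7": [], "1.10": []}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        per_container["1.0"].append(_effective(pod, c, "runAsNonRoot") is True)
        # readOnlyRootFilesystem, privileged and allowPrivilegeEscalation exist only
        # at container level, so they are read from the container context directly.
        per_container["1.1"].append(sc.get("readOnlyRootFilesystem") is True)
        per_container["1.2"].append(sc.get("privileged") is not True)
        uid = _effective(pod, c, "runAsUser")
        gid = _effective(pod, c, "runAsGroup")
        per_container["1.6"].append(uid not in (None, 0) and gid not in (None, 0))
        per_container["1.7"].append(sc.get("allowPrivilegeEscalation") is False)
        prof = _effective(pod, c, "seccompProfile") or {}
        per_container["1.10"].append(prof.get("type") in ("RuntimeDefault", "Localhost"))
    for cid, checks in per_container.items():
        results[cid] = bool(checks) and all(checks)  # a Pod with no containers fails
    ordered = sorted(results, key=lambda cid: [int(part) for part in cid.split(".")])
    return {cid: ("PASS" if results[cid] else "FAIL") for cid in ordered}


def failing_controls(pod):
    """Control IDs the Pod fails, in matrix order."""
    return [cid for cid, status in audit_pod(pod).items() if status == "FAIL"]


if __name__ == "__main__":
    for label, pod in (("hardened", HARDENED_POD), ("defaults", DEFAULT_POD)):
        print(label, audit_pod(pod))
```

Controls 1.8 and 1.9 (SELinux and AppArmor) are deliberately left out because their verdict depends on node configuration rather than on the manifest alone; the hardened sample passes every control the function checks, while the default sample fails all of them except 1.3 and 1.4.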