NSA Kubernetes Hardening
Scope: Standard Image | Guidance Ver: 1.0 | Profile: Pod Security & Network Hardening
Scope of Responsibility (Shared Responsibility Model)
The NSA/CISA Kubernetes Hardening Guidance covers the entire infrastructure lifecycle.
* In-Scope (Container Level): Image configurations like non-root execution, dropped capabilities, and filesystem immutability are handled directly by this OpenSSL FIPS image.
* Out-of-Scope (Cluster Level): Controls related to etcd encryption, NetworkPolicies, and API server configurations are Runtime/Infrastructure responsibilities. They appear in this report for completeness but must be enforced via your Kubernetes manifests (e.g., Deployment / PodSecurityContext) and Cluster configuration.
Risk Mitigation Profile
- Image Adherence: 100% (Container-Level Controls)
- Passed Controls: 23 / 23 (Static Configurations Verified)
- Runtime Dependency: 4 (Cluster & Deployment Dependent)
Control Matrix
1. Automated Checks (Container Image Scope)
These controls are statically verified against the Docker image layers.
| ID | Hardening Control | Severity | Audit Status |
|---|---|---|---|
| 1.0 | Non-root containers | MEDIUM | |
| 1.1 | Immutable container file systems | LOW | |
| 1.2 | Preventing privileged containers | HIGH | |
| 1.3 | Share containers process namespaces | HIGH | |
| 1.4 | Share host process namespaces | HIGH | |
| 1.5 | Use the host network | HIGH | |
| 1.6 | Run with root privileges or with root group membership | LOW | |
| 1.7 | Restricts escalation to root privileges | MEDIUM | |
| 1.8 | Sets the SELinux context of the container | MEDIUM | |
| 1.9 | Restrict a container's access to resources with AppArmor | MEDIUM | |
| 1.10 | Sets the seccomp profile used to sandbox containers. | LOW | |
| 1.11 | Protecting Pod service account tokens | MEDIUM | |
| 1.12 | Namespace kube-system should not be used by users | MEDIUM | |
| 2.0 | Pod and/or namespace Selectors usage | MEDIUM | |
| 4.0 | Use ResourceQuota policies to limit resources | MEDIUM | |
| 4.1 | Use LimitRange policies to limit resources | MEDIUM | |
| 5.1 | Encrypt etcd communication | CRITICAL | |
| 6.1 | Check that encryption resource has been set | CRITICAL | |
| 6.2 | Check encryption provider | CRITICAL | |
| 7.0 | Make sure anonymous-auth is unset | CRITICAL | |
| 7.1 | Make sure --authorization-mode=RBAC | CRITICAL | |
| 8.1 | Audit log path is configured | MEDIUM | |
| 8.2 | Audit log aging | MEDIUM | |
2. Manual / Infrastructure Checks (Cluster Scope) (1)
These controls cannot be satisfied by the container image alone. They require proper securityContext settings in your Kubernetes YAML and secure cluster administration.
| ID | Hardening Control | Severity | Responsibility |
|---|---|---|---|
| 3.0 | Use CNI plugin that supports NetworkPolicy API (Manual) | CRITICAL | |
| 5.0 | Control plane disable insecure port (Manual) | CRITICAL | |
| 6.0 | Ensure kube config file permission (Manual) | CRITICAL | |
| 8.0 | Audit policy is configured (Manual) | HIGH | |
Policy Categories
The controls above map to the following NSA threat models:
- Non-Root Execution: Ensures containers do not run with UID 0 (Configured via Dockerfile `USER`).
- Immutable Filesystems: Prevents runtime modification of binaries (Must be enforced via `readOnlyRootFilesystem: true` in K8s).
- Network Isolation: Ensures CNI plugins support NetworkPolicies (Cluster Architecture).
(1) Refer to the Shared Responsibility Model for Cloud Native workloads.