Red Hat applauds the recent release of Kubernetes hardening guidance from the US National Security Agency (NSA) and the US Cybersecurity and Infrastructure Security Agency (CISA), a collaborative effort to improve the nation's cybersecurity. Cybersecurity is a team sport, and Red Hat is pleased to help foster collaboration between government and industry. This guidance will be especially useful to security practitioners in both the public and private sectors, who can benefit from the experience of leading cybersecurity experts.
Red Hat has long recognized the need to provide our customers and users with robust documentation and guidance; it is part of what makes our products "enterprise ready." We start by doing the hard work of analyzing the security concerns of open source technologies.
Red Hat has developed a substantial body of hardening guidance for OpenShift Container Platform (OCP), its Kubernetes distribution. That guidance aligns closely with the technical security controls in the new NSA and CISA guidance, through a combination of OCP's default settings and existing profiles for the OpenShift Compliance Operator, such as the Center for Internet Security (CIS) benchmarks.
Red Hat also continues to prioritize secure software development life cycle practices and to use automation so that security policy is easier to apply and govern at scale. Automation in OCP through OpenShift operators can apply security guidance and monitor for configuration drift. The OpenShift Compliance Operator (powered by SCAP security content built by the open source ComplianceAsCode community), the OpenShift File Integrity Operator, and tools such as StackRox (now Red Hat Advanced Cluster Security) and Red Hat Advanced Cluster Management (ACM) deliver policy-based security, governance and risk management, which reduces errors, enforces consistency and lowers the total effort required.
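To make the Compliance Operator workflow described above concrete, here is an added example (not code from the original post or from Red Hat's documentation) of a ScanSettingBinding that schedules the CIS benchmark scans for a cluster. It assumes the Compliance Operator is installed in its usual `openshift-compliance` namespace and that the `ocp4-cis` and `ocp4-cis-node` profiles it ships are present; the binding name `cis-hardening` is a hypothetical choice.

```yaml
# Added example: bind the CIS platform and node profiles to the operator's
# "default" ScanSetting so the cluster is scanned and rescanned on a schedule.
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: cis-hardening              # hypothetical name
  namespace: openshift-compliance
profiles:
  # Platform-level checks (API server, etcd, RBAC, audit configuration).
  - name: ocp4-cis
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
  # Node-level checks (kubelet flags, file ownership and permissions).
  - name: ocp4-cis-node
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  # "default" scans on the operator's built-in cron schedule and only reports.
  # Switch to "default-auto-apply" to have the operator apply the generated
  # ComplianceRemediation objects (MachineConfigs) automatically.
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
```

After `oc apply -f` on that file, the operator creates a ComplianceSuite and, for each rule, a ComplianceCheckResult. Drift shows up as failed checks on later scheduled scans, so the check a practitioner wants is `oc get compliancecheckresults -n openshift-compliance -l compliance.openshift.io/check-status=FAIL`; each failing check with an available fix also has a ComplianceRemediation object that can be reviewed before it is applied.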
Because Kubernetes is a core component of Red Hat's OpenShift Container Platform (OCP), Red Hat has already invested heavily in its security. Red Hat engineering teams test and evaluate the security attributes of these technologies using static code analysis, automated CI/CD testing, and performance and reliability testing, among other approaches. We work to equip our enterprise products with hardened defaults and security baselines such as validated STIGs or CIS benchmarks. OpenShift Security Context Constraints (SCCs), comparable to Kubernetes Pod Security Policies, exemplify this commitment: SCCs are enabled by default and control the permissions a pod may request, such as running as root, using host namespaces, or adding Linux capabilities. Although Kubernetes Pod Security Policies are deprecated (deprecated in Kubernetes 1.21 and removed in 1.25), Red Hat continues to support SCCs in OCP for the entirety of its lifecycle.
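As an added illustration of what an SCC actually constrains (this is example YAML written for this page, not an SCC shipped with OCP), the following custom SCC denies the pod-level privileges the NSA/CISA guidance warns about. Its name, `example-restricted-hardened`, is hypothetical; the fields are the `security.openshift.io/v1` SCC fields, and the comments note which values a permissive SCC such as the built-in `privileged` one would set instead.

```yaml
# Added example: a hardened SCC. Pods admitted under it cannot run privileged,
# cannot use host namespaces, must drop all capabilities, and run as a UID from
# the namespace's assigned range rather than as root.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: example-restricted-hardened   # hypothetical name
priority: null                        # no priority: the most restrictive match wins
allowPrivilegedContainer: false       # "privileged" sets this to true
allowPrivilegeEscalation: false       # blocks setuid binaries gaining privileges
allowHostNetwork: false               # no access to the node's network namespace
allowHostPID: false                   # no visibility of node processes
allowHostIPC: false
allowHostPorts: false
allowHostDirVolumePlugin: false       # forbids hostPath volumes (node filesystem)
readOnlyRootFilesystem: true          # containers cannot write to their image layers
requiredDropCapabilities:
  - ALL                               # every container starts with no capabilities
allowedCapabilities: []               # and may not request any back
defaultAddCapabilities: []
runAsUser:
  type: MustRunAsRange                # UID from the namespace's openshift.io/sa.scc.uid-range
seLinuxContext:
  type: MustRunAs                     # SELinux label assigned from the namespace
fsGroup:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
seccompProfiles:
  - runtime/default                   # container runtime's default syscall filter
volumes:                              # only non-host-backed volume types
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
users: []                             # grant via RBAC or oc adm policy, not inline
groups: []
```

Apply it with `oc apply -f` and grant it to a workload's service account with `oc adm policy add-scc-to-user example-restricted-hardened -z <serviceaccount> -n <namespace>`. The check that matters afterwards is which SCC a running pod was actually admitted under: OCP records it in the `openshift.io/scc` annotation, visible with `oc get pod <name> -n <namespace> -o jsonpath='{.metadata.annotations.openshift\.io/scc}'`. If that prints `privileged` or `anyuid` for a workload that should not need it, the pod's service account has been granted more than this SCC allows.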
For organizations that are unable or unwilling to dedicate resources to installing, configuring, and building the skills needed to maintain and manage their own Kubernetes deployments, Red Hat offers managed OpenShift service options.
N.B. This is an updated version of an earlier blog post.