@frbayart
Last active April 16, 2025 06:18
Kubernetes Hardening Checklist (NSA & CISA Guidance v1.2)

🔒 Pod & Container Security

  • Ensure containers run as non-root users
  • Enable immutable container filesystems (where applicable)
  • Scan container images for vulnerabilities/misconfigurations
  • Disable privilege escalation and dangerous capabilities:
    • No privileged containers
    • No hostPID, hostIPC, hostNetwork
    • No unrestricted hostPath mounts (allowedHostPath)
  • Use AppArmor / SELinux / seccomp

🌐 Network Separation

  • Enforce firewall restrictions on control plane
  • Use separate networks for control plane and nodes
  • Restrict etcd access (TLS, RBAC, firewalls)
  • Encrypt etcd at rest
  • Create default deny network policies
  • Isolate namespaces using network policies

🔑 Authentication & Authorization

  • Disable anonymous authentication (--anonymous-auth=false)
  • Enable RBAC (--authorization-mode=RBAC)
  • Define and apply least-privilege roles
  • Use service accounts with minimal scopes

📜 Audit Logging

  • Enable audit logging in kube-apiserver
  • Configure and mount audit policy
  • Persist and aggregate logs to an external system
  • Monitor system and container logs
  • Use Seccomp in audit mode to monitor syscalls

🔐 Secrets & Encryption

  • Store sensitive info in Kubernetes Secrets (not config maps or env vars)
  • Encrypt Secrets at rest using encryption-provider-config
  • Optionally integrate KMS provider for Secrets
  • Rotate Secrets regularly

πŸ›‘οΈ Control Plane Hardening

  • Enforce TLS for all control plane communications
  • Protect etcd with client certs and network isolation
  • Protect kubeconfig files from unauthorized access

🧱 Resource & Namespace Policies

  • Create and enforce LimitRange and ResourceQuota
  • Apply PID limits to pods and nodes

🔄 Updates & Maintenance

  • Periodically apply security updates
  • Run vulnerability scans and penetration tests
  • Remove unused components

☁️ Cloud-Specific Hardening

  • Block pod access to cloud metadata API
  • Harden VM infrastructure and image sources

# kubernetes_hardening Role
## Structure
```
kubernetes_hardening/
├── tasks/
│   └── main.yml
├── handlers/
│   └── main.yml
├── templates/
│   ├── audit-policy.yaml.j2
│   └── encryption-config.yaml.j2
├── vars/
│   └── main.yml
├── defaults/
│   └── main.yml
├── meta/
│   └── main.yml
└── README.md
```
---
### tasks/main.yml
```yaml
---
# kube-apiserver runs as a static pod. Its flags sit under `command:` in the
# manifest as "    - --flag=value", so every managed line must keep that shape
# or the kubelet rejects the manifest. `insertafter` places a flag that is not
# present yet directly after the binary name instead of at end of file.
# The kubelet reloads the static pod on its own when the manifest changes.
# Note: the audit policy and log path must also be reachable from inside the
# pod (hostPath volume + volumeMount); that is not covered by lineinfile.
- name: Disable anonymous authentication
  lineinfile:
    path: /etc/kubernetes/manifests/kube-apiserver.yaml
    regexp: '^\s*- --anonymous-auth='
    line: '    - --anonymous-auth=false'
    insertafter: '^\s*- kube-apiserver$'

- name: Enable RBAC
  lineinfile:
    path: /etc/kubernetes/manifests/kube-apiserver.yaml
    regexp: '^\s*- --authorization-mode='
    # Node authorizer is kept next to RBAC: kubeadm clusters rely on it for kubelets
    line: '    - --authorization-mode=Node,RBAC'
    insertafter: '^\s*- kube-apiserver$'

- name: Deploy audit policy
  template:
    src: audit-policy.yaml.j2
    dest: "{{ audit_policy_path }}"
    mode: '0600'
  notify: Restart kube-apiserver

- name: Set audit policy file
  lineinfile:
    path: /etc/kubernetes/manifests/kube-apiserver.yaml
    regexp: '^\s*- --audit-policy-file='
    line: "    - --audit-policy-file={{ audit_policy_path }}"
    insertafter: '^\s*- kube-apiserver$'

- name: Enable audit log file output
  lineinfile:
    path: /etc/kubernetes/manifests/kube-apiserver.yaml
    regexp: '^\s*- --audit-log-path='
    line: '    - --audit-log-path=/var/log/kubernetes/audit.log'
    insertafter: '^\s*- kube-apiserver$'

- name: Deploy encryption config
  template:
    src: encryption-config.yaml.j2
    dest: "{{ encryption_config_path }}"
    mode: '0600'
  notify: Restart kube-apiserver

- name: Set encryption provider config
  lineinfile:
    path: /etc/kubernetes/manifests/kube-apiserver.yaml
    regexp: '^\s*- --encryption-provider-config='
    line: "    - --encryption-provider-config={{ encryption_config_path }}"
    insertafter: '^\s*- kube-apiserver$'
```
---
### handlers/main.yml
```yaml
---
# Static pods are reloaded by the kubelet when their manifest or mounted
# config changes; restarting the kubelet forces that reload immediately.
- name: Restart kube-apiserver
  command: systemctl restart kubelet
```
---
### templates/audit-policy.yaml.j2
```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # Record who touched Secrets, but never log their contents
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets"]
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["pods", "services"]
      # Deployments live in the apps API group, not the core ("") group
      - group: "apps"
        resources: ["deployments"]
```
---
### templates/encryption-config.yaml.j2
```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
# Top-level key is `resources`, a list of resource groups with their providers
resources:
  - resources:
      - secrets
    providers:
      # First provider encrypts new writes; `identity` last keeps existing
      # plaintext Secrets readable until they are rewritten
      - aescbc:
          keys:
            - name: key1
              # encryption_key must be exactly 32 raw bytes (AES-256); it is base64-encoded here
              secret: {{ encryption_key | b64encode }}
      - identity: {}
```
---
### vars/main.yml
```yaml
# vars/ has higher precedence than defaults/, so these values always win
audit_policy_path: /etc/kubernetes/audit-policy.yaml
encryption_config_path: /etc/kubernetes/encryption-config.yaml
# Placeholder of the right length (32 bytes); replace with random key material
# kept in ansible-vault rather than committed in clear text
encryption_key: "32byteslongbase64keymaterialhere"
```
---
### defaults/main.yml
```yaml
# Defaults have the lowest precedence and are overridden by vars/main.yml
audit_policy_path: /etc/kubernetes/audit-policy.yaml
encryption_config_path: /etc/kubernetes/encryption-config.yaml
# "changeme" is only 8 bytes and is rejected by aescbc; it exists to force an override
encryption_key: "changeme"
```
---
### meta/main.yml
```yaml
---
dependencies: []
```
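A post-run verification for the kube-apiserver flags the tasks above manage and for the aescbc key the encryption template emits, added here as an example (not part of the gist). The manifest and config fragments are constructed inline, and it reads the few lines it needs with regexes rather than requiring PyYAML:

```python
import base64
import re

# Flags the role and checklist require, each with a regex its value must match.
REQUIRED_FLAGS = {
    "--anonymous-auth": r"^false$",
    "--authorization-mode": r"(^|,)RBAC(,|$)",
    "--audit-policy-file": r"\S",
    "--audit-log-path": r"\S",
    "--encryption-provider-config": r"\S",
}

def check_apiserver_flags(manifest_text):
    """Return findings for a static-pod manifest; an empty list means compliant."""
    # Static pod flags appear as "    - --flag=value" lines under command:
    flags = dict(re.findall(r"^\s*-\s*(--[\w-]+)=(.*?)\s*$", manifest_text, re.M))
    findings = []
    for flag, pattern in REQUIRED_FLAGS.items():
        value = flags.get(flag)
        if value is None:
            findings.append(f"{flag} is not set")
        elif not re.search(pattern, value):
            findings.append(f"{flag}={value} does not satisfy {pattern}")
    return findings

def check_aescbc_keys(config_text):
    """aescbc 'secret' values must be base64 of exactly 32 raw bytes (AES-256)."""
    findings = []
    for encoded in re.findall(r"^\s*secret:\s*(\S+)\s*$", config_text, re.M):
        try:
            raw = base64.b64decode(encoded, validate=True)
        except ValueError:
            findings.append(f"{encoded!r} is not valid base64")
            continue
        if len(raw) != 32:
            findings.append(f"key decodes to {len(raw)} bytes, expected 32")
    return findings

# Constructed sample manifest: anonymous auth still on, encryption flag absent.
SAMPLE_MANIFEST = """\
  - command:
    - kube-apiserver
    - --anonymous-auth=true
    - --authorization-mode=Node,RBAC
    - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
    - --audit-log-path=/var/log/kubernetes/audit.log
"""
# Constructed rendered template lines: a 32-byte key, and the 8-byte "changeme".
GOOD_KEY_CONFIG = "      secret: " + base64.b64encode(b"0123456789abcdef" * 2).decode()
SHORT_KEY_CONFIG = "      secret: Y2hhbmdlbWU="
```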
---
### README.md
````markdown
# Kubernetes Hardening Role
This Ansible role implements NSA & CISA Kubernetes hardening controls:
- Disables anonymous access
- Enforces RBAC
- Sets audit policy
- Enables encryption of Secrets at rest
## Usage
```yaml
- hosts: kube_control_plane
  roles:
    - kubernetes_hardening
```
````