The adoption of Kubernetes creates a highly dynamic, unpredictable IT environment. This creates many challenges related to security and compliance. Kubernetes administrators and operators are looking for ways to adapt to evolving cyber attacks and changing regulations.
Kubernetes security requires a multi-layered approach. At the start of the software development lifecycle (SDLC), it requires strict adherence to code quality standards, security scanning of all components and container images, and digital certificates to confirm authenticity of components.
Later on, when software is running in Kubernetes clusters, there is a need to achieve full observability of the containerized environment, maintain audit trails, and closely monitor networks and data flows to avoid unauthorized access.
While organizations choose how they manage their security, regulators are the ones that set and enforce the required compliance standards. To help manage compliance, security research bodies provide standardized frameworks and guidelines for managing security in the Kubernetes ecosystem. We’ll cover several of these frameworks, and review best practices for successfully adopting them.
In this article:
The Center for Internet Security (CIS) is a global security organization that provides industry-standard recommendations for configuring cluster components. It aims to provide objective, consensus-based guidelines to improve the security posture of Kubernetes deployments.
The Kubernetes benchmark has two categories of recommendations:
CIS also provides tools to verify that Kubernetes cluster resources meet security requirements, generating alerts for components that do not meet the requirements. The CIS framework works with any Kubernetes distribution.
The National Institute of Standards and Technology (NIST) has published a special risk management framework for containers and containerized environments. Also known as the NIST Application Container Security Guide, this publication highlights the security risks associated with containerized applications and practical recommendations for addressing them.
Adopting the NIST Security Framework for Containers provides organizations with several benefits:
Related content: Read our guide to Container Compliance
The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) recently published Kubernetes hardening guidelines that describe specific threats to Kubernetes clusters and provide mitigation guidance in five key areas:
This report focuses on supply chain risks at the infrastructure level, both from external attackers and insider threats. It identifies common vulnerabilities and recommends best practices to prevent security misconfigurations.
MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) describes attack mechanisms commonly used by attack vectors in the Kubernetes ecosystem. These include:
The ATT&CK matrix is especially popular due to the depth of each tactic. By regularly updating threat models, the MITRE Matrix creates a comprehensive list of cyberattack techniques and sub-methods, taking into account general industry trends.
The Payment Card Industry Data Security Standard (PCI DSS) comprises a set of operational and technical requirements for any organization that stores, processes, or transmits payment card data.
The nature of Kubernetes environments, including elements like open source packages, container lifetimes, container sprawl, and open connectivity, all complicate PCI DSS compliance. Although containers and microservices are not directly covered by the core PCI DSS standard, it provides a Cloud Computing Guidelines supplement with guidelines for container security.
A key principle is to segment the environment in which cardholder data is stored and processed. In Kubernetes, this is done using logical, network, and service level segmentation.
The guidelines explain how to achieve PCI DSS requirements in a containerized environment. For example, when running one or more containers on dedicated Kubernetes servers, it is important to ensure that scoping, segmentation, and validation meet PCI DSS requirements, and customer data is effectively isolated.
Learn more in our detailed guide to PCI Compliance
Kubernetes has built-in security features, including log auditing, RBAC, and centralized Syslog collection, handled by Kubernetes API server. Take advantage of these available features to aggregate and analyze activity logs across all containers for evidence of attacks or misconfigurations. Address non-compliance issues and runtime activity by applying new protection policies or security patches.
Another important security measure is to ensure Kubernetes is closely coordinated with external resource requests and registries, using Kubernetes’s built-in Admission Controller. This approach is more effective at preventing vulnerabilities and unauthorized access in application deployments.
In most cases, you should leverage additional tools, beyond the default Kubernetes security features, to enable security and continuous compliance auditing of containerized applications.
The cloud platform hosting Kubernetes will typically take responsibility for its own systems and ensure ongoing compliance. However, it is too risky to assume that these cloud hosting practices are secure enough to meet your organization’s compliance responsibilities.
In fact, many cloud providers offer a shared responsibility model that places the responsibility of protecting application access, network operations, and other cloud assets directly on the customer. This makes it important to validate that cloud systems are really secure and meet compliance requirements.
An attack kill chain often starts with unrecognized container network connections or process startups. These malicious processes increase their access level by writing or modifying existing files or by using unsecured entry points. They use network traffic to forward captured data to external IP addresses, to achieve data exfiltration.
The kill chain also typically includes man-in-the-middle attacks against Kubernetes API services, zero-day attacks, insider attacks, and cryptomining attacks. Attacks using Apache Log4j vulnerabilities are also on the rise.
To prevent data loss, you can combine web application firewall (WAF) and data loss prevention (DLP) tools. These tools provide the policies and visibility you need to identify active kill chains. They can also provide an automated response by preparing to block suspicious processes and traffic before they lead to a compromise.
Many compliance frameworks explicitly require organizations to implement WAF and DLP capabilities to secure Kubernetes environments and containers. These include PCI DSS, GDPR, and SOC 2. HIPAA also strongly recommends DLP.
Implementing the right tools can provide the real-time threat response and continuous monitoring needed to achieve continuous compliance. For example:
Alongside the use of these tools, continue to validate your Kubernetes configuration with custom compliance checks and CIS benchmarks.
Through log analysis and signature-based detection, the zero trust model shifts the focus from merely reacting to detected threats to a strategy that blocks all attacks. It allows only authorized traffic and processes to be active in the environment. A fully cloud-native stack should have zero trust protections, along with access control like RBAC. The result is a more robust approach to continuous compliance.
Learn more in our detailed guide to Kubernetes security best practices
Calico supports major compliance standards including PCI DSS, HIPAA, GDPR, SOC 2, CCPA, and any custom frameworks. Calico Cloud provides Kubernetes users with the following features to address compliance requirements:
Get updates on blog posts, workshops, certification programs, new releases, and more!