Kubernetes Compliance

Kubernetes Compliance: Frameworks and 5 Critical Best Practices

What Is Kubernetes Compliance?

The adoption of Kubernetes creates a highly dynamic, unpredictable IT environment. This creates many challenges related to security and compliance. Kubernetes administrators and operators are looking for ways to adapt to evolving cyber attacks and changing regulations.

Kubernetes security requires a multi-layered approach. At the start of the software development lifecycle (SDLC), it requires strict adherence to code quality standards, security scanning of all components and container images, and digital certificates to confirm authenticity of components.

Later on, when software is running in Kubernetes clusters, there is a need to achieve full observability of the containerized environment, maintain audit trails, and closely monitor networks and data flows to avoid unauthorized access.

While organizations choose how they manage their security, regulators are the ones that set and enforce the required compliance standards. To help manage compliance, security research bodies provide standardized frameworks and guidelines for managing security in the Kubernetes ecosystem. We’ll cover several of these frameworks, and review best practices for successfully adopting them.

In this article:

Kubernetes Compliance and Security Frameworks

The Center for Internet Security (CIS) Kubernetes Benchmark

The Center for Internet Security (CIS) is a global security organization that provides industry-standard recommendations for configuring cluster components. It aims to provide objective, consensus-based guidelines to improve the security posture of Kubernetes deployments.

The Kubernetes benchmark has two categories of recommendations:

  • Level 1 – Recommendations that are relatively easy to implement and provide significant benefits without impacting business functionality.
  • Level 2 – Defense-in-depth recommendations for mission-critical environments, which are more complex to implement.

CIS also provides tools to verify that Kubernetes cluster resources meet security requirements, generating alerts for components that do not meet the requirements. The CIS framework works with any Kubernetes distribution.

NIST Application Container Security for Kubernetes

The National Institute of Standards and Technology (NIST) has published a special risk management framework for containers and containerized environments. Also known as the NIST Application Container Security Guide, this publication highlights the security risks associated with containerized applications and practical recommendations for addressing them.

Adopting the NIST Security Framework for Containers provides organizations with several benefits:

  • Standardizing the organization’s approach to risk management.
  • Evaluating areas of the Kubernetes ecosystem that require enhanced security controls.
  • Prioritizing Kubernetes security controls and determining what level of rigor is required.

Related content: Read our guide to Container Compliance

NSA & CISA Kubernetes Hardening Guidance

The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) recently published Kubernetes hardening guidelines that describe specific threats to Kubernetes clusters and provide mitigation guidance in five key areas:

  1. Kubernetes pod security
  2. Network isolation and hardening
  3. Authentication and authorization
  4. Log auditing
  5. Upgrades and application security

This report focuses on supply chain risks at the infrastructure level, both from external attackers and insider threats. It identifies common vulnerabilities and recommends best practices to prevent security misconfigurations.

The MITRE ATT&CK® Matrix for Kubernetes

MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) describes attack mechanisms commonly used by attack vectors in the Kubernetes ecosystem. These include:

  • Weak cloud credentials
  • Corrupted registry image
  • Kubeconfig vulnerabilities
  • Vulnerable applications
  • Exposed dashboards
  • Kubernetes CronJob
  • Privileged containers
  • Cluster-admin bindings
  • Reading writable mounts from nodes

The ATT&CK matrix is especially popular due to the depth of each tactic. By regularly updating threat models, the MITRE Matrix creates a comprehensive list of cyberattack techniques and sub-methods, taking into account general industry trends.

PCI DSS Compliance for Kubernetes

The Payment Card Industry Data Security Standard (PCI DSS) comprises a set of operational and technical requirements for any organization that stores, processes, or transmits payment card data.

The nature of Kubernetes environments, including elements like open source packages, container lifetimes, container sprawl, and open connectivity, all complicate PCI DSS compliance. Although containers and microservices are not directly covered by the core PCI DSS standard, it provides a Cloud Computing Guidelines supplement with guidelines for container security.

A key principle is to segment the environment in which cardholder data is stored and processed. In Kubernetes, this is done using logical, network, and service level segmentation.

The guidelines explain how to achieve PCI DSS requirements in a containerized environment. For example, when running one or more containers on dedicated Kubernetes servers, it is important to ensure that scoping, segmentation, and validation meet PCI DSS requirements, and customer data is effectively isolated.

Learn more in our detailed guide to PCI Compliance

5 Kubernetes Security Best Practices to Ensure Compliance

1. Leverage Kubernetes’s Built-In Security Features

Kubernetes has built-in security features, including log auditing, RBAC, and centralized Syslog collection, handled by Kubernetes API server. Take advantage of these available features to aggregate and analyze activity logs across all containers for evidence of attacks or misconfigurations. Address non-compliance issues and runtime activity by applying new protection policies or security patches.

Another important security measure is to ensure Kubernetes is closely coordinated with external resource requests and registries, using Kubernetes’s built-in Admission Controller. This approach is more effective at preventing vulnerabilities and unauthorized access in application deployments.

In most cases, you should leverage additional tools, beyond the default Kubernetes security features, to enable security and continuous compliance auditing of containerized applications.

2. Verify the Security of Cloud Hosts

The cloud platform hosting Kubernetes will typically take responsibility for its own systems and ensure ongoing compliance. However, it is too risky to assume that these cloud hosting practices are secure enough to meet your organization’s compliance responsibilities.

In fact, many cloud providers offer a shared responsibility model that places the responsibility of protecting application access, network operations, and other cloud assets directly on the customer. This makes it important to validate that cloud systems are really secure and meet compliance requirements.

3. Address the Entire Cyber Kill Chain

An attack kill chain often starts with unrecognized container network connections or process startups. These malicious processes increase their access level by writing or modifying existing files or by using unsecured entry points. They use network traffic to forward captured data to external IP addresses, to achieve data exfiltration.

The kill chain also typically includes man-in-the-middle attacks against Kubernetes API services, zero-day attacks, insider attacks, and cryptomining attacks. Attacks using Apache Log4j vulnerabilities are also on the rise.

To prevent data loss, you can combine web application firewall (WAF) and data loss prevention (DLP) tools. These tools provide the policies and visibility you need to identify active kill chains. They can also provide an automated response by preparing to block suspicious processes and traffic before they lead to a compromise.

Many compliance frameworks explicitly require organizations to implement WAF and DLP capabilities to secure Kubernetes environments and containers. These include PCI DSS, GDPR, and SOC 2. HIPAA also strongly recommends DLP.

4. Use Automated Tools

Implementing the right tools can provide the real-time threat response and continuous monitoring needed to achieve continuous compliance. For example:

  • Automated vulnerability detection and security policies should be integrated into the pipeline as code.
  • Events and audit logs should be processed using automated Kubernetes log analyzers.
  • SIEM technology powered by machine learning (ML) can detect attack patterns automatically.

Alongside the use of these tools, continue to validate your Kubernetes configuration with custom compliance checks and CIS benchmarks.

5. Adopt Zero Trust

Through log analysis and signature-based detection, the zero trust model shifts the focus from merely reacting to detected threats to a strategy that blocks all attacks. It allows only authorized traffic and processes to be active in the environment. A fully cloud-native stack should have zero trust protections, along with access control like RBAC. The result is a more robust approach to continuous compliance.

Learn more in our detailed guide to Kubernetes security best practices

Kubernetes Compliance with Calico

Calico supports major compliance standards including PCI DSS, HIPAA, GDPR, SOC 2, CCPA, and any custom frameworks. Calico Cloud provides Kubernetes users with the following features to address compliance requirements:

  • Continuous compliance – Monitor and log changes to security policies based on your organization’s time-based requirements. Maintain your security posture to meet compliance requirements.
  • Compliance reports – Define customer compliance reports and run reports on demand to provide proof of compliance.
  • Policy implementation – Create policies that are Kubernetes-native and based on metadata and labels instead of IP addresses.
  • CIS Benchmark reports – Get out-of-the-box CIS benchmark compliance reports. Use the GlobalReport resource to schedule reports and set compliance thresholds.

Next steps:

Join our mailing list​

Get updates on blog posts, workshops, certification programs, new releases, and more!