One of the challenges with container security and its standards is keeping current with new releases and products. New versions of the Docker and Kubernetes CIS Benchmarks were released recently to track changes in the latest versions of those projects and to expand coverage, helping people keep their environments secure.
New recommendations in the CIS Docker Benchmark v1.3
It’s been a while since the Docker benchmark received an update because the parent project’s release cycle is somewhat slower than it used to be. This version of the benchmark carried out some housekeeping activities and added new controls to take account of the new features in Docker 20.10.
The housekeeping focused on the removal of the Docker Enterprise section, which is no longer needed due to changes in the ownership of that project. This helps to simplify the content of the benchmark as well as the profiles used, which is always welcome.
In terms of new content, there are two areas where we've added recommendations to take advantage of Docker's new capabilities and to widen coverage of the product:
- 2.1 – Running the Docker daemon as non-root. With Docker's addition of support for rootless mode, in which the daemon and its containers run inside a user namespace owned by an unprivileged user, there's an opportunity to improve the security of Docker hosts: a container breakout then lands in that unprivileged account rather than in root. It won't work for every installation, since some storage and networking setups aren't supported in rootless mode, but it's definitely one to look at where possible.
- 3.23, 3.24 – New checks have been added for the ownership and permissions of the containerd files that are installed with Docker. It's easy to overlook the containerd socket when reviewing Docker security, but unauthorised access to it has the same serious effect as access to the Docker socket (anyone who can talk to it can start root-equivalent containers on the host), so securing those files is important.
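As an added example (not the benchmark's own audit scripts, nor Aqua's), the two Docker-side recommendations above can be checked with a short script: rootless mode is visible in the `SecurityOptions` that `docker info` reports, and the containerd socket can be checked for root ownership and a mode no more permissive than 660. The socket paths are the usual Linux defaults and are assumptions for your host; the mode threshold is the one the benchmark uses for the Docker socket.

```python
"""Added example, not CIS or Docker code: checks in the spirit of CIS Docker Benchmark
v1.3 recommendations 2.1 (rootless daemon) and 3.23/3.24 (containerd socket ownership
and permissions)."""
import os
import stat
import subprocess
from typing import Tuple

# Default socket locations on a typical Linux host (assumed; adjust for your install).
CONTAINERD_SOCKET = "/run/containerd/containerd.sock"
DOCKER_SOCKET = "/var/run/docker.sock"


def is_rootless(security_options: str) -> bool:
    """True if the SecurityOptions list from `docker info` reports rootless mode.

    Feed it the output of:  docker info --format '{{.SecurityOptions}}'
    which looks like:       [name=seccomp,profile=default name=rootless name=cgroupns]
    """
    return any(opt.strip() == "name=rootless" for opt in security_options.strip("[]").split())


def check_socket(path: str, max_mode: int = 0o660,
                 want_uid: int = 0, want_gid: int = 0) -> Tuple[str, str]:
    """Return (status, detail) for a socket or file, where status is PASS, FAIL or SKIP.

    Ownership must be exactly want_uid:want_gid (root:root by default) and the
    permission bits must be a subset of max_mode, so 640 passes against 660 but
    666 or a setgid bit fails.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "SKIP", f"{path}: not present"
    if (st.st_uid, st.st_gid) != (want_uid, want_gid):
        return "FAIL", f"{path}: owned by {st.st_uid}:{st.st_gid}, want {want_uid}:{want_gid}"
    mode = stat.S_IMODE(st.st_mode)
    if mode & ~max_mode:
        return "FAIL", f"{path}: mode {mode:04o} is more permissive than {max_mode:04o}"
    return "PASS", f"{path}: {st.st_uid}:{st.st_gid} {mode:04o}"


def daemon_security_options() -> str:
    """Ask the local Docker daemon for its SecurityOptions; empty string if unavailable."""
    try:
        out = subprocess.run(["docker", "info", "--format", "{{.SecurityOptions}}"],
                             capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""
    return out.stdout if out.returncode == 0 else ""


if __name__ == "__main__":
    opts = daemon_security_options()
    print("2.1 rootless daemon:", "PASS" if is_rootless(opts) else "FAIL/UNKNOWN", opts.strip())
    for sock in (CONTAINERD_SOCKET, DOCKER_SOCKET):
        status, detail = check_socket(sock)
        print(f"3.23/3.24 {status} {detail}")
```

Run it as root on the host; when the daemon is rootless the sockets live under the user's `$XDG_RUNTIME_DIR` instead of the defaults above, and the expected owner is that user rather than root, so pass the user's uid and gid to `check_socket` in that case.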
Main changes in the CIS Kubernetes Benchmarks
As time goes on, the suite of benchmarks for Kubernetes distributions increases, with recent additions being Azure Kubernetes Service (AKS) and OpenShift. In addition to different benchmarks for specific distributions, another recent change is having version-specific general Kubernetes benchmarks, with a new benchmark released specifically for version 1.20.
This means that if you’re looking for a benchmark for a Kubernetes 1.16-1.19 cluster, the correct one to use is the Kubernetes Benchmark v1.6.1, and if you’re looking for a benchmark for a Kubernetes 1.20 cluster, the correct version is the Kubernetes v1.20 Benchmark v1.0.0. This may be slightly confusing, but hopefully as time goes by and more versioned benchmarks are released, it’ll be easier for people to find the appropriate one for their cluster.
In terms of additions to the new Kubernetes v1.20 Benchmark, there have been a couple of notable changes around how role-based access control (RBAC) is managed in your clusters.
- 1.7 – This has been added to address the use of the hard-coded system:masters group. The API server treats members of this group as superusers before RBAC is even consulted, and membership is usually conferred by a client certificate whose Organization is system:masters. Because Kubernetes has no certificate revocation, the only way to take that access back is to rotate the cluster's CA, so membership is very risky and should be avoided wherever possible.
- 1.8 – A new recommendation about avoiding grants of some special RBAC verbs that can allow for privilege escalation. While the impersonate verb (acting as another user, group or service account) is well-known, the escalate and bind verbs are less understood and can have serious security consequences if misused: escalate lets a subject add permissions to a role that the subject doesn't hold itself, and bind lets it create a binding to a role carrying permissions it doesn't hold.
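As an added example (not kube-bench's or the benchmark's own audit code), the two RBAC recommendations above can be audited from the JSON that `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json` produces: look for any binding whose subjects include the system:masters group, and for any role whose rules grant bind, escalate or impersonate. A wildcard verb is reported as well, since `*` includes all three. The sample input embedded below is constructed for the example and does not come from a real cluster.

```python
"""Added example, not kube-bench or CIS code: flag RBAC objects matching the two
patterns the CIS Kubernetes v1.20 Benchmark calls out (system:masters bindings and
the bind/escalate/impersonate verbs)."""
import json
from typing import Dict, List, Tuple

MASTERS_GROUP = "system:masters"
RISKY_VERBS = {"bind", "escalate", "impersonate"}


def _qualified_name(obj: Dict) -> str:
    """namespace/name for namespaced objects, bare name for cluster-scoped ones."""
    meta = obj.get("metadata", {})
    ns = meta.get("namespace")
    return f"{ns}/{meta['name']}" if ns else meta["name"]


def masters_bindings(items: List[Dict]) -> List[str]:
    """Names of RoleBindings/ClusterRoleBindings that list the system:masters group as a subject."""
    hits = []
    for obj in items:
        if not obj.get("kind", "").endswith("RoleBinding"):
            continue
        for subj in obj.get("subjects") or []:
            if subj.get("kind") == "Group" and subj.get("name") == MASTERS_GROUP:
                hits.append(_qualified_name(obj))
                break
    return hits


def risky_rules(items: List[Dict]) -> List[Tuple[str, str, str]]:
    """(role, verb, resource) triples where a Role/ClusterRole grants bind, escalate,
    impersonate, or the wildcard verb that implies all three."""
    findings = []
    for obj in items:
        if obj.get("kind") not in ("Role", "ClusterRole"):
            continue
        for rule in obj.get("rules") or []:
            verbs = set(rule.get("verbs", []))
            matched = (RISKY_VERBS & verbs) or ({"*"} & verbs)
            for verb in sorted(matched):
                for res in rule.get("resources", []):
                    findings.append((_qualified_name(obj), verb, res))
    return findings


def audit(kubectl_json: str) -> Tuple[List[str], List[Tuple[str, str, str]]]:
    """Run both checks over a `kubectl get ... -o json` document (a List with .items)."""
    items = json.loads(kubectl_json).get("items", [])
    return masters_bindings(items), risky_rules(items)


# Constructed sample shaped like kubectl's JSON output; not captured from a real cluster.
SAMPLE = json.dumps({"items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-edit", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
    {"kind": "ClusterRole", "metadata": {"name": "role-manager"},
     "rules": [{"apiGroups": ["rbac.authorization.k8s.io"],
                "resources": ["clusterroles"], "verbs": ["get", "bind", "escalate"]}]},
    {"kind": "Role", "metadata": {"name": "support", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["users"], "verbs": ["impersonate"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "everything"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "reader", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]})


if __name__ == "__main__":
    bindings, rules = audit(SAMPLE)
    for name in bindings:
        print(f"1.7 binding grants {MASTERS_GROUP}: {name}")
    for role, verb, res in rules:
        print(f"1.8 {role} grants {verb} on {res}")
```

One caveat on the 1.7 check: because the API server honours system:masters before RBAC runs, a client certificate issued with that Organization is a superuser whether or not any binding names the group, so this script only covers what the RBAC objects declare. Inspecting the subjects of issued client certificates (for example with `openssl x509 -noout -subject`) is a separate step.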
Getting involved with the CIS Benchmarks
A common question about the CIS Benchmarks is how do people get involved in creating and maintaining them. This is actually a really simple process. If you notice something in a benchmark that isn’t right, or you have an idea for a new area that the benchmarks should cover, you can sign up at the CIS Benchmark WorkBench site, join the community and start contributing.
Wrapping up
The CIS Benchmarks are an important part of the overall container security landscape, and maintaining them is a long-term effort. With the usual rapid pace of change in products such as Kubernetes, it’s important to update these documents regularly to keep them relevant and accurate.
kube-bench, Aqua’s open source tool for running the Kubernetes CIS Benchmark tests, already implements the new version of the benchmark to check whether Kubernetes is deployed securely.