OWASP Kubernetes Security Projects

As Kubernetes becomes more popular, organizations that focus on security are starting to expand their knowledge base and documentation to include it. OWASP is one such organization. OWASP has introduced a Kubernetes Security Cheat Sheet as well as two community-run projects (both in the incubation stage) that focus on improving security in Kubernetes clusters: the Kubernetes Top 10 and the Kubernetes Security Testing Guide.

In this article, we will explore some of the resources that OWASP provides, including the OWASP Top 10 list (which is what they are best known for), their Secure Coding Practices Quick Reference, and other up-and-coming projects in the Kubernetes space.

What – Or Who – Is OWASP?

According to OWASP.org,

“The Open Web Application Security Project^® (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.”

As mentioned in their intro, OWASP’s work falls into three categories:

• Tools and Resources
• Community and Networking
• Education & Training

The OWASP Top 10

The OWASP Top 10 is a widely respected and frequently cited list of the most high-risk areas that impact application security. The list is designed to be easily digested by developers. The most recent version, which was updated in 2021, includes the following:

• A01 Broken Access Control
• A02 Cryptographic Failures
• A03 Injection
• A04 Insecure Design
• A05 Security Misconfiguration
• A06 Vulnerable and Outdated Components
• A07 Identification and Authentication Failures
• A08 Software and Data Integrity Failures
• A09 Security Logging and Monitoring Failures
• A10 Server Side Request Forgery (SSRF)

OWASP Secure Coding Practices Quick Reference

The purpose of the OWASP Secure Coding Practices Quick Reference is to provide a technology-agnostic checklist that covers what needs to be considered from a security perspective when developing an application. At only 17 pages, it is definitely a quick reference. (In comparison, the CIS Kubernetes Benchmark is 254 pages.)

The idea behind the list is to focus on best practices, not specific vulnerabilities and threats. If you follow the secure coding practices it outlines, you shouldn’t be at risk for anything that appears on the OWASP Top 10. Still, performing additional checks and scans is always advisable because even the most diligent organizations can miss things.

The Secure Coding Practices Quick Reference is available for download on the main project page as a PDF or MS Word document. In addition to the English version, you can find Chinese, Korean, Portuguese, and Spanish translations.

OWASP Kubernetes Security Cheat Sheet

The Cheat Sheet Series is another project released under the OWASP umbrella. This project creates essential guides for many popular technologies and concepts. These guides address issues that need to be taken into consideration in order to deploy and run the technology securely. Along with topics as diverse as PHP, JSON, and Threat Modeling, the project has now published a cheat sheet on Kubernetes Security.

The Kubernetes Security Cheat Sheet starts with a basic overview of the Kubernetes architecture, followed by a section on securing components, and then three groups of best practices based on when you’ll use them. The best practices for the build phase cover foundational pieces like types of container images and registry scanning. The best practices for the deploy phase address areas including access control, when to use a service mesh, and even the value of namespaces. Finally, the best practices for the runtime phase include topics like logging, sandboxing, and rotating credentials, among many others.

OWASP Kubernetes Security Testing Guide

The Kubernetes Security Testing Guide is still in its incubation stage. The project’s mission is to “create a comprehensive manual for Kubernetes Cluster Security Assessment.” The current version of the guide is designed to provide a top-down approach to validating the security of a Kubernetes cluster, including information about all tools, techniques, and procedures that are needed to perform the assessment. It also contains a secondary deliverable in the form of a checklist that testers can use during an engagement to ensure they cover everything required.

The following sections of the testing guide highlight the kind of information that’s being correlated:

• Common Resources
• Kubernetes Threat Model
• Discovery

The OWASP Kubernetes Top 10

The OWASP Kubernetes Top 10 provides a prioritized list of the most common areas that should be addressed to secure the workloads running in a Kubernetes cluster. Below, we’ll list these areas and give a brief description of what each one entails.

K01:2022 Insecure Workload Configurations

The overall security context of a workload has a major impact on how much risk it presents to the entire cluster. Running containers with access to root file systems or with enhanced privileges adds risk where there doesn’t need to be any. Configuring a container’s security context so that it allows exactly the right access it needs to function and no more will prevent vulnerabilities that exist within the container from being used as stepping stones to gain access to core and critical systems.

K02:2022 Supply Chain Vulnerabilities

Developing a software implies various components, and the more components, the more vulnerabilities can appear. Establishing a solid and proven supply chain through a mix of approaches (including the creation of SBOMs and the use of only trusted providers) will drastically reduce the chances of introducing vulnerabilities in this way.

K03:2022 Overly Permissive RBAC Configurations

From a security point of view, setting access controls according to the principle of least privilege is always the best approach. OWASP details what’s available out of the box in Kubernetes and how to improve it.

K04:2022 Lack of Centralized Policy Enforcement

Having a centralized way to consistently push out security policies across all Kubernetes clusters in any given infrastructure is key to securing any environment.

K05:2022 Inadequate Logging and Monitoring

It’s essential to know which types of logs and metrics can and should be generated from all of your Kubernetes components and underlying infrastructure. These provide valuable insights that can potentially detect bad actors before they successfully exploit any existing vulnerabilities.

K06:2022 Broken Authentication Mechanisms

Authentication in Kubernetes is flexible by design. This flexibility, however, can present challenges when it comes to maintaining the best security profile. The best way to ensure that key components (like the API server) have proper access controls and are fully locked down is to follow best practices and use tools like Keycloak or Dex.

K07:2022 Missing Network Segmentation Controls

When running multiple distinct applications and services within a single cluster, it’s not a good idea to have a wide-open network. Using network segmentation with network policies or a full service mesh like Istio will provide a level of isolation and control that will minimize the attack surface.

K08:2022 Secrets Management Failures

Kubernetes uses something called secrets to store sensitive information (like an API key) in an obfuscated way to stop casual disclosure. There are several ways to protect secrets, such as using Role-Based Access Control (RBAC), limiting them to a single namespace, and encrypting data at rest. If necessary, there are enterprise-class tools (like Vault) that can supplement native secrets.

K09:2022 Misconfigured Cluster Components

There are a lot of moving pieces in even the simplest Kubernetes cluster. It’s considered good security hygiene to at least check that all your cluster components have sensible defaults in place. This will help improve the cluster’s security profile.

K10:2022 Outdated and Vulnerable Kubernetes Components

Once you’ve established a trusted software supply chain, you can then combine tools like Dependabot with approaches like GitOps to automatically update to the latest patch version of a package. This means that you’ll have the latest security fixes staged and ready to go into development and test environments, which will reduce the amount of time it takes between discovering that a vulnerability exists in an upstream component and rolling out the fix in production.

Next Steps

Now you know what is OWASP and what they offer for Kubernetes, but that’s not the end of the journey. There is still much to discover, and your next step could be learn how the OWASP Kubernetes Top 10 is applied.