> and encryption to protect confidentiality

Probably the hardest part about this. Private networks with private domains. Who runs the private CA, updates DNS records, issues certs, revokes, keeps the keys secure, embeds the keychain in every container's cert stack, and enforces validation?

That is a shit-ton of stuff to set up (and potentially screw up) which will take a small team probably months to complete. How many teams are actually going to do this, versus just terminating at the load balancer and everything in the cluster running plaintext?

Who scans the vulnerability scanners? Genuine question. How does the community/ecosystem solve this problem of auditability?

I am mostly non technical person but why do we need to resort to firewalls etc. if we can employ UNIX like file permission system for network access? Wouldn't it be awesome if we can allow any installed software to contact ONLY whitelisted domains? Of course this excludes web browsers but you get the idea.

How about our mainstream OSes incorporate that kind of permission system similar to what we have in mobile OSes already have today?

> - Use network separation to control the amount of damage a compromise can cause.

> - Use firewalls to limit unneeded network connectivity and encryption to protect confidentiality.

Are we still on this? Why isn't anyone pushing for zero trust? A concept made significantly easier to achieve thanks to container orchestration.

I do all those things in the pro version of my RBI (remote browser isolation) product, but i don't use k8s.

- Scan for vulns and misconfigs: I regularly update the underlying distro images, and use security scanning software to monitor dependencies, and regularly update them.

- Run with least privilege: I create a separate, temporary user account (no login, no shell) for each browser and service which has no elevated privileges, as well as run that browser and its service in a group and cgroup that restricts disk, bandwidth, CPU, and memory using block quotas, cgroups, tc, iptables and active monitoring and termination.

- Use network separation to isolate: RBI is basically a network isolation layer between the client (where the human interacts), and the server (where the browser actually runs.) I also don't have any privileges (service accounts, SSH keys, trusted IPs) on any of the machines and they're all single tenant and run inside GCE.

- Use firewalls to lock down connectivity + encryption: I use GCE firewall rules and iptables drop rules to block access to GCP metadata endpoints, as well as to other machines in the subnet. Also, every network request is encrypted (HTTP is https/TLS, WebSocket is wss/TLS, WebRTC is encrypted by default).

- Use strong auth to limit user access: For running the processes I use temporary users. For persistent browser sessions I use persistent users (either system native, or in a DB, always with bcrypt salted hashed passwords). For SaaS and resource control I use high entropy random API keys between each service layer. But I could improve my game for keeping secrets out of private git repos and separating code and config, ideally automatically. I could also improve my game to limit administrator access (right now I just have a single role, with God power, but I should create an admin role with power limited to a project, ideally even on a per-customer level).

- Use log autditing: I do this, but only manually, using various grepping and inspection of various logs, including last and lastb, as well as the service internal logs. This is likely something I could improve as well.

- Review all k8s settings: I don't use k8s or docker, just run services in this custom sandbox on GCE instances. I see that as both a way to limit attack service and complexity as well as minimize some overheads for maintenance and performance. In the longer term these things are worth exploring.

Thanks a lot for the TLDR. For more info on my RBI work check out https://github.com/i5ik/ViewFinder

We've actually already moved the official guidance from PSPs to OPA and that's what the primary DevSecOps reference implementation has used for about two months now.

"We" being the DoD, but our guidance is the NSA guidance. I'm not sure why it hasn't made it into the policy pdf, but the actual official IAC has been using OPA since April.

> Some useful guidance here, although worth noting that some of it is a bit dated.

Is there any digital security guidance from the feds that doesn't apply to? :)

In-tree replacement is coming in v1.22...as in, just a few weeks away. It uses admission controllers, just like OPA/Kyverno et al, hence the current guidance to use one of those.

PaaS solutions can't cover everything that PSP was covering though.

The DoD maintains its own registry of hardened container images they call the Iron Bank. I guess they can't issue guidelines to the general public that you should use these, but the DoD has to use them. Which kind of sucks, because they may be hardened, but they also break all the time because the people responsible for hardening them can't possibly understand all the myriad subleties involved in building and deploying software packaged with dependencies in the same way the actual software vendors do. They make some serious rookie mistakes, like just straight copying executables out of a Fedora image into a UBI images, which works perfectly fine when a brand-new UBI release happens and it's on the same glibc as Fedora, then immediately stops working and all your containers break when Fedora updates.

there are good free/oss container scanners. check out Trivy.—no reason not to use one.

This is a great point. And containers don't even really exist in the first place, so really there should be (at least one of) a family of docs about securing the various namespaces, cgroups etc in modern Linux releases, and a doc about how to secure them in combination with each other.

You don't use this guide as a bible but take it into account and compare with other common security advice in the field. If you get similar results it most likely a good list of advice.

This isn't for regular people, this is telling third parties what they need, in order for them to try to sell something to the nsa.

How did you (/they) come up with the name Polaris?

In general the NSA functions more like 2 agencies, one focused on the "red" side (hacking, breaking crypto, sigint stuff) and one focused on the "blue" side (protecting US assets from being hacked, developing better/new crypto, providing guidance on security).

Both sides are good at their jobs and for what it's worth, my understanding is that the blue side really does want to keep your shit from being hacked.

They've been doing that for at least a decade, but probably quite a bit longer. Here are their hardening guidelines for RHEL 5, from 2011:

https://apps.nsa.gov/iaarchive/library/ia-guidance/security-...

They have similar guidance for Windows, web browsers, industrial control systems, etc.

For what it's worth, SELinux originated from the R&D Labs of the NSA.

> Not sure I’ve ever read the NSA providing hardening guidance on anything before.

The NSA made SELinux, SHA-1, and SHA-256.

SHA-1 was specifically a slight change to SHA-0 that was unjustified at the time but over the next 3-5 years some attacks on SHA-0 that SHA-1 was not vulnerable to surfaced.

It's fine to trust them right up until they give you a magic number.

It's perfectly possible, laudable even, to read things with a healthy dose of salt and still expand your understanding.

I think this document gives a good general overview, often missing in the fast-paced, crowded and noisy Kubernetes landscape.

Like many large organizations, The government has many groups, often with many of them working to some extent against each other.

AES also has been blessed by the NSA, and I bet you use that extensively too - if you want to or not?

Reasonable. But then again they did come up with selinux and I haven't seen any backdoors in that.

not sure why you are downvoted. Completely agreed.

Keeping 0-days for yourself and making security standards weaker, will just weaken your standing.

Even if this information might be useful (and without backdoors or bad advice), I just cannot trust them (so I won't click on the link).

In terms of security, I trust the hacker community much more (going by ccc or other groups advice is definitely better).

Just search for ‘* awesome list’

https://github.com/magnologan/awesome-k8s-security

(Unaffiliated with above, just popped up for k8s hardening awesome list)

Wow that's dumb. I've done some reading on 3d computational geometry for hobbyist game engine reasons, and in my admittedly limited experience, very few of the algorithms involved are intuitive enough to be derivable in an interview setting.

This sucks -- it is a lose-lose situation. I've seen this kind of thing happen all too often.

You interview them as well. You give me dumb, unrelated coding questions - you are out.

Yes but in most circumstances, quick security is better than linear security; not sure about bubble security though.

Thanks! Yeah, articles like this I would have studies in greater detail in the past but this year I realize In need to improve my leetcode/algo times so long term I'll keep focused on security and important topics. But in the meantime ... time to zig-zag a binary tree :(

At my company the head of security is also the chief programmer. Not sure if that's a good thing but he's got 30 years experience and likes to tell war stories.

There was a famous case about 6 years ago where Google didn't hire the author of Homebrew because he couldn't whiteboard a leetcode type question. He posted to Twitter, then it was discussed heavily on tech sites:

https://www.reddit.com/r/programming/comments/39d0u1/google_...

In my opinion the problem has gotten worse. I spoke with a former Microsoft Product Manager early this year and he mentioned "Highly experienced engineers give the worst interviews" .. based on the current environment. He mentioned it's because the questions that come up are stuff people learned 20 years ago and never used in real-life.

I was invited by several FAANG companies this year to interview and did one interview (and turned down others) but had to cram for 2 months doing leetcode.

I realize it's a game but have mixed feelings. I think the interviews are bad if it's the only option but part of me knows the interview process is so bad it will likely discourage people from being Software Engineers and keep salaries high for many more years.

Leetcode is an algorithm-driven hiring preparation website

leetcode is a website that acts as a programming dojo of sorts where programmers can prove their skill in a measurable way and thus increase their odds of being hired.

Employers use it to loosely gauge a programmer's basic skill level, as well as their competency to think clearly and cleverly.

It has its pros and cons.

> If so, then the effort of hardening is very similar. It doesn't really matter where you do it.

Nope. If the clusters are separate it limits how damaging a compromise of the cluster is. This is why cloud providers don’t stick you on the same k8s cluster as another tenant.

> Multiple clusters may have a smaller blast radius, but will have a larger attack surface. Things may be shared between them (accounts? network tunnels? credentials to a shared service?) in which case an intrusion in one puts everyone else at risk.

It’s not really clear what you’re trying to say here. If someone compromises credentials shared between all clusters that’s the same as compromising credentials used by one mega cluster.

The one benefit you get is protection from bugs in Kubernetes itself and a reduced blast radius. Even if you could produce a secure and H/A cluster, you still leave yourself open to Kubernetes bugs and configuration mistakes such as adding a network policy that blocks all communication across all namespaces.

Multiple clusters protects you from these types of configuration mistakes by reducing the blast radius and providing an additional landing zone to roll out changes over time.

Except for security and fault isolation of course.

>a single cluster correctly

Can you elaborate?

"Nauarch, in ancient Greece, an admiral or supreme commander of the navy, used as an official title primarily in Sparta in the late 5th and early 4th centuries bc." - google cites britannica (!)

Cluster-as-a-Service :-)

Hive for OpenShift [0] - Provisioning of the K8s Fleet

Advanced Cluster Management [1] - Management of the K8s Fleet

[0] https://cloud.redhat.com/blog/openshift-hive-cluster-as-a-se...

[1] https://cloud.redhat.com/products/advanced-cluster-managemen...

[Disclosure: I'm an IBMer]

One of the several tools in this space is called Admiralty:

https://caylent.com/kubernetes-cluster-federation-with-admir...

Google says the Greek for that is Ναυαρχείο. Now if you see a product named Navarxeio or Navarcheio, you'll know what it is.

It exists, sort of.

https://cluster-api.sigs.k8s.io/

Rancher.

This is how GKE Anthos works on prem

I get a "cannot find requested file" page when trying to get the actual file. The IAD library stopped being updated in 2018 and the link has apparently bitrotted. Cryptome still has a copy, FWIW [0].

Having said that, the last thing I tried implementing from the NSA was a simple systemd service to disable ptrace [1]. The provided service definition had at least three errors, and the instructions themselves were incomplete. Not exactly a confidence builder, but I'll take a look at this one so thank you.

[0] https://cryptome.org/2016/01/nsa-16-0114.pdf

[1] https://media.defense.gov/2019/Jul/16/2002158062/-1/-1/0/CSI...

To add to this, GP: it is enough to simply state facts and how they influence your opinion.

No individual can speak for all readers here on how they view this agency. Attempting to weakens the comment.

Yes, there is a logical fallacy here. Yet, that does not mean that the initial comment doesn't have a point.

(that's another logical fallacy ...) https://www.logicallyfallacious.com/logicalfallacies/Argumen...