# Implementing NSA/CISA Kubernetes Hardening Guidance

By [Paul Fox](https://www.paloaltonetworks.com/blog/author/paul-fox/?ts=markdown "Posts by Paul Fox"), Oct 06, 2021, 5 minutes

[Cloud Computing](https://www.paloaltonetworks.com/blog/category/cloud-computing-2/?ts=markdown) [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown) [Federal](https://www.paloaltonetworks.com/blog/tag/federal/?ts=markdown) [Kubernetes](https://www.paloaltonetworks.com/blog/tag/kubernetes/?ts=markdown)

On August 3, 2021 the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released the [Kubernetes Hardening Guidance](https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF) Cybersecurity Technical Report. The document, which is intended for wide distribution, details common threats to Kubernetes environments and provides configuration guidance to minimize the risks they present.

We have independently reviewed the report and produced a whitepaper that explains at length how to implement the guidance using Palo Alto Networks technologies. We invite you to download the paper, [Implementing NSA/CISA Kubernetes Hardening Guidance with Prisma Cloud](https://www.paloaltonetworks.com/resources/whitepapers/implementing-nsa-cisa), to familiarize yourself with the best practices outlined in the report and to understand how Prisma Cloud, the industry's only comprehensive Cloud Native Security Platform, supports a defense-in-depth approach.

### Why NSA and CISA Created Guidance for Kubernetes

[Kubernetes](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes) is a portable, extensible platform for managing [containerized workloads](https://www.paloaltonetworks.com/cyberpedia/containerization) and services. It has seen a meteoric rise since its 1.0 release in 2015, and today Kubernetes deployments, called clusters, run in almost every computational environment imaginable: managed Kubernetes services offered by public cloud service providers, isolated and classified environments, on-premises datacenters and bare metal. Kubernetes powers some of the internet's most widely used applications. This popularity is driven, in large part, by its ability to manage computational resources rapidly and automatically (i.e., scale up or down based on demand). But because it is so widely used, and because it has so many moving parts, Kubernetes deployments have become a large target for cybercriminals.
As [federal organizations continue to adopt cloud native development methodologies](https://cloud.cio.gov/strategy/), they need a standardized set of recommendations for managing these security challenges. The NSA/CISA Kubernetes Hardening Guidance describes the security challenges administrators will likely face when setting up and securing a Kubernetes cluster, and lists strategies for hardening development pipelines. While it is primarily intended to guide system administrators and developers of National Security Systems, the recommendations apply to any Kubernetes environment.

### How Prisma Cloud Aligns with NSA/CISA Guidance on Kubernetes

Palo Alto Networks developed Prisma Cloud, a [cloud native security platform](https://www.paloaltonetworks.com/cyberpedia/what-is-a-cloud-native-security-platform), to consolidate what had previously been disparate functionality for securing cloud native applications and development pipelines. Among other functions, it combines tools for cloud visibility and governance with specialized protections for containerized application development, including Kubernetes. The platform can be delivered as SaaS or, more importantly for federal organizations, self-hosted, and thus deployed in isolated or air-gapped environments. Prisma Cloud is purpose built for cloud native security and is structured to support the best practices outlined in the NSA/CISA guidance. It is also a FedRAMP authorized software-as-a-service (categorized for moderate impact). The following are a few examples of existing Prisma Cloud capabilities that align with the NSA/CISA guidance.

### Kubernetes Pod Security

[Cloud Workload Protection](https://www.paloaltonetworks.com/prisma/cloud/cloud-workload-protection-platform) delivers holistic protection across hosts, containers, and serverless deployments in any cloud, throughout the application lifecycle, including in isolated environments.
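As an added example, not code from the original post and not Prisma Cloud's own policy engine, the following Python script performs the kind of pod-level check the NSA/CISA report calls for, evaluating a Pod manifest the way a blocking admission policy would, before the kubelet starts anything. It goes beyond the single non-root rule to the other pod-hardening items in the report (privileged containers, host namespaces, privilege escalation, immutable root filesystem, dropped capabilities, seccomp, and automounted service-account tokens, which are the credential an attacker inside a pod reaches for first). The two manifests, the registry name and the namespace are constructed for illustration. One caveat the check encodes: "runs as root" cannot always be read off a manifest, because when neither `runAsNonRoot` nor `runAsUser` is set the image's `USER` directive decides, so that case is flagged rather than assumed safe.

```python
"""Pod-hardening check in the spirit of the NSA/CISA Kubernetes Hardening Guidance.

Added example, not Prisma Cloud code. Manifests below are constructed; the
registry and namespace names are hypothetical. check_pod() returns findings,
is_admissible() is the verdict a blocking policy would give.
"""
from typing import Any, Dict, List

Manifest = Dict[str, Any]

# Constructed "before" manifest: privileged, on the host network, no other
# security context, default service-account token mounted, floating tag.
WEAK_POD: Manifest = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-weak", "namespace": "demo"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "web",
            "image": "registry.example.internal/web:latest",
            "securityContext": {"privileged": True},
        }],
    },
}

# Constructed "after" manifest applying the report's pod-hardening items.
HARDENED_POD: Manifest = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-hardened", "namespace": "demo"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "web",
            "image": "registry.example.internal/web:1.4.2",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


def check_pod(pod: Manifest) -> List[str]:
    """Return a list of findings; an empty list means the pod passes."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")

    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            findings.append(f"{name}: {ns} is enabled (shares a host namespace)")
    # Kubernetes defaults automountServiceAccountToken to true.
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"{name}: service account token is auto-mounted")

    for c in spec.get("initContainers", []) + spec.get("containers", []):
        cname = f"{name}/{c.get('name', '<unnamed>')}"
        sc = c.get("securityContext", {})
        # Container-level securityContext fields override pod-level ones.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))

        if run_as_user == 0:
            findings.append(f"{cname}: runAsUser 0 (explicit root)")
        elif not run_as_non_root and run_as_user is None:
            # Neither field set: the image's USER directive decides, which an
            # admission check cannot see, so treat it as a finding.
            findings.append(f"{cname}: may run as root (no runAsNonRoot/runAsUser)")
        if sc.get("privileged"):
            findings.append(f"{cname}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):  # API default is true
            findings.append(f"{cname}: allowPrivilegeEscalation not disabled")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{cname}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{cname}: capabilities not dropped (drop: [ALL])")
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{cname}: no seccomp profile")
        image = c.get("image", "")
        # Last path component must carry a tag or digest, and not ':latest'.
        if image.endswith(":latest") or ":" not in image.rsplit("/", 1)[-1]:
            findings.append(f"{cname}: image {image!r} is unpinned")
    return findings


def is_admissible(pod: Manifest) -> bool:
    """Verdict of a blocking policy: admit only a pod with no findings."""
    return not check_pod(pod)


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print("ADMIT" if is_admissible(pod) else "DENY", pod["metadata"]["name"])
        for finding in check_pod(pod):
            print("  -", finding)
```

Run it directly to print the verdict for both manifests. Because `check_pod` returns the findings rather than printing them, the same function can sit behind a CI step that fails the build, or behind a validating webhook that denies the request, which is the alert-versus-block distinction the pre-built policies expose.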
The platform is API-enabled and protects cloud workloads regardless of the underlying compute technology or operating environment, including Kubernetes. For example, the NSA/CISA guidance encourages developers to build containers that execute as a non-root user. Within Prisma Cloud, you can turn on pre-built security policies to alert on and/or block the instantiation of containers attempting to run as root.

![Turning on pre-built policies within Prisma Cloud](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/10/graphical-user-interface-application-description.png)

Turning on pre-built policies within Prisma Cloud

![An error message within the developer environment, generated by a pre-built Prisma Cloud policy](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/10/text-description-automatically-generated.png)

An error message within the developer environment, generated by a pre-built Prisma Cloud policy

### Protecting Sensitive Cloud Infrastructure

A significant number of [Kubernetes](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes) clusters run on public cloud service provider (CSP) environments (e.g., Amazon Web Services, Google Cloud, Microsoft Azure). A complete defense-in-depth approach to securing Kubernetes requires that you first secure your implementation of the CSP's own services. The [cloud security posture management (CSPM)](https://www.paloaltonetworks.com/cyberpedia/what-is-cloud-security-posture-management) functionality within Prisma Cloud provides visibility and control over the security posture of every cloud resource, regardless of the CSP.

### Network Separation and Hardening

As mentioned, organizations benefit most from a comprehensive approach to securing Kubernetes clusters, including at the network level.
Depending on your particular architecture, the Palo Alto Networks [VM-Series](https://www.paloaltonetworks.com/prisma/vm-series) and [CN-Series](https://www.paloaltonetworks.com/network-security/cn-series) Next-Generation Firewalls are both well suited to monitoring and protecting all communications traveling in and out of the cluster.

![A simplified Kubernetes architecture with VM-Series and CN-Series overlaid](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/10/diagram-description-automatically-generated.png)

A simplified Kubernetes architecture with VM-Series and CN-Series overlaid

### Industry Leadership

Our team has been deeply involved in container security for many years. Palo Alto Networks is a member of the Cloud Native Computing Foundation's [Governing Board](https://www.cncf.io/people/governing-board/), and we were a major contributing author to the National Institute of Standards and Technology [Special Publication 800-190, Application Container Security Guide](https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-190.pdf). In addition, the [Palo Alto Networks Unit 42](https://unit42.paloaltonetworks.com/category/unit-42/) cloud threat team actively researches emerging threats so that Prisma Cloud offers the latest protections. For example, the team recently discovered [Hildegard](https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/), malware that attempts to discover and collect Kubernetes service account tokens during its credential access phase.
![Illustrating attack paths used with the Hildegard malware](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/10/a-picture-containing-text-indoor-screenshot-des.png)

Illustrating attack paths used with the Hildegard malware

As [microservice-based](https://www.paloaltonetworks.com/cyberpedia/what-are-microservices) attacks are uncovered, our guidance and platform capabilities are updated automatically to help secure your environments without additional effort.

### Read All About It

The integrated Prisma Cloud platform enables security operations and [DevOps](https://www.paloaltonetworks.com/cyberpedia/what-is-devops) teams to stay agile, collaborate effectively and accelerate cloud native application development and deployment across hybrid and multi-cloud architectures, including isolated and air-gapped environments. We invite you to download the [Implementing NSA/CISA Kubernetes Hardening Guidance with Prisma Cloud](https://www.paloaltonetworks.com/resources/whitepapers/implementing-nsa-cisa) whitepaper to learn more about Kubernetes security best practices and how Prisma Cloud is uniquely positioned to implement them.