Tanzu Kubernetes Grid Compliance and Hardening recommends a baseline security posture for an environment on which you deploy Tanzu Kubernetes Grid (TKG) with management clusters and provides guidance for hardening TKG to achieve Authority to Operate (ATO).
TKG releases are continuously validated against the Defense Information Systems Agency (DISA) Kubernetes Security Technical Implementation Guide (STIG), NSA/CISA Kubernetes Hardening Guide, and the National Institute of Standards and Technology (NIST) guidelines.
The information in Tanzu Kubernetes Grid Compliance and Hardening only applies to Tanzu Kubernetes Grid with standalone management clusters. If you are using TKGS with vSphere Supervisor (formerly known as vSphere with Tanzu), see the vSphere with Tanzu STIG Hardening Reports.
Disclaimer
Following the hardening guidance provided in this document may not be effective in all cases and could impact the functionality of your software and applications. It is your responsibility to test STIG settings and hardening results to ensure that your application still functions properly as it maintains system security.
Intended audience
This publication is intended for the Information System Security Officer/Manager (ISSO/ISSM) who is responsible for implementing security controls. Its content enables the ISSO/ISSM to understand and authorize best-practice decisions, develop security plans, and perform risk analysis.
This publication also links to hardened images and security updates, for use by security administrators.
Risk management framework
The Risk Management Framework (RMF) provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development lifecycle. The diagram below shows the RMF workflow that you would follow to reach ATO.
To facilitate the RMF process and the creation of your accreditation package, VMware supports the following steps and provides artifacts for them as shown below.
Implement
The following topics cover how-to information for hardening TKG clusters to address STIG and NSA/CISA standards, hardening results and exceptions, and artifacts you can use to achieve your compliance goals.
- STIG and NSA/CISA Hardening
- STIG Results and Exceptions
- CIS Results and Exceptions
- NIST 800-53 Inheritance Model (.xlsx)
  - This model applies to TKG v2.1-v2.2.
For STIG compliance, the method you use to harden your cluster depends on whether the cluster is class-based or plan-based. For information about class-based and plan-based clusters, see Workload Cluster Types in the Tanzu Kubernetes Grid documentation.
Assess
TKG is hardened to the following STIG benchmarks:
During the RMF Assess step, cybersecurity personnel can use mitigation and control text from the following checklists (.ckl) to fill out their accreditation package. This data represents VMware best practices, and your individual implementation may differ. Verify all security settings in your production environment to support the functionality of your system.
Results of hardening TKG to VMware best practices
The following checklist files align to VMware security best practices:
- Ubuntu 20.04 STIG checklist
- Control plane Kubernetes STIG checklist
- Worker node Kubernetes STIG checklist
These checklists apply to TKG v2.1-v2.5.
Mitigation for current open findings
The following exceptions and control responses provide mitigations for open findings:
- STIG Exceptions with OS Hardening
- STIG Exceptions with Kubernetes Hardening
- Control text summary information IAW NIST 800-53 (.xlsx)
  - This information applies to TKG v2.1-v2.5.
Ports
For information about ports, see Ports, Protocols, and Services Management (PPSM).
Monitor
VMware continuously monitors its products for security-relevant events and configuration changes that negatively affect security posture. For security updates, see the TKG release notes.