KubernetesOverview
A container-optimized OS is an operating system image that is designed for secure managed hosting of containers on compute instances.
Use cases for container-optimized OSes might include:
- Docker container or Kubernetes support with minimal setup.
- A small-secure container footprint.
- An OS that is tested, hardened, and verified for running Kubernetes nodes in your compute instances.
Rationale
Container-optimized OSes have a smaller footprint which will reduce the instance's potential attack surface. The container runtime is pre-installed and security settings like locked-down firewall are configured by default. Container-optimized images may also be configured to automatically update on a regular period in the background.
Impact
A container-optimized OS may have limited or no support for package managers, execution of non-containerized applications, or ability to install third-party drivers or kernel modules. Conventional remote access to the host (i.e. ssh) may not be possible, with access and debugging being intended via a management tool.
Audit
If a container-optimized OS is required examine the nodes in EC2 and click on their AMI to ensure that it is a container-optimized OS like Amazon Bottlerocket; or connect to the worker node and check its OS.
References
Remediation guidance
Depending on the provider and service that you use, check out the following resources:
AWS
- You can launch Auto Scaling groups of Bottlerocket nodes that register with your Amazon EKS cluster. After the nodes join the cluster, you can deploy Kubernetes applications to them. For more information, see Launching self-managed Bottlerocket nodes
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Kubernetes
Use admission policies, baseline cluster configuration, GitOps templates, and namespace or workload guardrails so new deployments follow the control by default.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Kubernetes nodes without container-optimized OS
Connectors
Covered asset types
Expected check: eq []
{
kubernetesNodes(where: { osImage_NOT_STARTS_WITH: "Bottlerocket" }) {
...AssetFragment
}
}
