Kubernetes (K8s) has become the de facto standard for container orchestration. In federal environments where FedRAMP (Federal Risk and Authorization Management Program) is mandated, you cannot deploy your Kubernetes clusters without ensuring they meet all its requirements.
In this post, we will explore FedRAMP and how to implement FedRAMP guidelines for your Kubernetes clusters.
What we’ll cover:
FedRAMP establishes standardized security requirements for cloud-native services used by government agencies. It is a US-based government-wide program built on NIST Special Publications, specifically NIST SP 800-53 for system control and NIST SP 800-37 for risk management.
How does FedRAMP impact your Kubernetes clusters?
In FedRAMP, your infrastructure must comply with the security requirements imposed by the program, and that includes Kubernetes. Your Kubernetes clusters must adhere to policies around:
- Access control – Who or what can interact with the K8s cluster’s API and its pods
- System and information integrity – Secure container images, admission controllers, and runtime security measures implementation
- Audit and accountability – Comprehensive logging and monitoring of all K8s activities, from API server requests to network traffic
- Risk assessment – Continuous vulnerability scanning of all your K8s infrastructure, container images, and even deployed applications
- Incident response – A formal process for detecting, responding to, and recovering from security incidents that affect your K8s clusters
- Configuration management – How manifests, Helm charts, and operator configurations are versioned and deployed
To align Kubernetes with FedRAMP compliance, prioritize the following security best practices:
- Secure container images
- Harden your Kubernetes control plane
- Apply network segmentation and enforce traffic policies
- Control deployments with Admission Controllers
- Maintain pod and namespace isolation
- Enforce pod security standards
- Implement cluster runtime security and continuous monitoring
Ensuring FedRAMP compliance begins with how you build and store the underlying container images used by your K8s clusters. Always start from minimal base images, implement a secure supply chain that uses signed images from a secure registry, and include continuous vulnerability scanning with tools like Trivy, Clair, or the Anchore Engine.
Here is an example Trivy scan that shows you the vulnerabilities identified in your image:
$ trivy image registry.example.gov/myapp:1.2.3
HIGH: CVE-2023-4911 (glibc buffer overflow)
CRITICAL: CVE-2023-38545 (curl heap buffer overflow)
Total: 2 vulnerabilities (1 HIGH, 1 CRITICAL)To ensure the security of your container images, you should implement a CI/CD pipeline for building and pushing them. A mandatory step for that pipeline in FedRAMP is to scan your images for vulnerabilities before pushing them to the registry you are using.
You also need an independent scan job that runs against the images in your registry to discover new vulnerabilities.
To harden your K8s control plane, start by implementing the CIS Kubernetes Benchmark, which provides guidelines for implementing powerful security measures. You should enable audit logging for your API server to capture all requests and responses, and ensure you implement the required verbosity level.
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: RequestResponse
resources:
- group: ""
resources: ["pods", "services", "secrets"]
- group: "apps"
resources: ["deployments", "replicasets"]To ensure your Kubernetes cluster follows FedRAMP guidelines, you should always implement network policies to control traffic between your K8s resources, such as pods, namespaces, and even external services.
You should start with deny policies and use explicit allow rules for required communications.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: production
spec:
podSelector: {}
policyTypes:
- Ingress
- EgressIn addition to network policies, you should use service meshes like Istio or Linkerd to implement mTLS between your services, providing encryption and authentication for all service communication.
With these tools, you address FedRAMP requirements for implementing protection for data in transit.
FedRAMP environments require strict policy enforcement to reduce misconfigurations. In Kubernetes, you can use admission controllers either by using OPA/Gatekeeper or by leveraging solutions like Kyverno to enforce rules at object creation time.
This example creates a constraint template that verifies the image’s signature:
package k8simageintegrity
deny[msg] {
container := input.review.object.spec.containers[_]
image := container.image
not signatureVerified(image)
msg := sprintf("Container image %v is not signed or trusted", [image])
}If you are unfamiliar with OPA’s language, Rego, and you don’t want to learn it, there are many examples you can use.
Kyverno uses YAML to define policy, and you can use this instead. In this example, we are ensuring that images cannot use the :latest tag.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag
spec:
validationFailureAction: enforce
rules:
- name: validate-image-tag
match:
resources:
kinds:
- Pod
validate:
message: "Using ':latest' tag is not allowed. Use a specific image tag instead."
pattern:
spec:
containers:
- image: "!*:latest"Isolation is one of the most important cornerstones of FedRAMP. Isolating your environments minimizes the blast radius.
To implement isolation, you can take advantage of Kubernetes RBAC by defining granular roles and cluster roles, creating service accounts with minimum necessary permissions, and using different namespaces to isolate your workloads.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: fedramp-operator-read-only
labels:
purpose: "fedramp-readonly"
rules:
- apiGroups: [""]
resources:
- pods
- services
- endpoints
- configmaps
- secrets
- persistentvolumeclaims
- namespaces
verbs:
- get
- list
- watchFor example, the above ClusterRole lets you read all core objects in all namespaces.
Implementing pod security standards gives you a more straightforward approach to securing your container workflows. Implementing these at the namespace level allows you to enforce security measures easily across all the pods that are deployed in that particular namespace.
apiVersion: v1
kind: Namespace
metadata:
name: secure-workloads
labels:
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/warn: restrictedIn the example above, we are using the restricted policy profile to enforce non-root containers, read-only file systems, and other security best practices. This feature is available from Kubernetes 1.23, and the policies here are also versioned, so you can easily use different versions by passing labels like this:
pod-security.kubernetes.io/enforce-version: v1.33Responding to anomalous behavior immediately is a prerequisite in FedRAMP. For Kubernetes, this means that you should take action fast if something is happening with your pods.
Falco is a CNCF project that helps you with runtime security, by identifying suspicious activity and detecting policy violations in real time:
- rule: Privilege Escalation Detected
desc: Detect attempts to escalate privileges
condition: >
spawned_process and
proc.name in (sudo, su, doas) and
container
output: >
Privilege escalation attempt detected (user=%user.name command=%proc.cmdline
container=%container.name image=%container.image.repository)
priority: CRITICALIn the example above, we have a rule that detects if any privilege escalations are happening for your pods. By integrating Falco alerts with Slack or PagerDuty, you detect violations immediately.
By leveraging tools such as Grafana, Prometheus, or the ELK stack, you ensure continuous monitoring is in place, and any deviation from FedRAMP requirements can be easily detected before it becomes a critical finding.
It’s also important to ensure that your Kubernetes nodes are enforced with AppArmor, SELinux, or Seccomp policies. By using these, you provide kernel-level protection that complements Kubernetes’ built-in security features.
To achieve FedRAMP compliance, it’s not enough to implement everything we’ve discussed: In addition to appropriate tools and processes, there must be a cultural shift toward a shared security responsibility. Development teams should be aware of how their code affects security, and operations teams need to provide guardrails that enable secure development practices.
Your Kubernetes operations don’t have to sacrifice agility to achieve FedRAMP compliance. You just need the proper products, tools, and processes to help you do so. This requires discipline, automation, comprehensive monitoring, and collaboration across all teams involved in the platform.
Spacelift is a one-stop shop for provisioning, configuring, and orchestrating your entire infrastructure. With Spacelift’s self-service capabilities, you can ensure the speed your development teams need without sacrificing control.
This, combined with the OPA engine, the vast variety of examples available for securing your infrastructure, collaboration features, and dependency workflows with shareable outputs, equips you with everything you need to shift to a shared security vulnerability.
As a fintech with strict compliance and security requirements, Airtime Rewards appreciates how Spacelift policies enable the company to leverage the benefits of CI/CD — but with guardrails. Spacelift utilizes OPA to support a range of policy types, enabling Airtime Rewards to codify its rules and decision-making to execute them in an automated way.
Achieving FedRAMP for Kubernetes is a strict process, but it doesn’t have to be excessively difficult. With the right combination of tools, processes, and cultural practices, your Kubernetes clusters can deliver the scalability and efficiency you need while meeting all FedRAMP requirements.
If you are looking for a product that can help you achieve FedRAMP for provisioning, configuring, and container orchestration, Spacelift can help. Create a free account or book a demo with one of our engineers to learn more.
Solve your infrastructure challenges
Spacelift is a flexible orchestration solution for IaC development. It delivers enhanced collaboration, automation, and controls to simplify and accelerate the provisioning of cloud-based infrastructures.
