Book Image

The Kubernetes Book

By : Nigel Poulton, Pushkar Joglekar
Book Image

The Kubernetes Book

By: Nigel Poulton, Pushkar Joglekar

Overview of this book

Kubernetes is the leading orchestrator of cloud-native apps. With knowledge of how to work with Kubernetes, you can easily deploy and manage applications on the cloud or in your on-premises data center. The book begins by introducing you to Kubernetes and showing you how to install it. You’ll learn how to use Kubernetes Services and bring stable and reliable networking to apps that are deployed on Kubernetes. You'll delve deep into the powerful storage subsystem of Kubernetes and learn how to leverage the variety of external storage backends in your applications. As the book progresses, it shows you how to use features such as DaemonSets, Helm, and RBAC to enhance your Kubernetes applications. You'll explore the six categories of identifying vulnerabilities and look at a few ways to prevent and mitigate them. You'll also look at ways to secure the software delivery pipeline by discussing some image-related best practices. The book ends by sharing with you some resources that’ll help take your Kubernetes knowledge to the next level. By the end of the book, you’ll have the confidence and skills to leverage all the features of Kubernetes to develop scalable applications.
Table of Contents (23 chapters)
Free Chapter
1
Chapter 1
3
Chapter 2
5
Chapter 3
7
Chapter 4
9
Chapter 5
11
Chapter 6
13
Chapter 7
15
Chapter 8
17
Chapter 9
19
Chapter 10
21
Chapter 11

Real-World Example

A great example of a container-related vulnerability, which can be prevented by implementing some of the best practices we've discussed, occurred in February 2019. CVE-2019-5736 allows a container process running as root to escape its container and gain root access to the host and all containers running on that host.

As dangerous as the vulnerability is, the following things that we covered in this chapter would've prevented the issue:

  • Vulnerability scanning
  • Not running processes as root
  • Enabling SELinux

As the vulnerability has a CVE number, security scanning tools would've found it and alerted on it. Also, organizations that did not allow container processes to run as root will have been protected, as the issue only affects processes running as root. Finally, common SELinux policies, such as those that ship with RHEL and CentOS, prevented the issue.

All in all, this is a great real-world example of the benefits of defence...