Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Learning Kubernetes Security
  • Table Of Contents Toc
Learning Kubernetes Security

Learning Kubernetes Security - Second Edition

By : Raul Lapaz
Buy this Book
close
close
Learning Kubernetes Security

Learning Kubernetes Security

By: Raul Lapaz
Buy this Book

Overview of this book

With readily available services, support, and tools, Kubernetes has become a foundation for digital transformation and cloud-native development, but it brings significant security challenges such as breaches and supply chain attacks. This updated edition equips you with defense strategies to protect your applications and infrastructure while understanding the attacker mindset, including tactics like container escapes and exploiting vulnerabilities to compromise clusters. The author distills his 25+ years of experience to guide you through Kubernetes components, architecture, and networking, addressing authentication, authorization, image scanning, resource monitoring, and traffic sniffing. You’ll implement security controls using third-party plugins (krew) and tools like Falco, Tetragon, and Cilium. You’ll also secure core components, such as the kube-apiserver, CoreDNS, and kubelet, while hardening images, managing security contexts, and applying PodSecurityPolicy. Through practical examples, the book teaches advanced techniques like redirecting traffic from misconfigured clusters to rogue pods and enhances your support incident response with effective cluster monitoring and log analysis. By the end of the book, you'll have a solid grasp of container security as well as the skills to defend your clusters against evolving threats.
Table of Contents (18 chapters)
close
close
close
Preface
Icon
Preface
Icon
Who this book is for
Icon
What this book covers
Icon
To get the most out of this book
Icon
Get in touch
Icon
Stay relevant in a rapidly changing cybersecurity world – join 65,000+ SecPro subscribers
Lock Free Chapter
1
Kubernetes Architecture
chevron up
Icon
Kubernetes Architecture
Icon
Microservices model
Icon
Evolution from Docker to Kubernetes
Icon
What is Kubernetes?
Icon
Kubernetes components
Icon
The Kubernetes interfaces
Icon
Kubernetes objects
Icon
Kubernetes alternatives
Icon
Cloud providers and managed Kubernetes
Icon
Why worry about Kubernetes security?
Icon
Summary
Icon
Further reading
2
Kubernetes Networking
Icon
Kubernetes Networking
Icon
Overview of the Kubernetes network model
Icon
Technical requirements
Icon
Communicating inside a Pod
Icon
Communicating between Pods
Icon
Introducing the Kubernetes service
Icon
Introducing the CNI and CNI plugins
Icon
Summary
Icon
Further reading
3
Threat Modeling
Icon
Threat Modeling
Icon
Introduction to threat modeling
Icon
Component interactions
Icon
MITRE ATT&CK framework
Icon
Threat actors in Kubernetes environments
Icon
Threats in Kubernetes clusters
Icon
Threat modeling application in Kubernetes
Icon
Summary
Icon
Further reading
Icon
Subscribe to _secpro – the newsletter read by 65,000+ cybersecurity professionals
4
Applying the Principle of Least Privilege in Kubernetes
Icon
Applying the Principle of Least Privilege in Kubernetes
Icon
The principle of least privilege
Icon
The least privilege of Kubernetes subjects
Icon
The least privilege for Kubernetes workloads
Icon
Summary
Icon
Further reading
5
Configuring Kubernetes Security Boundaries
Icon
Configuring Kubernetes Security Boundaries
Icon
Introduction to security boundaries
Icon
Security boundaries versus trust boundaries
Icon
Kubernetes security domains
Icon
Kubernetes entities as security boundaries
Icon
Security boundaries in the system layer
Icon
Security boundaries in the network layer
Icon
Summary
Icon
Further reading
6
Securing Cluster Components
Icon
Securing Cluster Components
Icon
Technical requirements
Icon
Securing kube-apiserver
Icon
Securing kubelet
Icon
Introduction to kubeletctl
Icon
Securing etcd
Icon
Securing kube-scheduler
Icon
Securing kube-controller-manager
Icon
Securing CoreDNS
Icon
Benchmarking a cluster’s security configuration
Icon
Summary
Icon
Further reading
7
Authentication, Authorization, and Admission Control
Icon
Authentication, Authorization, and Admission Control
Icon
The request workflow in Kubernetes
Icon
Kubernetes authentication
Icon
Kubernetes authorization
Icon
Admission controllers
Icon
Introduction to OPA
Icon
Summary
Icon
Further reading
Icon
Subscribe to _secpro – the newsletter read by 65,000+ cybersecurity professionals
8
Securing Pods
Icon
Securing Pods
Icon
Hardening container images
Icon
Configuring the security attributes of Pods
Icon
Enforcement at admission time
Icon
Summary
Icon
Further reading
9
Shift Left (Scanning, SBOM, and CI/CD)
Icon
Shift Left (Scanning, SBOM, and CI/CD)
Icon
Technical requirements
Icon
Introducing container images and vulnerabilities
Icon
Scanning images with Trivy
Icon
SBOM with Syft
Icon
Grype, an image scanner
Icon
Integrating image scanning into the CI/CD pipeline
Icon
Image signing and validation using Cosign
Icon
Summary
Icon
Further reading
10
Real-Time Monitoring and Observability
Icon
Real-Time Monitoring and Observability
Icon
Technical requirements
Icon
Real-time monitoring and management in monolithic environments
Icon
Managing resources in Kubernetes
Icon
Monitoring resources in Kubernetes
Icon
Introduction to observability
Icon
Summary
Icon
Further reading
11
Security Monitoring and Log Analysis
Icon
Security Monitoring and Log Analysis
Icon
Technical requirements
Icon
The role of monitoring and log analysis in security posture
Icon
Logging in Kubernetes
Icon
Introducing Kubernetes auditing
Icon
Hands-on examples for Kubernetes security logging and monitoring
Icon
Summary
Icon
Further reading
Icon
Subscribe to _secpro – the newsletter read by 65,000+ cybersecurity professionals
12
Defense in Depth
Icon
Defense in Depth
Icon
Technical requirements
Icon
Enabling high availability in a Kubernetes cluster
Icon
Managing Secrets with Vault
Icon
Tetragon runtime protection
Icon
Detecting anomalies with Falco [4]
Icon
Handling false positive considerations in Runtime security
Icon
Summary
Icon
Further reading
13
Kubernetes Vulnerabilities and Container Escapes
Icon
Kubernetes Vulnerabilities and Container Escapes
Icon
Technical requirements
Icon
Understanding Kubernetes vulnerabilities
Icon
Container escape techniques
Icon
Practical exercises (escaping from containers)
Icon
Summary
Icon
Further reading
14
Third-Party Plugins for Securing Kubernetes
Icon
Third-Party Plugins for Securing Kubernetes
Icon
Technical requirements
Icon
Securing Kubernetes with plugins
Icon
Discovering the available kubectl plugins
Icon
Practical examples of security plugins
Icon
Summary
Icon
Further reading
15
Other Books You May Enjoy
Icon
Other Books You May Enjoy
Icon
Stay relevant in a rapidly changing cybersecurity world – join 65,000+ SecPro subscribers
16
Index
Icon
Index
Icon
Download a Free PDF Copy of This Book
1
Appendix: Enhancements in Kubernetes 1.30–1.33
Icon
Appendix: Enhancements in Kubernetes 1.30–1.33
Icon
Kubernetes Enhancement Proposal
Icon
Understanding new non-security features
Icon
Learning about new security features
Icon
Summary
Icon
Further reading
Icon
Subscribe to _secpro – the newsletter read by 65,000+ cybersecurity professionals

Microservices model

One of the most important aspects of Kubernetes to understand is that it is a distributed system. This means it comprises multiple components distributed across different infrastructure, such as networks and servers, which could be either virtual machines, bare metal, or cloud instances. Together, these elements form what is known as a Kubernetes cluster.

Before you dive deeper into Kubernetes, it’s important for you to understand the growth of microservices and containerization.

Traditional applications, such as web applications, are known to follow a modular architecture, splitting code into an application layer, business logic, a storage layer, and a communication layer. Despite the modular architecture, the components are packaged and deployed as a monolith. A monolithic application, despite being easy to develop, test, and deploy, is hard to maintain and scale.

When it comes to a monolithic application, developers face the following inevitable problems as the applications evolve:

  • Scaling: A monolithic application is difficult to scale. It’s been proven that the best way to solve a scalability problem is via a distributed method.
  • Operational cost: The operation cost increases with the complexity of a monolithic application. Updates and maintenance require careful analysis and enough testing before deployment. This is the opposite of scalability; you can’t scale down a monolithic application easily as the minimum resource requirement is high.
  • Security challenges: Monolithic applications present several security challenges, particularly when addressing vulnerabilities. For instance, rebooting for patching can be complex and time-consuming, while encryption key rotation is often difficult to implement. Additionally, monolithic architectures face increased risks of denial-of-service (DoS) attacks due to scaling limitations, which can impact availability. Here are some clear examples of issues that you may face:
    • Centralized logging and monitoring can be more challenging in monolithic applications, making it harder to detect and respond to security incidents in a timely manner
    • Implementing the principle of least privilege (where each component has only the permissions it needs) is more difficult in a monolithic application because all components run within the same process and share the same permissions
    • Monolithic applications may not easily support modern security practices such as microservices, containerization, or serverless architectures, which can provide better isolation and security controls
  • Longer release cycle: The maintenance and development barriers are significantly high for monolith applications. When there is a bug, it takes a lot of time for developers to identify the root cause in a complex and ever-growing code base. The testing time increases significantly. Regression, integration, and unit tests take significantly longer to pass with a complex code base. When the customer’s requests come in, it takes months or even a year for a single feature to ship. This makes the release cycle long and impacts the company’s business significantly.

These problems create a huge incentive to break down monolithic applications into microservices. The benefits are obvious:

  • With a well-defined interface, developers only need to focus on the functionality of the services they own.
  • The code logic is simplified, which makes the application easier to maintain and easier to debug. Furthermore, the release cycle of microservices has shortened tremendously compared to monolithic applications, so customers do not have to wait for too long for a new feature.

The issues with a monolith application and the benefits of breaking it down led to the growth of the microservices architecture. The microservices architecture splits application deployment into small and interconnected entities, where each entity is packaged in its own container.

However, when a monolithic application breaks down into many microservices, it increases the deployment and management complexity on the DevOps side. The complexity is evident; microservices are usually written in different programming languages that require different runtimes or interpreters, with different package dependencies, different configurations, and so on, not to mention the interdependence among microservices. This is exactly where Docker comes into the picture. Container runtimes such as Docker and Linux Containers (LXC) ease the deployment and maintenance of microservices.

Further, orchestrating microservices is crucial for handling the complexity of modern applications. Think of it like Ludwig van Beethoven leading an orchestra, making sure every member plays at the right moment to create beautiful music. This orchestration guides all the connected and independent components of an application to work together, completely integrated. Without it, the service will have many issues communicating and cooperating, causing performance problems and a messy network of dependencies that make scaling and managing the application very difficult.

The increasing popularity of microservices architecture and the complexity mentioned here led to the growth of orchestration platforms such as Docker Swarm, Mesos, and Kubernetes. These container orchestration platforms help manage containers in large and dynamic environments.

Having covered the fundamentals of microservices, in the upcoming section, you will now gain insights into how Docker has evolved during past years.

Visually different images
CONTINUE READING
83
Tech Concepts
36
Programming languages
73
Tech Tools
Icon Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.
Icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Icon 50+ new titles added per month and exclusive early access to books as they are being written.
Learning Kubernetes Security
End of Section 1
Next Section
notes
bookmark Notes and Bookmarks search Search in title playlist Add to playlist download Download options
font-size Font size

Change the font size

margin-width Margin width

Change margin width

day-mode Day/Sepia/Night Modes

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY

Submit Your Feedback

Modal Close icon
Modal Close icon
Modal Close icon