Learning Kubernetes Security

Learning Kubernetes Security - Second Edition

By : Raul Lapaz

Overview of this book

With readily available services, support, and tools, Kubernetes has become a foundation for digital transformation and cloud-native development, but it brings significant security challenges such as breaches and supply chain attacks. This updated edition equips you with defense strategies to protect your applications and infrastructure while understanding the attacker mindset, including tactics like container escapes and exploiting vulnerabilities to compromise clusters. The author distills his 25+ years of experience to guide you through Kubernetes components, architecture, and networking, addressing authentication, authorization, image scanning, resource monitoring, and traffic sniffing. You’ll implement security controls using third-party plugins (krew) and tools like Falco, Tetragon, and Cilium. You’ll also secure core components, such as the kube-apiserver, CoreDNS, and kubelet, while hardening images, managing security contexts, and applying PodSecurityPolicy. Through practical examples, the book teaches advanced techniques like redirecting traffic from misconfigured clusters to rogue pods and enhances your incident response with effective cluster monitoring and log analysis. By the end of the book, you'll have a solid grasp of container security as well as the skills to defend your clusters against evolving threats.
Table of Contents (18 chapters)

What is Kubernetes?

Kubernetes is an open-source orchestration platform for containerized applications that supports automated deployment, scaling, and management. It was originally developed by Google in 2014 and is now maintained by the Cloud Native Computing Foundation (CNCF), to which Google donated it in March 2015. Kubernetes was the first CNCF project to graduate, in 2018. It is written in the Go language and is often abbreviated as K8s, counting the eight letters between the K and the s.

Many technology companies deploy Kubernetes at scale in production environments. Major cloud providers each offer their own managed Kubernetes service to support enterprise needs and streamline Kubernetes operations, including Amazon’s Elastic Kubernetes Service (EKS), Microsoft’s Azure Kubernetes Service (AKS), Google Kubernetes Engine (GKE), Oracle Cloud Infrastructure Container Engine for Kubernetes (OKE), Alibaba Cloud Kubernetes, and DigitalOcean Kubernetes (DOKS).

A Kubernetes cluster consists of two main components: control plane nodes (often referred to as master nodes) and worker nodes. Each of these nodes plays a critical role in the operation of the Kubernetes environment, ensuring that applications run efficiently and reliably across diverse infrastructures, including those that support multi-tenant environments.

Here are some of the features of Kubernetes:

  • Automated scheduling: Kubernetes assigns containers to different parts of your system to make sure resources are used efficiently.
  • Self-healing: If a container fails or stops responding, Kubernetes automatically fixes it by restarting, replacing, or rescheduling it.
  • Horizontal scaling: Need more or fewer resources? Kubernetes can automatically or manually adjust the number of containers to match demand.
  • Service discovery and load balancing: It has built-in tools to help containers find each other and manage the flow of traffic to keep everything running smoothly.
  • Storage orchestration: Kubernetes can automatically connect your containers to the right storage, whether it’s local, from the cloud, or a network system.
  • Automated rollouts and rollbacks: Updating your applications is a breeze with Kubernetes, which can smoothly roll out new updates or revert to previous versions if something goes wrong.
  • Secret and configuration management: It keeps sensitive information and configurations secure without exposing them in your application code.

In short, Kubernetes takes care of the hard work to keep your containerized applications running.

Kubernetes adoption

When the first edition of this book was published back in 2019, Kubernetes held a whopping 77% share of orchestrators in use. The market share was close to 90% if OpenShift (a variation of Kubernetes from Red Hat) was included:

Figure 1.1 – Chart showing the share of Kubernetes adoption in 2019

Looking ahead to 2025, the CNCF expects Kubernetes and the cloud-native ecosystem to continue to grow and evolve.

By now, you should have a solid understanding of the core concepts of Kubernetes. In the next section, we will get into the architectural components that constitute a Kubernetes cluster, providing a detailed overview of their roles and interactions within the system.
