Learning Kubernetes Security - Second Edition

By: Raul Lapaz

Overview of this book

With readily available services, support, and tools, Kubernetes has become a foundation for digital transformation and cloud-native development, but it brings significant security challenges such as breaches and supply chain attacks. This updated edition equips you with defense strategies to protect your applications and infrastructure while understanding the attacker mindset, including tactics like container escapes and exploiting vulnerabilities to compromise clusters. The author distills his 25+ years of experience to guide you through Kubernetes components, architecture, and networking, addressing authentication, authorization, image scanning, resource monitoring, and traffic sniffing. You’ll implement security controls using third-party plugins (krew) and tools like Falco, Tetragon, and Cilium. You’ll also secure core components, such as the kube-apiserver, CoreDNS, and kubelet, while hardening images, managing security contexts, and applying PodSecurityPolicy. Through practical examples, the book teaches advanced techniques like redirecting traffic from misconfigured clusters to rogue pods and strengthens your incident response with effective cluster monitoring and log analysis. By the end of the book, you'll have a solid grasp of container security as well as the skills to defend your clusters against evolving threats.
Table of Contents (18 chapters)

Kubernetes components

Kubernetes follows a client-server architecture. In Kubernetes, multiple master nodes control multiple worker nodes. Each master and worker has a set of components required for the cluster to work correctly. A master node generally has kube-apiserver, etcd storage, kube-controller-manager, cloud-controller-manager, and kube-scheduler. The worker nodes have kubelet, kube-proxy, a Container Runtime Interface (CRI) component, a Container Storage Interface (CSI) component, and so on. The following is an architecture diagram of a Kubernetes cluster showing some of the core components:

Figure 1.2 – Kubernetes architecture with core components

Figure 1.2 presents a simplified diagram of a Kubernetes cluster’s control plane, highlighting its essential components, such as the API server, scheduler, etcd, and Controller Manager. The diagram also demonstrates the interaction between the control plane and a worker node, which includes critical components such as the kubelet, Kube-proxy, and several Pods running workloads. This interaction showcases how the control plane manages and orchestrates containerized applications across the cluster while ensuring smooth communication with worker nodes.

You can see that the API server is the most important component of the cluster, since every other component connects to it. Communication with the API server is usually inbound: the other components initiate requests to the API server, which authenticates each request and validates it before acting on it.

Now, we will be explaining those components in more detail:

  • Cluster: A Kubernetes cluster is composed of multiple machines (or VMs) known as nodes. There are two types of nodes: master nodes and worker nodes. The control plane components, such as kube-apiserver, run on the master nodes. The agent running on each worker node is called kubelet, working as a minion on behalf of kube-apiserver. A typical workflow in Kubernetes starts with a user (for example, DevOps) who communicates with kube-apiserver on the master node, and kube-apiserver delegates the deployment job to the worker nodes. This workflow is illustrated in the following diagram:
Figure 1.3 – Kubernetes user request workflow

Figure 1.3 shows how a user sends a deployment request to the master node (kube-apiserver), which delegates the deployment execution to the kubelet on some of the worker nodes.

  • kube-apiserver: The Kubernetes API server (kube-apiserver) is a control-plane component that validates and configures data for objects such as Pods, services, and controllers. Clients interact with these objects through its REST API.
  • etcd: etcd is a highly available key-value store used to store data such as configuration, state, secrets, metadata, and other sensitive data. The watch functionality of etcd gives Kubernetes the ability to listen for updates to configuration and react accordingly. However, while etcd can be made secure, it is not secure by default. Because of the sensitive information it holds, securing etcd requires specific configuration and best practices. We will cover how to secure etcd in Chapter 6, Securing Cluster Components.
  • kube-scheduler: This is the default scheduler for Kubernetes. It looks for newly created Pods and assigns them to nodes. The scheduler first filters the set of nodes on which the Pod can run; filtering produces a list of possible nodes based on available resources and policies set by the user. Once this list is created, the scheduler ranks the nodes to find the most suitable node for the Pod.
  • cloud-controller-manager: This feature is still in beta state. It is a core control-plane component that enables Kubernetes to interact with cloud provider resources and services, such as load balancers, storage volumes, and networking. Its responsibilities include ensuring that nodes (either VMs or instances) are properly managed in the cloud provider. It is also responsible for configuring network routes between nodes so that Pods can communicate across the cluster.
  • kubelet: This is the node agent for Kubernetes. It manages the lifecycle of objects within the Kubernetes cluster and ensures that those objects are in a healthy state on the node. Its primary function is to ensure that containers are running as specified in the Pod definitions (manifest files): it interacts with the Kubernetes API server to receive the needed information, then manages the lifecycle of containers through a container runtime such as Docker or containerd.
  • kube-proxy: This crucial component runs on each node to manage network connectivity and load balancing for Pods. It ensures that network traffic is correctly routed within the cluster, enabling communication between services and Pods by managing iptables or IPVS rules on the node that direct traffic to the correct endpoints.
  • kube-controller-manager: The Kubernetes controller manager is a combination of the core controllers that watch for state updates and make changes to the cluster accordingly. Controllers that currently ship with Kubernetes include the following:

Controllers and their descriptions:

  • Replication controller – Maintains the correct number of Pods on the system for every replication controller object.
  • Node controller – Monitors changes to the nodes.
  • Endpoints controller – Populates the endpoint object, which joins the service object and the Pod object. We will cover services and Pods in more detail in the next section.
  • Service accounts token controller – Creates default accounts and API tokens for new namespaces.
  • Cloud controller manager – Enables Kubernetes to interact with cloud provider resources and services.

Table 1.1 – Controllers available within Kubernetes
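Two of the points above are worth checking on a real control plane: the API server authenticates and authorizes every request it receives, and etcd is not secure by default. The following added example (not code from the book) audits the flags of a kube-apiserver static Pod manifest for both. WEAK_MANIFEST and HARDENED_MANIFEST are constructed, trimmed-down versions of the file kubeadm writes as kube-apiserver.yaml; the flag names are real kube-apiserver flags, while the image tag and certificate paths are illustrative. The kube-apiserver defaults assumed when a flag is absent (anonymous-auth on, authorization-mode AlwaysAllow) are the upstream defaults.

```python
"""Flag audit for a kube-apiserver static Pod manifest.

Added example, not the book's code. The two manifests are constructed;
flag names are real kube-apiserver flags, paths and image tag are illustrative.
"""
import re

# Constructed weak configuration: plaintext etcd, anonymous auth, no authorization.
WEAK_MANIFEST = """\
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    image: registry.k8s.io/kube-apiserver:vX.Y.Z
    command:
    - kube-apiserver
    - --etcd-servers=http://127.0.0.1:2379
    - --anonymous-auth=true
    - --authorization-mode=AlwaysAllow
"""

# Constructed hardened configuration: mutual TLS to etcd, anonymous auth off, Node+RBAC.
HARDENED_MANIFEST = """\
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    image: registry.k8s.io/kube-apiserver:vX.Y.Z
    command:
    - kube-apiserver
    - --etcd-servers=https://127.0.0.1:2379
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --anonymous-auth=false
    - --authorization-mode=Node,RBAC
"""

# Matches one '- --flag=value' (or '- --flag') entry of the container command list.
FLAG_RE = re.compile(r"^\s*-\s+--([A-Za-z0-9-]+)(?:=(.*))?$", re.MULTILINE)


def parse_flags(manifest: str) -> dict[str, str]:
    """Return {flag: value} for every command-line flag found in the manifest."""
    return {m.group(1): (m.group(2) or "").strip() for m in FLAG_RE.finditer(manifest)}


def audit(manifest: str) -> list[str]:
    """Return one finding per weak or missing setting; an empty list means all checks pass."""
    flags = parse_flags(manifest)
    findings: list[str] = []

    # API server <-> etcd: the endpoint must be TLS and the API server must present
    # a client certificate, otherwise Secrets travel in plaintext to the store.
    endpoints = [e for e in flags.get("etcd-servers", "").split(",") if e]
    if not endpoints or any(not e.startswith("https://") for e in endpoints):
        findings.append("etcd-servers: endpoint is not https://, etcd traffic is in plaintext")
    for flag in ("etcd-cafile", "etcd-certfile", "etcd-keyfile"):
        if flag not in flags:
            findings.append(f"{flag}: missing, API server cannot present a client certificate to etcd")

    # Request handling: the upstream defaults when a flag is absent are
    # anonymous-auth=true and authorization-mode=AlwaysAllow, so absence is a finding too.
    if flags.get("anonymous-auth", "true").lower() == "true":
        findings.append("anonymous-auth: unauthenticated requests are accepted as system:anonymous")
    modes = flags.get("authorization-mode", "AlwaysAllow").split(",")
    if "AlwaysAllow" in modes:
        findings.append("authorization-mode: AlwaysAllow skips authorization for every request")
    return findings


if __name__ == "__main__":
    for name, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(f"{name}: {audit(manifest) or 'no findings'}")
```

On a kubeadm cluster the same function can be pointed at the real file by reading /etc/kubernetes/manifests/kube-apiserver.yaml from the control-plane node; the regex deliberately ignores everything except the command list, so the rest of the manifest does not need to be parsed as YAML.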
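The kube-scheduler entry above describes two phases, filtering and ranking. The following added example (not kube-scheduler's code) models both on a constructed cluster: a control-plane node carrying a NoSchedule taint, two workers, and a handful of Pods with resource requests, one node selector and one request that fits nowhere. The ranking rule is a simplified "least requested" score in the 0..100 range; the node and Pod values, the label and the taint string are all constructed for the demonstration.

```python
"""Toy model of kube-scheduler's filter-then-rank placement.

Added example, not the scheduler's code. Cluster contents are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    name: str
    cpu_m: int                     # allocatable CPU in millicores
    mem_mi: int                    # allocatable memory in MiB
    labels: dict[str, str] = field(default_factory=dict)
    taints: set[str] = field(default_factory=set)   # "key:Effect" strings


@dataclass
class Pod:
    name: str
    cpu_m: int                     # requested CPU in millicores
    mem_mi: int                    # requested memory in MiB
    node_selector: dict[str, str] = field(default_factory=dict)
    tolerations: set[str] = field(default_factory=set)


def feasible(pod: Pod, node: Node) -> bool:
    """Filtering phase: enough resources, matching node selector, no untolerated taint."""
    if pod.cpu_m > node.cpu_m or pod.mem_mi > node.mem_mi:
        return False
    if any(node.labels.get(k) != v for k, v in pod.node_selector.items()):
        return False
    # Any taint the Pod does not tolerate keeps it off the node (e.g. the control plane).
    return not (node.taints - pod.tolerations)


def score(pod: Pod, node: Node) -> int:
    """Ranking phase: least-requested priority, more spare capacity after placement scores higher."""
    cpu_free = (node.cpu_m - pod.cpu_m) / node.cpu_m
    mem_free = (node.mem_mi - pod.mem_mi) / node.mem_mi
    return round(50 * cpu_free + 50 * mem_free)


def schedule(pod: Pod, nodes: list[Node]) -> Optional[str]:
    """Bind the Pod to the best feasible node, or return None (the Pod stays Pending)."""
    candidates = [n for n in nodes if feasible(pod, n)]
    if not candidates:
        return None
    # Highest score wins; the node name breaks ties so the result is deterministic.
    best = min(candidates, key=lambda n: (-score(pod, n), n.name))
    best.cpu_m -= pod.cpu_m          # reserve the request on the chosen node
    best.mem_mi -= pod.mem_mi
    return best.name


def run_demo() -> list[tuple[str, Optional[str]]]:
    """Constructed cluster: one tainted control-plane node and two workers."""
    cp_taint = "node-role.kubernetes.io/control-plane:NoSchedule"
    nodes = [
        Node("control-plane", 2000, 4096, taints={cp_taint}),
        Node("worker-a", 4000, 8192),
        Node("worker-b", 4000, 8192, labels={"disktype": "ssd"}),
    ]
    pods = [
        Pod("web", 500, 512),
        Pod("api", 500, 512),                                  # spreads to the other worker
        Pod("db", 1000, 2048, node_selector={"disktype": "ssd"}),
        Pod("huge", 8000, 1024),                               # fits no node: stays Pending
    ]
    return [(p.name, schedule(p, nodes)) for p in pods]


if __name__ == "__main__":
    for name, node in run_demo():
        print(f"{name:5s} -> {node or 'Pending (no feasible node)'}")
```

Because the control-plane node's taint is never tolerated by the workload Pods, no user workload lands next to kube-apiserver and etcd, which is the isolation the default control-plane taint exists to provide.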

In this section, you looked at the core components of Kubernetes. These components will be present in all Kubernetes clusters. Kubernetes also has some configurable interfaces that allow clusters to be modified to suit organizational needs. You will review these next.
