Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Learning Kubernetes Security
  • Table Of Contents Toc
  • Feedback & Rating feedback
Learning Kubernetes Security

Learning Kubernetes Security - Second Edition

By : Raul Lapaz
Buy this Book
close
close
Learning Kubernetes Security

Learning Kubernetes Security

By: Raul Lapaz
Buy this Book

Overview of this book

With readily available services, support, and tools, Kubernetes has become a foundation for digital transformation and cloud-native development, but it brings significant security challenges such as breaches and supply chain attacks. This updated edition equips you with defense strategies to protect your applications and infrastructure while understanding the attacker mindset, including tactics like container escapes and exploiting vulnerabilities to compromise clusters. The author distills his 25+ years of experience to guide you through Kubernetes components, architecture, and networking, addressing authentication, authorization, image scanning, resource monitoring, and traffic sniffing. You’ll implement security controls using third-party plugins (krew) and tools like Falco, Tetragon, and Cilium. You’ll also secure core components, such as the kube-apiserver, CoreDNS, and kubelet, while hardening images, managing security contexts, and applying PodSecurityPolicy. Through practical examples, the book teaches advanced techniques like redirecting traffic from misconfigured clusters to rogue pods and enhances your support incident response with effective cluster monitoring and log analysis. By the end of the book, you'll have a solid grasp of container security as well as the skills to defend your clusters against evolving threats.
Table of Contents (18 chapters)
close
close
close
Preface
Icon
Preface
Icon
Who this book is for
Icon
What this book covers
Icon
To get the most out of this book
Icon
Get in touch
Icon
Stay relevant in a rapidly changing cybersecurity world – join 65,000+ SecPro subscribers
Lock Free Chapter
1
Kubernetes Architecture
chevron up
Icon
Kubernetes Architecture
Icon
Microservices model
Icon
Evolution from Docker to Kubernetes
Icon
What is Kubernetes?
Icon
Kubernetes components
Icon
The Kubernetes interfaces
Icon
Kubernetes objects
Icon
Kubernetes alternatives
Icon
Cloud providers and managed Kubernetes
Icon
Why worry about Kubernetes security?
Icon
Summary
Icon
Further reading
2
Kubernetes Networking
Icon
Kubernetes Networking
Icon
Overview of the Kubernetes network model
Icon
Technical requirements
Icon
Communicating inside a Pod
Icon
Communicating between Pods
Icon
Introducing the Kubernetes service
Icon
Introducing the CNI and CNI plugins
Icon
Summary
Icon
Further reading
3
Threat Modeling
Icon
Threat Modeling
Icon
Introduction to threat modeling
Icon
Component interactions
Icon
MITRE ATT&CK framework
Icon
Threat actors in Kubernetes environments
Icon
Threats in Kubernetes clusters
Icon
Threat modeling application in Kubernetes
Icon
Summary
Icon
Further reading
Icon
Subscribe to _secpro – the newsletter read by 65,000+ cybersecurity professionals
4
Applying the Principle of Least Privilege in Kubernetes
Icon
Applying the Principle of Least Privilege in Kubernetes
Icon
The principle of least privilege
Icon
The least privilege of Kubernetes subjects
Icon
The least privilege for Kubernetes workloads
Icon
Summary
Icon
Further reading
5
Configuring Kubernetes Security Boundaries
Icon
Configuring Kubernetes Security Boundaries
Icon
Introduction to security boundaries
Icon
Security boundaries versus trust boundaries
Icon
Kubernetes security domains
Icon
Kubernetes entities as security boundaries
Icon
Security boundaries in the system layer
Icon
Security boundaries in the network layer
Icon
Summary
Icon
Further reading
6
Securing Cluster Components
Icon
Securing Cluster Components
Icon
Technical requirements
Icon
Securing kube-apiserver
Icon
Securing kubelet
Icon
Introduction to kubeletctl
Icon
Securing etcd
Icon
Securing kube-scheduler
Icon
Securing kube-controller-manager
Icon
Securing CoreDNS
Icon
Benchmarking a cluster’s security configuration
Icon
Summary
Icon
Further reading
7
Authentication, Authorization, and Admission Control
Icon
Authentication, Authorization, and Admission Control
Icon
The request workflow in Kubernetes
Icon
Kubernetes authentication
Icon
Kubernetes authorization
Icon
Admission controllers
Icon
Introduction to OPA
Icon
Summary
Icon
Further reading
Icon
Subscribe to _secpro – the newsletter read by 65,000+ cybersecurity professionals
8
Securing Pods
Icon
Securing Pods
Icon
Hardening container images
Icon
Configuring the security attributes of Pods
Icon
Enforcement at admission time
Icon
Summary
Icon
Further reading
9
Shift Left (Scanning, SBOM, and CI/CD)
Icon
Shift Left (Scanning, SBOM, and CI/CD)
Icon
Technical requirements
Icon
Introducing container images and vulnerabilities
Icon
Scanning images with Trivy
Icon
SBOM with Syft
Icon
Grype, an image scanner
Icon
Integrating image scanning into the CI/CD pipeline
Icon
Image signing and validation using Cosign
Icon
Summary
Icon
Further reading
10
Real-Time Monitoring and Observability
Icon
Real-Time Monitoring and Observability
Icon
Technical requirements
Icon
Real-time monitoring and management in monolithic environments
Icon
Managing resources in Kubernetes
Icon
Monitoring resources in Kubernetes
Icon
Introduction to observability
Icon
Summary
Icon
Further reading
11
Security Monitoring and Log Analysis
Icon
Security Monitoring and Log Analysis
Icon
Technical requirements
Icon
The role of monitoring and log analysis in security posture
Icon
Logging in Kubernetes
Icon
Introducing Kubernetes auditing
Icon
Hands-on examples for Kubernetes security logging and monitoring
Icon
Summary
Icon
Further reading
Icon
Subscribe to _secpro – the newsletter read by 65,000+ cybersecurity professionals
12
Defense in Depth
Icon
Defense in Depth
Icon
Technical requirements
Icon
Enabling high availability in a Kubernetes cluster
Icon
Managing Secrets with Vault
Icon
Tetragon runtime protection
Icon
Detecting anomalies with Falco [4]
Icon
Handling false positive considerations in Runtime security
Icon
Summary
Icon
Further reading
13
Kubernetes Vulnerabilities and Container Escapes
Icon
Kubernetes Vulnerabilities and Container Escapes
Icon
Technical requirements
Icon
Understanding Kubernetes vulnerabilities
Icon
Container escape techniques
Icon
Practical exercises (escaping from containers)
Icon
Summary
Icon
Further reading
14
Third-Party Plugins for Securing Kubernetes
Icon
Third-Party Plugins for Securing Kubernetes
Icon
Technical requirements
Icon
Securing Kubernetes with plugins
Icon
Discovering the available kubectl plugins
Icon
Practical examples of security plugins
Icon
Summary
Icon
Further reading
15
Other Books You May Enjoy
Icon
Other Books You May Enjoy
Icon
Stay relevant in a rapidly changing cybersecurity world – join 65,000+ SecPro subscribers
16
Index
Icon
Index
Icon
Download a Free PDF Copy of This Book
1
Appendix: Enhancements in Kubernetes 1.30–1.33
Icon
Appendix: Enhancements in Kubernetes 1.30–1.33
Icon
Kubernetes Enhancement Proposal
Icon
Understanding new non-security features
Icon
Learning about new security features
Icon
Summary
Icon
Further reading
Icon
Subscribe to _secpro – the newsletter read by 65,000+ cybersecurity professionals

Kubernetes objects

The storage and compute resources of the system are classified into different objects that reflect the current state of the cluster. Objects are defined using a .yaml spec and the Kubernetes API is used to create and manage the objects. We are going to cover some common Kubernetes objects in detail in the following subsections.

Pods

The Pod is the basic building block of a Kubernetes cluster. It’s a group of one or more containers that are expected to co-exist on a single host. Containers within a Pod can reference each other using localhost or inter-process communications (IPCs).

Replica sets

Replica sets ensure that a given number of Pods are running in a system at any given time. However, it is better to use deployments instead of replica sets because replica sets do not offer the same enhanced features, flexibility, and management capabilities for workloads as deployments. Deployments encapsulate replica sets and Pods. Additionally, deployments provide the ability to carry out rolling updates.

Deployments

Kubernetes deployments help scale Pods up or down based on labels and selectors. The YAML spec for a deployment consists of replicas, which is the number of instances of Pods that are required, and templates, which are identical to Pod specifications.

Services

A Kubernetes service is an abstraction of an application. A service enables network access for Pods. Services and deployments work in conjunction to ease the management and communication between different pods of an application. Kubernetes services will be explored in more detail in the next chapter, Chapter 2, Kubernetes Networking.

Volumes

Container storage is ephemeral by nature, which means that they are created on the fly and exist only for a short duration, typically to assist with debugging or inspecting the state of a running Pod. If the container crashes or reboots, it restarts from its original state, which means any changes made to the filesystem or runtime state during the container’s lifecycle are lost upon restart. Kubernetes volumes help solve this problem. A container can use volumes to store a state. A Kubernetes volume has a lifetime of a Pod, unless we are using PersistentVolume [3]; as soon as the Pod perishes, the volume is cleaned up as well. Volumes are also needed when multiple containers are running in a Pod and need to share files. A Pod can mount any number of volume types concurrently.

Namespaces

Namespaces help a physical cluster to be divided into multiple virtual clusters. Multiple objects can be isolated within different namespaces. One use case of namespaces is on multi-tenant clusters, where different teams and users share the same system. Default Kubernetes ships with four namespaces: default, kube-system, kube-public, and kube-node-lease.

Service accounts

Pods that need to interact with kube-apiserver use service accounts to identify themselves. By default, Kubernetes is provisioned with a list of default service accounts: kube-proxy, kube-dns, node-controller, and so on. Additional service accounts can be created to enforce custom access control. When you create a cluster, Kubernetes automatically creates the default service account for every namespace in your cluster.

Network policies

A network policy defines a set of rules of how a group of Pods is allowed to communicate with each other and other network endpoints. Any incoming and outgoing network connections are gated by the network policy. By default, a Pod can communicate with all Pods.

Pod security admission

The PodSecurityPolicy was deprecated in Kubernetes v1.21 and removed from Kubernetes in v1.25. The Kubernetes Pod Security Standards (PSS) define different isolation levels for Pods. These standards let you define how you want to restrict the behavior of Pods. Kubernetes offers a built-in Pod Security admission controller to enforce the Pod Security Standards as an alternative to PodSecurityPolicy.

You now have an understanding of the fundamentals of Kubernetes objects, including essential components such as Pods, Deployments, and Network Policies, which are critical when deploying a cluster. While Kubernetes has become the de facto standard for container orchestration and managing cloud-native applications, it is not always the best fit for every organization or use case. DevOps teams and system administrators may seek Kubernetes alternatives. Next, you will see some alternatives to Kubernetes.

Visually different images
CONTINUE READING
83
Tech Concepts
36
Programming languages
73
Tech Tools
Icon Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.
Icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Icon 50+ new titles added per month and exclusive early access to books as they are being written.
Learning Kubernetes Security
End of Section 1
Next Section
notes
bookmark Notes and Bookmarks search Search in title playlist Add to playlist download Download options
font-size Font size

Change the font size

margin-width Margin width

Change margin width

day-mode Day/Sepia/Night Modes

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY

Submit Your Feedback

Modal Close icon
Modal Close icon
Modal Close icon