Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Learn Kubernetes Security
  • Table Of Contents Toc
Learn Kubernetes Security

Learn Kubernetes Security

By : Kaizhe Huang, Pranjal Jumde
5 (10)
Buy this Book
close
close
Learn Kubernetes Security

Learn Kubernetes Security

5 (10)
By: Kaizhe Huang, Pranjal Jumde
Buy this Book

Overview of this book

Kubernetes is an open source orchestration platform for managing containerized applications. Despite widespread adoption of the technology, DevOps engineers might be unaware of the pitfalls of containerized environments. With this comprehensive book, you'll learn how to use the different security integrations available on the Kubernetes platform to safeguard your deployments in a variety of scenarios. Learn Kubernetes Security starts by taking you through the Kubernetes architecture and the networking model. You'll then learn about the Kubernetes threat model and get to grips with securing clusters. Throughout the book, you'll cover various security aspects such as authentication, authorization, image scanning, and resource monitoring. As you advance, you'll learn about securing cluster components (the kube-apiserver, CoreDNS, and kubelet) and pods (hardening image, security context, and PodSecurityPolicy). With the help of hands-on examples, you'll also learn how to use open source tools such as Anchore, Prometheus, OPA, and Falco to protect your deployments. By the end of this Kubernetes book, you'll have gained a solid understanding of container security and be able to protect your clusters from cyberattacks and mitigate cybersecurity threats.
Table of Contents (19 chapters)
close
close
close
Preface
Icon
Preface
Icon
Who this book is for
Icon
What this book covers
Icon
To get the most out of this book
Icon
Download the example code files
Icon
Code in Action
Icon
Download the color images
Icon
Conventions used
Icon
Get in touch
Icon
Reviews
1
Section 1: Introduction to Kubernetes
Icon
Section 1: Introduction to Kubernetes
Lock Free Chapter
2
Chapter 1: Kubernetes Architecture
chevron up
Icon
Chapter 1: Kubernetes Architecture
Icon
The rise of Docker and the trend of microservices
Icon
Kubernetes components
Icon
Kubernetes objects
Icon
Kubernetes variations
Icon
Kubernetes and cloud providers
Icon
Summary
Icon
Questions
Icon
Further reading
3
Chapter 2: Kubernetes Networking
Icon
Chapter 2: Kubernetes Networking
Icon
Overview of the Kubernetes network model
Icon
Communicating inside a pod
Icon
Communicating between pods
Icon
Introducing the Kubernetes service
Icon
Introducing the CNI and CNI plugins
Icon
Summary
Icon
Questions
Icon
Further reading
4
Chapter 3: Threat Modeling
Icon
Chapter 3: Threat Modeling
Icon
Introduction to threat modeling
Icon
Component interactions
Icon
Threat actors in Kubernetes environments
Icon
Threats in Kubernetes clusters
Icon
Threat modeling application in Kubernetes
Icon
Summary
Icon
Questions
Icon
Further reading
5
Chapter 4: Applying the Principle of Least Privilege in Kubernetes
Icon
Chapter 4: Applying the Principle of Least Privilege in Kubernetes
Icon
The principle of least privilege
Icon
Least privilege of Kubernetes subjects
Icon
Least privilege for Kubernetes workloads
Icon
Summary
Icon
Questions
Icon
Further reading
6
Chapter 5: Configuring Kubernetes Security Boundaries
Icon
Chapter 5: Configuring Kubernetes Security Boundaries
Icon
Introduction to security boundaries
Icon
Security boundaries versus trust boundaries
Icon
Kubernetes security domains
Icon
Kubernetes entities as security boundaries
Icon
Security boundaries in the system layer
Icon
Security boundaries in the network layer
Icon
Summary
Icon
Questions
Icon
Further references
7
Section 2: Securing Kubernetes Deployments and Clusters
Icon
Section 2: Securing Kubernetes Deployments and Clusters
8
Chapter 6: Securing Cluster Components
Icon
Chapter 6: Securing Cluster Components
Icon
Securing kube-apiserver
Icon
Securing kubelet
Icon
Securing etcd
Icon
Securing kube-scheduler
Icon
Securing kube-controller-manager
Icon
Securing CoreDNS
Icon
Benchmarking a cluster's security configuration
Icon
Summary
Icon
Questions
Icon
Further reading
9
Chapter 7: Authentication, Authorization, and Admission Control
Icon
Chapter 7: Authentication, Authorization, and Admission Control
Icon
Requesting a workflow in Kubernetes
Icon
Kubernetes authentication
Icon
Kubernetes authorization
Icon
Admission controllers
Icon
Introduction to OPA
Icon
Summary
Icon
Questions
Icon
Further reading
10
Chapter 8: Securing Kubernetes Pods
Icon
Chapter 8: Securing Kubernetes Pods
Icon
Hardening container images
Icon
Configuring the security attributes of pods
Icon
The power of PodSecurityPolicy
Icon
Summary
Icon
Questions
Icon
Further reading
11
Chapter 9: Image Scanning in DevOps Pipelines
Icon
Chapter 9: Image Scanning in DevOps Pipelines
Icon
Introducing container images and vulnerabilities
Icon
Scanning images with Anchore Engine
Icon
Integrating image scanning into the CI/CD pipeline
Icon
Summary
Icon
Questions
Icon
Further references
12
Chapter 10: Real-Time Monitoring and Resource Management of a Kubernetes Cluster
Icon
Chapter 10: Real-Time Monitoring and Resource Management of a Kubernetes Cluster
Icon
Real-time monitoring and management in monolith environments
Icon
Managing resources in Kubernetes
Icon
Monitoring resources in Kubernetes
Icon
Summary
Icon
Questions
Icon
Further references
13
Chapter 11: Defense in Depth
Icon
Chapter 11: Defense in Depth
Icon
Introducing Kubernetes auditing
Icon
Enabling high availability in a Kubernetes cluster
Icon
Managing secrets with Vault
Icon
Detecting anomalies with Falco
Icon
Conducting forensics with Sysdig Inspect and CRIU
Icon
Summary
Icon
Questions
Icon
Further references
14
Section 3: Learning from Mistakes and Pitfalls
Icon
Section 3: Learning from Mistakes and Pitfalls
15
Chapter 12: Analyzing and Detecting Crypto-Mining Attacks
Icon
Chapter 12: Analyzing and Detecting Crypto-Mining Attacks
Icon
Analyzing crypto-mining attacks
Icon
Detecting crypto-mining attacks
Icon
Defending against attacks
Icon
Summary
Icon
Questions
Icon
Further reading
16
Chapter 13: Learning from Kubernetes CVEs
Icon
Chapter 13: Learning from Kubernetes CVEs
Icon
The path traversal issue in kubectl cp – CVE-2019-11246
Icon
DoS issues in JSON parsing – CVE-2019-1002100
Icon
A DoS issue in YAML parsing – CVE-2019-11253
Icon
The Privilege escalation issue in role parsing – CVE-2019-11247
Icon
Scanning for known vulnerabilities using kube-hunter
Icon
Summary
Icon
Questions
Icon
Further references
17
Assessments
Icon
Chapter 1
Icon
Chapter 2
Icon
Chapter 3
Icon
Chapter 4
Icon
Chapter 5
Icon
Chapter 6
Icon
Chapter 7
Icon
Chapter 8
Icon
Chapter 9
Icon
Chapter 10
Icon
Chapter 11
Icon
Chapter 12
Icon
Chapter 13
18
Other Books You May Enjoy
Icon
Other Books You May Enjoy
Icon
Leave a review - let other readers know what you think

Kubernetes objects

The storage and compute resources of the system are classified into different objects that reflect the current state of the cluster. Objects are defined using a .yaml spec and the Kubernetes API is used to create and manage the objects. We are going to cover some common Kubernetes objects in detail.

Pods

A pod is a basic building block of a Kubernetes cluster. It's a group of one or more containers that are expected to co-exist on a single host. Containers within a pod can reference each other using localhost or inter-process communications (IPCs).

Deployments

Kubernetes deployments help scale pods up or down based on labels and selectors. The YAML spec for a deployment consists of replicas, which is the number of instances of pods that are required, and template, which is identical to a pod specification.

Services

A Kubernetes service is an abstraction of an application. A service enables network access for pods. Services and deployments work in conjunction to ease the management and communication between different pods of an application.

Replica sets

Replica sets ensure a given number pods are running in a system at any given time. It is better to use deployments over replica sets. Deployments encapsulate replica sets and pods. Additionally, deployments provide the ability to carry out rolling updates.

Volumes

Container storage is ephemeral. If the container crashes or reboots, it starts from its original state when it starts. Kubernetes volumes help solve this problem. A container can use volumes to store a state. A Kubernetes volume has a lifetime of a pod; as soon as the pod perishes, the volume is cleaned up as well. Some of the supported volumes include awsElasticBlockStore, azureDisk, flocker, nfs, and gitRepo.

Namespaces

Namespaces help a physical cluster to be divided into multiple virtual clusters. Multiple objects can be isolated within different namespaces. Default Kubernetes ships with three namespaces: default, kube-system, and kube-public.

Service accounts

Pods that need to interact with kube-apiserver use service accounts to identify themselves. By default, Kubernetes is provisioned with a list of default service accounts: kube-proxy, kube-dns, node-controller, and so on. Additional service accounts can be created to enforce custom access control.

Network policies

A network policy defines a set of rules of how a group of pods is allowed to communicate with each other and other network endpoints. Any incoming and outgoing network connections are gated by the network policy. By default, a pod is able to communicate with all pods.

Pod security policies

The pod security policy is a cluster-level resource that defines a set of conditions that must be fulfilled for a pod to run on the system. Pod security policies define the security-sensitive configuration for a pod. These policies must be accessible to the requesting user or the service account of the target pod to work.

CONTINUE READING
83
Tech Concepts
36
Programming languages
73
Tech Tools
Icon Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.
Icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Icon 50+ new titles added per month and exclusive early access to books as they are being written.
Learn Kubernetes Security
End of Section 2
Next Section
notes
bookmark Notes and Bookmarks search Search in title playlist Add to playlist download Download options
font-size Font size

Change the font size

margin-width Margin width

Change margin width

day-mode Day/Sepia/Night Modes

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY

Submit Your Feedback

Modal Close icon
Modal Close icon
Modal Close icon