Kubernetes Security and Observability: A Holistic Approach to Securing Containers and Cloud Native Applications


Securing, observing, and troubleshooting containerized workloads on Kubernetes can be daunting. It requires a range of considerations, from infrastructure choices and cluster configuration to deployment controls and runtime and network security. With this practical book, you'll learn how to adopt a holistic security and observability strategy for building and securing cloud native applications running on Kubernetes.

Whether you're already working on cloud native applications or are in the process of migrating to a cloud native architecture, this guide introduces key security and observability concepts and best practices to help you unleash the power of cloud native applications. Authors Brendan Creane and Amit Gupta from Tigera take you through the full breadth of new cloud native approaches for establishing security and observability for applications running on Kubernetes.

  • Learn why you need a security and observability strategy for cloud native applications and determine your scope of coverage
  • Understand key concepts behind the book's security and observability approach
  • Explore the technology choices available to support this strategy
  • Discover how to share security responsibilities across multiple teams or roles
  • Learn how to architect Kubernetes security and observability for multicloud and hybrid environments

Author(s): Brendan Creane, Amit Gupta
Edition: 1
Publisher: O'Reilly Media
Year: 2021

Language: English
Commentary: Publisher PDF | Published: November 2021 | Revision History: 2022-11-10: Second Release
Pages: 192
City: Sebastopol, CA

Cover
Copyright
Table of Contents
Preface
The Stages of Kubernetes Adoption
Who This Book Is For
The Platform Team
The Networking Team
The Security Team
The Compliance Team
The Operations Team
What You Will Learn
Conventions Used in This Book
Using Code Examples
O’Reilly Online Learning
How to Contact Us
Acknowledgments
Chapter 1. Security and Observability Strategy
Security for Kubernetes: A New and Different World
Deploying a Workload in Kubernetes: Security at Each Stage
Build-Time Security: Shift Left
Deploy-Time Security
Runtime Security
Observability
Security Frameworks
Security and Observability
Conclusion
Chapter 2. Infrastructure Security
Host Hardening
Choice of Operating System
Nonessential Processes
Host-Based Firewalling
Always Research the Latest Best Practices
Cluster Hardening
Secure the Kubernetes Datastore
Secure the Kubernetes API Server
Encrypt Kubernetes Secrets at Rest
Rotate Credentials Frequently
Authentication and RBAC
Restricting Cloud Metadata API Access
Enable Auditing
Restrict Access to Alpha or Beta Features
Upgrade Kubernetes Frequently
Use a Managed Kubernetes Service
CIS Benchmarks
Network Security
Conclusion
Chapter 3. Workload Deployment Controls
Image Building and Scanning
Choice of a Base Image
Container Image Hardening
Container Image Scanning Solution
Privacy Concerns
Container Threat Analysis
CI/CD
Scan Images by Registry Scanning Services
Scan Images After Builds
Inline Image Scanning
Kubernetes Admission Controller
Securing the CI/CD Pipeline
Organization Policy
Secrets Management
etcd to Store Secrets
Secrets Management Service
Kubernetes Secrets Store CSI Driver
Secrets Management Best Practices
Authentication
X509 Client Certificates
Bearer Token
OIDC Tokens
Authentication Proxy
Anonymous Requests
User Impersonation
Authorization
Node
ABAC
AlwaysDeny/AlwaysAllow
RBAC
Namespaced RBAC
Privilege Escalation Mitigation
Conclusion
Chapter 4. Workload Runtime Security
Pod Security Policies
Using Pod Security Policies
Pod Security Policy Capabilities
Pod Security Context
Limitations of PSPs
Process Monitoring
Kubernetes Native Monitoring
Seccomp
SELinux
AppArmor
Sysctl
Conclusion
Chapter 5. Observability
Monitoring
Observability
How Observability Works for Kubernetes
Implementing Observability for Kubernetes
Linux Kernel Tools
Observability Components
Aggregation and Correlation
Visualization
Service Graph
Visualization of Network Flows
Analytics and Troubleshooting
Distributed Tracing
Packet Capture
Conclusion
Chapter 6. Observability and Security
Alerting
Machine Learning
Examples of Machine Learning Jobs
Security Operations Center
User and Entity Behavior Analytics
Conclusion
Chapter 7. Network Policy
What Is Network Policy?
Why Is Network Policy Important?
Network Policy Implementations
Network Policy Best Practices
Ingress and Egress
Not Just Mission-Critical Workloads
Policy and Label Schemas
Default Deny and Default App Policy
Policy Tooling
Development Processes and Microservices Benefits
Policy Recommendations
Policy Impact Previews
Policy Staging and Audit Modes
Conclusion
Chapter 8. Managing Trust Across Teams
Role-Based Access Control
Limitations with Kubernetes Network Policies
Richer Network Policy Implementations
Admission Controllers
Conclusion
Chapter 9. Exposing Services to External Clients
Understanding Direct Pod Connections
Understanding Kubernetes Services
Cluster IP Services
Node Port Services
Load Balancer Services
externalTrafficPolicy:local
Network Policy Extensions
Alternatives to kube-proxy
Direct Server Return
Limiting Service External IPs
Advertising Service IPs
Understanding Kubernetes Ingress
Conclusion
Chapter 10. Encryption of Data in Transit
Building Encryption into Your Code
Sidecar or Service Mesh Encryption
Network-Layer Encryption
Conclusion
Chapter 11. Threat Defense and Intrusion Detection
Threat Defense for Kubernetes (Stages of an Attack)
Intrusion Detection
Intrusion Detection Systems
IP Address and Domain Name Threat Feeds
Special Considerations for Domain Name Feeds
Advanced Threat Defense Techniques
Canary Pods/Resources
DNS-Based Attacks and Defense
Conclusion
Conclusion
Index
About the Authors
Colophon