Kubernetes Security and Observability: A Holistic Approach to Securing Containers and Cloud Native Applications


Securing, observing, and troubleshooting containerized workloads on Kubernetes can be daunting. It requires a range of considerations, from infrastructure choices and cluster configuration to deployment controls and runtime and network security. With this practical book, you'll learn how to adopt a holistic security and observability strategy for building and securing cloud native applications running on Kubernetes.

Whether you're already working on cloud native applications or are in the process of migrating to a cloud native architecture, this guide introduces key security and observability concepts and best practices to help you get the most out of cloud native applications. Authors Brendan Creane and Amit Gupta from Tigera take you through the full breadth of new cloud native approaches for establishing security and observability for applications running on Kubernetes.

  • Learn why you need a security and observability strategy for cloud native applications and determine...
  • Author(s): Brendan Creane
    Publisher: O'Reilly Media
    Year: 2021

    Language: English
    Pages: 330

    Preface
        The Stages of Kubernetes Adoption
        Who This Book Is For
            The Platform Team
            The Networking Team
            The Security Team
            The Compliance Team
            The Operations Team
        What You Will Learn
        Conventions Used in This Book
        Using Code Examples
        O’Reilly Online Learning
        How to Contact Us
        Acknowledgments
    1. Security and Observability Strategy
        Security for Kubernetes: A New and Different World
        Deploying a Workload in Kubernetes: Security at Each Stage
        Build-Time Security: Shift Left
            Image scanning
            Host operating system hardening
            Minimizing the attack surface: Base container images
        Deploy-Time Security
        Runtime Security
            Network security controls
            Enterprise security controls
            Threat defense
        Observability
            Network traffic visibility
            DNS activity logs
            Application traffic visibility
            Kubernetes activity logs
            Machine learning/anomaly detection
        Security Frameworks
        MITRE
            Threat matrix for Kubernetes
        Security and Observability
        Conclusion
    2. Infrastructure Security
        Host Hardening
        Choice of Operating System
        Nonessential Processes
        Host-Based Firewalling
        Always Research the Latest Best Practices
        Cluster Hardening
        Secure the Kubernetes Datastore
        Secure the Kubernetes API Server
        Encrypt Kubernetes Secrets at Rest
        Rotate Credentials Frequently
        Authentication and RBAC
        Restricting Cloud Metadata API Access
        Enable Auditing
        Restrict Access to Alpha or Beta Features
        Upgrade Kubernetes Frequently
        Use a Managed Kubernetes Service
        CIS Benchmarks
        Network Security
        Conclusion
    3. Workload Deployment Controls
        Image Building and Scanning
        Choice of a Base Image
        Container Image Hardening
        Container Image Scanning Solution
        Privacy Concerns
        Container Threat Analysis
        CI/CD
        Scan Images by Registry Scanning Services
        Scan Images After Builds
        Inline Image Scanning
        Kubernetes Admission Controller
        Securing the CI/CD Pipeline
            Zero-trust policy for CI/CD environment
            Secure secrets
            Access control
            Audit and monitoring
        Organization Policy
        Secrets Management
        etcd to Store Secrets
        Secrets Management Service
        Kubernetes Secrets Store CSI Driver
        Secrets Management Best Practices
            Avoid secrets sprawl
            Use anti-affinity rules
            Data encryption (transit and rest)
            Use automated secret rotation
            Ephemeral or dynamic secret
            Enable audit log
            Store secrets in container memory
            Secret zero problem
            Use your Certificate Authority
        Authentication
        X509 Client Certificates
        Bearer Token
        OIDC Tokens
        Authentication Proxy
        Anonymous Requests
        User Impersonation
        Authorization
        Node
        ABAC
        AlwaysDeny/AlwaysAllow
        RBAC
        Namespaced RBAC
        Privilege Escalation Mitigation
        Conclusion
    4. Workload Runtime Security
        Pod Security Policies
        Using Pod Security Policies
        Pod Security Policy Capabilities
        Pod Security Context
        Limitations of PSPs
        Process Monitoring
        Kubernetes Native Monitoring
        Seccomp
        SELinux
        AppArmor
        Sysctl
        Conclusion
    5. Observability
        Monitoring
        Observability
        How Observability Works for Kubernetes
        Implementing Observability for Kubernetes
        Linux Kernel Tools
        Observability Components
        Aggregation and Correlation
        Visualization
        Service Graph
        Visualization of Network Flows
        Analytics and Troubleshooting
        Distributed Tracing
        Packet Capture
        Conclusion
    6. Observability and Security
        Alerting
        Machine Learning
        Examples of Machine Learning Jobs
        Security Operations Center
        User and Entity Behavior Analytics
        Conclusion
    7. Network Policy
        What Is Network Policy?
        Why Is Network Policy Important?
        Network Policy Implementations
        Network Policy Best Practices
        Ingress and Egress
        Not Just Mission-Critical Workloads
        Policy and Label Schemas
        Default Deny and Default App Policy
        Policy Tooling
        Development Processes and Microservices Benefits
        Policy Recommendations
        Policy Impact Previews
        Policy Staging and Audit Modes
        Conclusion
    8. Managing Trust Across Teams
        Role-Based Access Control
        Limitations with Kubernetes Network Policies
        Richer Network Policy Implementations
        Admission Controllers
        Conclusion
    9. Exposing Services to External Clients
        Understanding Direct Pod Connections
        Understanding Kubernetes Services
        Cluster IP Services
        Node Port Services
        Load Balancer Services
            externalTrafficPolicy:local
        Network Policy Extensions
        Alternatives to kube-proxy
        Direct Server Return
        Limiting Service External IPs
        Advertising Service IPs
        Understanding Kubernetes Ingress
            In-cluster ingress solutions
            External ingress solutions
        Conclusion
    10. Encryption of Data in Transit
        Building Encryption into Your Code
        Sidecar or Service Mesh Encryption
        Network-Layer Encryption
        Conclusion
    11. Threat Defense and Intrusion Detection
        Threat Defense for Kubernetes (Stages of an Attack)
        Intrusion Detection
        Intrusion Detection Systems
        IP Address and Domain Name Threat Feeds
            Threat feed controller
            Network policy engine
            Log processing engine
        Special Considerations for Domain Name Feeds
            Deep packet inspection
            Logging and visibility
        Advanced Threat Defense Techniques
        Canary Pods/Resources
        DNS-Based Attacks and Defense
        Conclusion
    Conclusion
    Index