book

Kubernetes Security

by Liz Rice, Michael Hausenblas

November 2018

Intermediate to advanced

84 pages

1h 37m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Why We Wrote This BookWho Is This Book For?Which Version of Kubernetes?A Note on FederationAcknowledgments
Security PrinciplesDefense in DepthLeast PrivilegeLimiting the Attack Surface
API ServerKubeletKubelet Certificate RotationRunning etcd SafelyKubernetes DashboardValidating the ConfigurationCIS Security BenchmarkPenetration Testing
IdentityAuthentication ConceptsAuthentication StrategiesTooling and Good Practices
Authorization ConceptsAuthorization ModesAccess Control with RBACTooling and Good Practices
Scanning Container ImagesPatching Container ImagesCI/CD Best PracticesImage StorageCorrect Image VersionsRunning the Correct Version of Container ImagesImage Trust and Supply ChainMinimizing Images to Reduce the Attack Surface
Say No to RootAdmission ControlSecurity BoundariesPoliciesSecurity Context and PoliciesNetwork PoliciesExample Network PolicyEffective Network Policies
Applying the Principle of Least PrivilegeSecret EncryptionKubernetes Secret StorageStoring Secrets in etcdStoring Secrets in Third-Party StoresPassing Secrets into Containerized CodeDon’t Build Secrets into ImagesPassing Secrets as Environment VariablesPassing Secrets in FilesSecret Rotation and RevocationSecret Access from Within the ContainerSecret Access from a Kubelet
Monitoring, Alerting, and AuditingHost SecurityHost Operating SystemNode RecyclingSandboxing and Runtime ProtectionMultitenancyDynamic Admission ControlNetwork ProtectionService MeshesStatic Analysis of YAMLFork Bombs and Resource-Based AttacksCryptocurrency MiningKubernetes Security Updates

Overview

Kubernetes has fundamentally changed the way DevOps teams create, manage, and operate container-based applications, but as with any production process, you can never provide enough security. This practical ebook walks you through Kubernetes security features—including when to use what—and shows you how to augment those features with container image best practices and secure network communication.

Liz Rice from Aqua Security and Michael Hausenblas from Red Hat not only describe practical security techniques for Kubernetes but also maintain an accompanying website. Developers will learn how to build container images with security in mind, and ops folks will pick up techniques for configuring and operating a Kubernetes cluster more securely.

Explore security concepts including defense in depth, least privilege, and limiting the attack surface
Safeguard clusters by securing worker nodes and control plane components, such as the API server and the etcd key value store
Learn how Kubernetes uses authentication and authorization to grant fine-grained access
Secure container images against known vulnerabilities and abuse by third parties
Examine security boundaries and policy enforcement features for running containers securely
Learn about the options for handling secret information such as credentials
Delve into advanced topics such as monitoring, alerting, and auditing, as well as sandboxing and runtime protection