Chapter 5. Minimize Microservice Vulnerabilities

Application stacks operated in a Kubernetes cluster often follow a microservices architecture. The domain “minimize microservice vulnerabilities” covers governance and enforcement of security settings at the Pod level. We’ll touch on Kubernetes’ core features, as well as external tooling, that help with minimizing security vulnerabilities. Additionally, we’ll talk about encrypted network communication between Pods running microservices.

At a high level, this chapter covers the following concepts:

  • Setting up appropriate OS-level security domains with security contexts, Pod Security Admission (PSA), and Open Policy Agent (OPA) Gatekeeper

  • Managing Secrets

  • Using container runtime sandboxes, such as gVisor and Kata Containers

  • Implementing Pod-to-Pod communication encryption via mutual Transport Layer Security (TLS)

Setting Appropriate OS-Level Security Domains

Both core ...

Get Certified Kubernetes Security Specialist (CKS) Study Guide now with the O’Reilly learning platform.
