Chapter 7. Monitoring, Logging, and Runtime Security

The last domain of the curriculum primarily deals with detecting suspicious activity on the host and container level in a Kubernetes cluster. We’ll first define the term behavior analytics and how it applies to the realm of Kubernetes. With the theory out of the way, we’ll bring in the tool called Falco that can detect intrusion scenarios.

Once a container has been started, its runtime environment can still be modified. For example, as an operator you could decide to shell into the container in order to manually install additional tools or write files to the container’s temporary filesystem. Modifying a container after it has been started can open doors to security risks. You will want to aim for creating immutable containers: containers that cannot be modified after they have been started. We’ll learn how to configure a Pod with the right settings to make its containers immutable.
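To make the idea concrete, here is an added example (not code from the book or its author) of two Pod definitions: the first uses default settings and lets anyone with exec access write to the container filesystem; the second applies the settings that enforce immutability. The Pod names, the image, and the mount path under /tmp are assumptions chosen for illustration.

```yaml
# Added example, not from the book. Pod names, image and paths are assumed.
#
# Weak: no securityContext, so the container's root filesystem is writable
# and a shell inside the container can install tools or drop files.
apiVersion: v1
kind: Pod
metadata:
  name: mutable-pod
spec:
  containers:
  - name: app
    image: nginx:1.25   # assumed image
---
# Hardened: the root filesystem is read-only, the container cannot gain
# privileges, and it runs as a non-root user. Paths that legitimately need
# writes (here /tmp, assumed) are backed by an emptyDir volume, so the
# image contents themselves can never be changed at runtime.
apiVersion: v1
kind: Pod
metadata:
  name: immutable-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000          # assumed non-root UID
  containers:
  - name: app
    image: nginx:1.25        # assumed image
    securityContext:
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    - name: tmp
      mountPath: /tmp        # assumed writable scratch location
  volumes:
  - name: tmp
    emptyDir: {}
```

With the hardened definition, an attempt such as `kubectl exec immutable-pod -- touch /etc/marker` fails with a "Read-only file system" error, while writes under /tmp still succeed because that path is an emptyDir volume rather than part of the image layer. Unexpected exec sessions or write attempts are exactly the kind of runtime events the behavior analytics tooling discussed later in this chapter is meant to surface.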

Last, we’ll talk about capturing logs for events that occur in a Kubernetes cluster. Those logs can be used for troubleshooting purposes on the cluster level, to reconstruct when and how the cluster configuration was changed such that it led to an undesired or broken runtime behavior. Log entries can also be used to trace an attack that may be happening right now, as a basis for enacting countermeasures.

At a high level, this chapter covers the following concepts:

  • Performing behavior analytics to detect malicious activities

  • Performing deep analytical ...
