book

Kubernetes Security and Observability

by Brendan Creane, Amit Gupta

October 2021

Intermediate to advanced

192 pages

5h 59m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
The Stages of Kubernetes AdoptionWho This Book Is ForThe Platform TeamThe Networking TeamThe Security TeamThe Compliance TeamThe Operations TeamWhat You Will LearnConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
1. Security and Observability Strategy
Security for Kubernetes: A New and Different WorldDeploying a Workload in Kubernetes: Security at Each StageBuild-Time Security: Shift LeftDeploy-Time SecurityRuntime SecurityObservabilitySecurity FrameworksSecurity and ObservabilityConclusion
2. Infrastructure Security
Host HardeningChoice of Operating SystemNonessential ProcessesHost-Based FirewallingAlways Research the Latest Best PracticesCluster HardeningSecure the Kubernetes DatastoreSecure the Kubernetes API ServerEncrypt Kubernetes Secrets at RestRotate Credentials FrequentlyAuthentication and RBACRestricting Cloud Metadata API AccessEnable AuditingRestrict Access to Alpha or Beta FeaturesUpgrade Kubernetes FrequentlyUse a Managed Kubernetes ServiceCIS BenchmarksNetwork SecurityConclusion
3. Workload Deployment Controls
Image Building and ScanningChoice of a Base ImageContainer Image HardeningContainer Image Scanning SolutionPrivacy ConcernsContainer Threat AnalysisCI/CDScan Images by Registry Scanning ServicesScan Images After BuildsInline Image ScanningKubernetes Admission ControllerSecuring the CI/CD PipelineOrganization PolicySecrets Managementetcd to Store SecretsSecrets Management ServiceKubernetes Secrets Store CSI DriverSecrets Management Best PracticesAuthenticationX509 Client CertificatesBearer TokenOIDC TokensAuthentication ProxyAnonymous RequestsUser ImpersonationAuthorizationNodeABACAlwaysDeny/AlwaysAllowRBACNamespaced RBACPrivilege Escalation MitigationConclusion
4. Workload Runtime Security
Pod Security PoliciesUsing Pod Security PoliciesPod Security Policy CapabilitiesPod Security ContextLimitations of PSPsProcess MonitoringKubernetes Native MonitoringSeccompSELinuxAppArmorSysctlConclusion
5. Observability
MonitoringObservabilityHow Observability Works for KubernetesImplementing Observability for KubernetesLinux Kernel ToolsObservability ComponentsAggregation and CorrelationVisualizationService GraphVisualization of Network FlowsAnalytics and Troubleshooting Distributed TracingPacket CaptureConclusion
6. Observability and Security
AlertingMachine LearningExamples of Machine Learning JobsSecurity Operations CenterUser and Entity Behavior AnalyticsConclusion
7. Network Policy
What Is Network Policy?Why Is Network Policy Important?Network Policy ImplementationsNetwork Policy Best PracticesIngress and EgressNot Just Mission-Critical WorkloadsPolicy and Label SchemasDefault Deny and Default App PolicyPolicy ToolingDevelopment Processes and Microservices BenefitsPolicy RecommendationsPolicy Impact PreviewsPolicy Staging and Audit ModesConclusion
8. Managing Trust Across Teams
Role-Based Access ControlLimitations with Kubernetes Network PoliciesRicher Network Policy ImplementationsAdmission ControllersConclusion
9. Exposing Services to External Clients
Understanding Direct Pod ConnectionsUnderstanding Kubernetes ServicesCluster IP ServicesNode Port ServicesLoad Balancer ServicesexternalTrafficPolicy:localNetwork Policy ExtensionsAlternatives to kube-proxyDirect Server ReturnLimiting Service External IPsAdvertising Service IPsUnderstanding Kubernetes IngressConclusion

10. Encryption of Data in Transit
Building Encryption into Your CodeSidecar or Service Mesh EncryptionNetwork-Layer EncryptionConclusion
11. Threat Defense and Intrusion Detection
Threat Defense for Kubernetes (Stages of an Attack)Intrusion DetectionIntrusion Detection SystemsIP Address and Domain Name Threat FeedsSpecial Considerations for Domain Name FeedsAdvanced Threat Defense TechniquesCanary Pods/ResourcesDNS-Based Attacks and DefenseConclusion
Conclusion
Index
About the Authors

Overview

Securing, observing, and troubleshooting containerized workloads on Kubernetes can be daunting. It requires a range of considerations, from infrastructure choices and cluster configuration to deployment controls and runtime and network security. With this practical book, you'll learn how to adopt a holistic security and observability strategy for building and securing cloud native applications running on Kubernetes.

Whether you're already working on cloud native applications or are in the process of migrating to its architecture, this guide introduces key security and observability concepts and best practices to help you unleash the power of cloud native applications. Authors Brendan Creane and Amit Gupta from Tigera take you through the full breadth of new cloud native approaches for establishing security and observability for applications running on Kubernetes.

Learn why you need a security and observability strategy for cloud native applications and determine your scope of coverage
Understand key concepts behind the book's security and observability approach
Explore the technology choices available to support this strategy
Discover how to share security responsibilities across multiple teams or roles
Learn how to architect Kubernetes security and observability for multicloud and hybrid environments

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098107093Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills