book

Kubernetes Security and Observability

by Brendan Creane, Amit Gupta

October 2021

Intermediate to advanced

192 pages

5h 59m

English

O'Reilly Media, Inc.

Read now

Unlock full access

The Stages of Kubernetes AdoptionWho This Book Is ForThe Platform TeamThe Networking TeamThe Security TeamThe Compliance TeamThe Operations TeamWhat You Will LearnConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
Security for Kubernetes: A New and Different WorldDeploying a Workload in Kubernetes: Security at Each StageBuild-Time Security: Shift LeftDeploy-Time SecurityRuntime SecurityObservabilitySecurity FrameworksSecurity and ObservabilityConclusion
Host HardeningChoice of Operating SystemNonessential ProcessesHost-Based FirewallingAlways Research the Latest Best PracticesCluster HardeningSecure the Kubernetes DatastoreSecure the Kubernetes API ServerEncrypt Kubernetes Secrets at RestRotate Credentials FrequentlyAuthentication and RBACRestricting Cloud Metadata API AccessEnable AuditingRestrict Access to Alpha or Beta FeaturesUpgrade Kubernetes FrequentlyUse a Managed Kubernetes ServiceCIS BenchmarksNetwork SecurityConclusion
Image Building and ScanningChoice of a Base ImageContainer Image HardeningContainer Image Scanning SolutionPrivacy ConcernsContainer Threat AnalysisCI/CDScan Images by Registry Scanning ServicesScan Images After BuildsInline Image ScanningKubernetes Admission ControllerSecuring the CI/CD PipelineOrganization PolicySecrets Managementetcd to Store SecretsSecrets Management ServiceKubernetes Secrets Store CSI DriverSecrets Management Best PracticesAuthenticationX509 Client CertificatesBearer TokenOIDC TokensAuthentication ProxyAnonymous RequestsUser ImpersonationAuthorizationNodeABACAlwaysDeny/AlwaysAllowRBACNamespaced RBACPrivilege Escalation MitigationConclusion
Pod Security PoliciesUsing Pod Security PoliciesPod Security Policy CapabilitiesPod Security ContextLimitations of PSPsProcess MonitoringKubernetes Native MonitoringSeccompSELinuxAppArmorSysctlConclusion
MonitoringObservabilityHow Observability Works for KubernetesImplementing Observability for KubernetesLinux Kernel ToolsObservability ComponentsAggregation and CorrelationVisualizationService GraphVisualization of Network FlowsAnalytics and Troubleshooting Distributed TracingPacket CaptureConclusion
AlertingMachine LearningExamples of Machine Learning JobsSecurity Operations CenterUser and Entity Behavior AnalyticsConclusion
What Is Network Policy?Why Is Network Policy Important?Network Policy ImplementationsNetwork Policy Best PracticesIngress and EgressNot Just Mission-Critical WorkloadsPolicy and Label SchemasDefault Deny and Default App PolicyPolicy ToolingDevelopment Processes and Microservices BenefitsPolicy RecommendationsPolicy Impact PreviewsPolicy Staging and Audit ModesConclusion
Role-Based Access ControlLimitations with Kubernetes Network PoliciesRicher Network Policy ImplementationsAdmission ControllersConclusion
Understanding Direct Pod ConnectionsUnderstanding Kubernetes ServicesCluster IP ServicesNode Port ServicesLoad Balancer ServicesexternalTrafficPolicy:localNetwork Policy ExtensionsAlternatives to kube-proxyDirect Server ReturnLimiting Service External IPsAdvertising Service IPsUnderstanding Kubernetes IngressConclusion

Building Encryption into Your CodeSidecar or Service Mesh EncryptionNetwork-Layer EncryptionConclusion
Threat Defense for Kubernetes (Stages of an Attack)Intrusion DetectionIntrusion Detection SystemsIP Address and Domain Name Threat FeedsSpecial Considerations for Domain Name FeedsAdvanced Threat Defense TechniquesCanary Pods/ResourcesDNS-Based Attacks and DefenseConclusion

Overview

Securing, observing, and troubleshooting containerized workloads on Kubernetes can be daunting. It requires a range of considerations, from infrastructure choices and cluster configuration to deployment controls and runtime and network security. With this practical book, you'll learn how to adopt a holistic security and observability strategy for building and securing cloud native applications running on Kubernetes.

Whether you're already working on cloud native applications or are in the process of migrating to its architecture, this guide introduces key security and observability concepts and best practices to help you unleash the power of cloud native applications. Authors Brendan Creane and Amit Gupta from Tigera take you through the full breadth of new cloud native approaches for establishing security and observability for applications running on Kubernetes.

Learn why you need a security and observability strategy for cloud native applications and determine your scope of coverage
Understand key concepts behind the book's security and observability approach
Explore the technology choices available to support this strategy
Discover how to share security responsibilities across multiple teams or roles
Learn how to architect Kubernetes security and observability for multicloud and hybrid environments