Kubernetes Security and Observability

Book description

Securing, observing, and troubleshooting containerized workloads on Kubernetes can be daunting. It requires a range of considerations, from infrastructure choices and cluster configuration to deployment controls and runtime and network security. With this practical book, you'll learn how to adopt a holistic security and observability strategy for building and securing cloud native applications running on Kubernetes.

Whether you're already working on cloud native applications or are in the process of migrating to its architecture, this guide introduces key security and observability concepts and best practices to help you unleash the power of cloud native applications. Authors Brendan Creane and Amit Gupta from Tigera take you through the full breadth of new cloud native approaches for establishing security and observability for applications running on Kubernetes.

  • Learn why you need a security and observability strategy for cloud native applications and determine your scope of coverage
  • Understand key concepts behind the book's security and observability approach
  • Explore the technology choices available to support this strategy
  • Discover how to share security responsibilities across multiple teams or roles
  • Learn how to architect Kubernetes security and observability for multicloud and hybrid environments

Publisher resources

View/Submit Errata

Table of contents

  1. Preface
    1. The Stages of Kubernetes Adoption
    2. Who This Book Is For
      1. The Platform Team
      2. The Networking Team
      3. The Security Team
      4. The Compliance Team
      5. The Operations Team
    3. What You Will Learn
    4. Conventions Used in This Book
    5. Using Code Examples
    6. O’Reilly Online Learning
    7. How to Contact Us
    8. Acknowledgments
  2. 1. Security and Observability Strategy
    1. Security for Kubernetes: A New and Different World
    2. Deploying a Workload in Kubernetes: Security at Each Stage
      1. Build-Time Security: Shift Left
      2. Deploy-Time Security
      3. Runtime Security
      4. Observability
      5. Security Frameworks
    3. Security and Observability
    4. Conclusion
  3. 2. Infrastructure Security
    1. Host Hardening
      1. Choice of Operating System
      2. Nonessential Processes
      3. Host-Based Firewalling
      4. Always Research the Latest Best Practices
    2. Cluster Hardening
      1. Secure the Kubernetes Datastore
      2. Secure the Kubernetes API Server
      3. Encrypt Kubernetes Secrets at Rest
      4. Rotate Credentials Frequently
      5. Authentication and RBAC
      6. Restricting Cloud Metadata API Access
      7. Enable Auditing
      8. Restrict Access to Alpha or Beta Features
      9. Upgrade Kubernetes Frequently
    3. Use a Managed Kubernetes Service
      1. CIS Benchmarks
      2. Network Security
    4. Conclusion
  4. 3. Workload Deployment Controls
    1. Image Building and Scanning
      1. Choice of a Base Image
      2. Container Image Hardening
      3. Container Image Scanning Solution
      4. Privacy Concerns
      5. Container Threat Analysis
    2. CI/CD
      1. Scan Images by Registry Scanning Services
      2. Scan Images After Builds
      3. Inline Image Scanning
      4. Kubernetes Admission Controller
      5. Securing the CI/CD Pipeline
    3. Organization Policy
      1. Secrets Management
      2. etcd to Store Secrets
      3. Secrets Management Service
      4. Kubernetes Secrets Store CSI Driver
      5. Secrets Management Best Practices
    4. Authentication
      1. X509 Client Certificates
      2. Bearer Token
      3. OIDC Tokens
      4. Authentication Proxy
      5. Anonymous Requests
      6. User Impersonation
    5. Authorization
      1. Node
      2. ABAC
      3. AlwaysDeny/AlwaysAllow
      4. RBAC
      5. Namespaced RBAC
      6. Privilege Escalation Mitigation
    6. Conclusion
  5. 4. Workload Runtime Security
    1. Pod Security Policies
      1. Using Pod Security Policies
      2. Pod Security Policy Capabilities
      3. Pod Security Context
      4. Limitations of PSPs
      5. Process Monitoring
      6. Kubernetes Native Monitoring
      7. Seccomp
      8. SELinux
      9. AppArmor
      10. Sysctl
    2. Conclusion
  6. 5. Observability
    1. Monitoring
    2. Observability
      1. How Observability Works for Kubernetes
      2. Implementing Observability for Kubernetes
      3. Linux Kernel Tools
    3. Observability Components
    4. Aggregation and Correlation
    5. Visualization
      1. Service Graph
      2. Visualization of Network Flows
    6. Analytics and Troubleshooting
      1. Distributed Tracing
      2. Packet Capture
    7. Conclusion
  7. 6. Observability and Security
    1. Alerting
      1. Machine Learning
      2. Examples of Machine Learning Jobs
    2. Security Operations Center
    3. User and Entity Behavior Analytics
    4. Conclusion
  8. 7. Network Policy
    1. What Is Network Policy?
    2. Why Is Network Policy Important?
    3. Network Policy Implementations
    4. Network Policy Best Practices
      1. Ingress and Egress
      2. Not Just Mission-Critical Workloads
      3. Policy and Label Schemas
      4. Default Deny and Default App Policy
    5. Policy Tooling
      1. Development Processes and Microservices Benefits
      2. Policy Recommendations
      3. Policy Impact Previews
      4. Policy Staging and Audit Modes
    6. Conclusion
  9. 8. Managing Trust Across Teams
    1. Role-Based Access Control
      1. Limitations with Kubernetes Network Policies
      2. Richer Network Policy Implementations
      3. Admission Controllers
    2. Conclusion
  10. 9. Exposing Services to External Clients
    1. Understanding Direct Pod Connections
    2. Understanding Kubernetes Services
      1. Cluster IP Services
      2. Node Port Services
      3. Load Balancer Services
      4. externalTrafficPolicy:local
      5. Network Policy Extensions
      6. Alternatives to kube-proxy
      7. Direct Server Return
      8. Limiting Service External IPs
      9. Advertising Service IPs
      10. Understanding Kubernetes Ingress
    3. Conclusion
  11. 10. Encryption of Data in Transit
    1. Building Encryption into Your Code
    2. Sidecar or Service Mesh Encryption
    3. Network-Layer Encryption
    4. Conclusion
  12. 11. Threat Defense and Intrusion Detection
    1. Threat Defense for Kubernetes (Stages of an Attack)
    2. Intrusion Detection
      1. Intrusion Detection Systems
      2. IP Address and Domain Name Threat Feeds
      3. Special Considerations for Domain Name Feeds
    3. Advanced Threat Defense Techniques
      1. Canary Pods/Resources
      2. DNS-Based Attacks and Defense
    4. Conclusion
  13. Conclusion
  14. Index

Product information

  • Title: Kubernetes Security and Observability
  • Author(s): Brendan Creane, Amit Gupta
  • Release date: November 2021
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9781098107109