Chapter 6. Observability and Security
This chapter will explain how an observability platform can help improve the security of your Kubernetes cluster. We will cover the following topics:
- Alerting
- In Chapter 5 we covered best practices for implementing log collection. In this chapter, we will focus on how to build a system that helps generate high-fidelity alerts. We will also discuss the use of machine learning for anomaly detection.
- Security operations center
- We will review a reference implementation of a security operations center (SOC) and how observability can help you build an SOC for your Kubernetes cluster.
- Behavioral analytics
- We will cover the concept of user and entity behavior analytics (UEBA) and how to implement it in your Kubernetes cluster.
Alerting
In the previous chapter we discussed how to implement logging for your Kubernetes cluster. An effective alerting system must include the following:
The system should be able to automatically run queries across various log data sources (e.g., Kubernetes activity logs, network logs, application logs, DNS logs, etc.).
The system must be able to support a state machine that is used to generate events for a specified number of threshold violations in a specified duration. The system must also support setting a time period for the query (known as lookback). We will cover an example in the next section.
The system must be able to export actionable alerts to external security, information, and event management (SIEM) so ...
Get Kubernetes Security and Observability now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
