book

Kubernetes Security and Observability

by Brendan Creane, Amit Gupta

October 2021

Intermediate to advanced

192 pages

5h 59m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
The Stages of Kubernetes AdoptionWho This Book Is ForThe Platform TeamThe Networking TeamThe Security TeamThe Compliance TeamThe Operations TeamWhat You Will LearnConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
1. Security and Observability Strategy
Security for Kubernetes: A New and Different WorldDeploying a Workload in Kubernetes: Security at Each StageBuild-Time Security: Shift LeftDeploy-Time SecurityRuntime SecurityObservabilitySecurity FrameworksSecurity and ObservabilityConclusion
2. Infrastructure Security
Host HardeningChoice of Operating SystemNonessential ProcessesHost-Based FirewallingAlways Research the Latest Best PracticesCluster HardeningSecure the Kubernetes DatastoreSecure the Kubernetes API ServerEncrypt Kubernetes Secrets at RestRotate Credentials FrequentlyAuthentication and RBACRestricting Cloud Metadata API AccessEnable AuditingRestrict Access to Alpha or Beta FeaturesUpgrade Kubernetes FrequentlyUse a Managed Kubernetes ServiceCIS BenchmarksNetwork SecurityConclusion
3. Workload Deployment Controls
Image Building and ScanningChoice of a Base ImageContainer Image HardeningContainer Image Scanning SolutionPrivacy ConcernsContainer Threat AnalysisCI/CDScan Images by Registry Scanning ServicesScan Images After BuildsInline Image ScanningKubernetes Admission ControllerSecuring the CI/CD PipelineOrganization PolicySecrets Managementetcd to Store SecretsSecrets Management ServiceKubernetes Secrets Store CSI DriverSecrets Management Best PracticesAuthenticationX509 Client CertificatesBearer TokenOIDC TokensAuthentication ProxyAnonymous RequestsUser ImpersonationAuthorizationNodeABACAlwaysDeny/AlwaysAllowRBACNamespaced RBACPrivilege Escalation MitigationConclusion
4. Workload Runtime Security
Pod Security PoliciesUsing Pod Security PoliciesPod Security Policy CapabilitiesPod Security ContextLimitations of PSPsProcess MonitoringKubernetes Native MonitoringSeccompSELinuxAppArmorSysctlConclusion
5. Observability
MonitoringObservabilityHow Observability Works for KubernetesImplementing Observability for KubernetesLinux Kernel ToolsObservability ComponentsAggregation and CorrelationVisualizationService GraphVisualization of Network FlowsAnalytics and Troubleshooting Distributed TracingPacket CaptureConclusion
6. Observability and Security
AlertingMachine LearningExamples of Machine Learning JobsSecurity Operations CenterUser and Entity Behavior AnalyticsConclusion
7. Network Policy
What Is Network Policy?Why Is Network Policy Important?Network Policy ImplementationsNetwork Policy Best PracticesIngress and EgressNot Just Mission-Critical WorkloadsPolicy and Label SchemasDefault Deny and Default App PolicyPolicy ToolingDevelopment Processes and Microservices BenefitsPolicy RecommendationsPolicy Impact PreviewsPolicy Staging and Audit ModesConclusion
8. Managing Trust Across Teams
Role-Based Access ControlLimitations with Kubernetes Network PoliciesRicher Network Policy ImplementationsAdmission ControllersConclusion
9. Exposing Services to External Clients
Understanding Direct Pod ConnectionsUnderstanding Kubernetes ServicesCluster IP ServicesNode Port ServicesLoad Balancer ServicesexternalTrafficPolicy:localNetwork Policy ExtensionsAlternatives to kube-proxyDirect Server ReturnLimiting Service External IPsAdvertising Service IPsUnderstanding Kubernetes IngressConclusion

10. Encryption of Data in Transit
Building Encryption into Your CodeSidecar or Service Mesh EncryptionNetwork-Layer EncryptionConclusion
11. Threat Defense and Intrusion Detection
Threat Defense for Kubernetes (Stages of an Attack)Intrusion DetectionIntrusion Detection SystemsIP Address and Domain Name Threat FeedsSpecial Considerations for Domain Name FeedsAdvanced Threat Defense TechniquesCanary Pods/ResourcesDNS-Based Attacks and DefenseConclusion
Conclusion
Index
About the Authors

Content preview from Kubernetes Security and Observability

About the Authors

Brendan Creane is head of engineering at Tigera, where he’s responsible for all engineering operations, including Calico Cloud, Calico Enterprise, and Project Calico. Brendan has several decades of experience building enterprise security, observability, and networking products.

Amit Gupta is vice president of product management and business development at Tigera, where he’s responsible for the strategy and vision of Tigera’s products and leads the delivery of the company’s roadmap. Amit is a hands-on product executive with expertise in building software products and services across various domains, including cloud security, cloud native applications, and public and private cloud infrastructure.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098107093Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Kubernetes Security and Observability

by Brendan Creane, Amit Gupta

About the Authors

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.