Kubernetes Security

Book Description

Kubernetes has fundamentally changed the way DevOps teams create, manage, and operate container-based applications, but as with any production process, you can never provide enough security. This practical ebook walks you through Kubernetes security features—including when to use what—and shows you how to augment those features with container image best practices and secure network communication.

Liz Rice from Aqua Security and Michael Hausenblas from Red Hat not only describe practical security techniques for Kubernetes but also maintain an accompanying website. Developers will learn how to build container images with security in mind, and ops folks will pick up techniques for configuring and operating a Kubernetes cluster more securely.

  • Explore security concepts including defense in depth, least privilege, and limiting the attack surface
  • Safeguard clusters by securing worker nodes and control plane components, such as the API server and the etcd key value store
  • Learn how Kubernetes uses authentication and authorization to grant fine-grained access
  • Secure container images against known vulnerabilities and abuse by third parties
  • Examine security boundaries and policy enforcement features for running containers securely
  • Learn about the options for handling secret information such as credentials
  • Delve into advanced topics such as monitoring, alerting, and auditing, as well as sandboxing and runtime protection

Table of Contents

  Introduction
    1. Why We Wrote This Book
    2. Who Is This Book For?
    3. Which Version of Kubernetes?
    4. A Note on Federation
    5. Acknowledgments
  1. Approaching Kubernetes Security
    1. Security Principles
      1. Defense in Depth
      2. Least Privilege
      3. Limiting the Attack Surface
  2. Securing the Cluster
    1. API Server
    2. Kubelet
      1. Kubelet Certificate Rotation
    3. Running etcd Safely
    4. Kubernetes Dashboard
    5. Validating the Configuration
      1. CIS Security Benchmark
      2. Penetration Testing
  3. Authentication
    1. Identity
    2. Authentication Concepts
    3. Authentication Strategies
    4. Tooling and Good Practices
  4. Authorization
    1. Authorization Concepts
    2. Authorization Modes
    3. Access Control with RBAC
    4. Tooling and Good Practices
  5. Securing Your Container Images
    1. Scanning Container Images
    2. Patching Container Images
    3. CI/CD Best Practices
    4. Image Storage
    5. Correct Image Versions
      1. Running the Correct Version of Container Images
    6. Image Trust and Supply Chain
    7. Minimizing Images to Reduce the Attack Surface
  6. Running Containers Securely
    1. Say No to Root
    2. Admission Control
    3. Security Boundaries
    4. Policies
      1. Security Context and Policies
      2. Network Policies
      3. Example Network Policy
      4. Effective Network Policies
  7. Secrets Management
    1. Applying the Principle of Least Privilege
    2. Secret Encryption
    3. Kubernetes Secret Storage
      1. Storing Secrets in etcd
      2. Storing Secrets in Third-Party Stores
    4. Passing Secrets into Containerized Code
      1. Don't Build Secrets into Images
      2. Passing Secrets as Environment Variables
      3. Passing Secrets in Files
    5. Secret Rotation and Revocation
    6. Secret Access from Within the Container
    7. Secret Access from a Kubelet
  8. Advanced Topics
    1. Monitoring, Alerting, and Auditing
    2. Host Security
      1. Host Operating System
      2. Node Recycling
    3. Sandboxing and Runtime Protection
    4. Multitenancy
    5. Dynamic Admission Control
    6. Network Protection
      1. Service Meshes
    7. Static Analysis of YAML
    8. Fork Bombs and Resource-Based Attacks
    9. Cryptocurrency Mining
    10. Kubernetes Security Updates