Table of contents:

Preface
    The Stages of Kubernetes Adoption
    Who This Book Is For
        The Platform Team
        The Networking Team
        The Security Team
        The Compliance Team
        The Operations Team
    What You Will Learn
    Conventions Used in This Book
    Using Code Examples
    O’Reilly Online Learning
    How to Contact Us
    Acknowledgments

1. Security and Observability Strategy
    Security for Kubernetes: A New and Different World
    Deploying a Workload in Kubernetes: Security at Each Stage
        Build-Time Security: Shift Left
            Image scanning
            Host operating system hardening
            Minimizing the attack surface: Base container images
        Deploy-Time Security
        Runtime Security
            Network security controls
            Enterprise security controls
            Threat defense
    Observability
        Network traffic visibility
        DNS activity logs
        Application traffic visibility
        Kubernetes activity logs
        Machine learning/anomaly detection
    Security Frameworks
        MITRE
        Threat matrix for Kubernetes
    Security and Observability
    Conclusion

2. Infrastructure Security
    Host Hardening
        Choice of Operating System
        Nonessential Processes
        Host-Based Firewalling
        Always Research the Latest Best Practices
    Cluster Hardening
        Secure the Kubernetes Datastore
        Secure the Kubernetes API Server
        Encrypt Kubernetes Secrets at Rest
        Rotate Credentials Frequently
        Authentication and RBAC
        Restricting Cloud Metadata API Access
        Enable Auditing
        Restrict Access to Alpha or Beta Features
        Upgrade Kubernetes Frequently
        Use a Managed Kubernetes Service
        CIS Benchmarks
    Network Security
    Conclusion

3. Workload Deployment Controls
    Image Building and Scanning
        Choice of a Base Image
        Container Image Hardening
        Container Image Scanning Solution
        Privacy Concerns
        Container Threat Analysis
    CI/CD
        Scan Images by Registry Scanning Services
        Scan Images After Builds
        Inline Image Scanning
        Kubernetes Admission Controller
        Securing the CI/CD Pipeline
            Zero-trust policy for CI/CD environment
            Secure secrets
            Access control
            Audit and monitoring
    Organization Policy
    Secrets Management
        etcd to Store Secrets
        Secrets Management Service
        Kubernetes Secrets Store CSI Driver
        Secrets Management Best Practices
            Avoid secrets sprawl
            Use anti-affinity rules
            Data encryption (transit and rest)
            Use automated secret rotation
            Ephemeral or dynamic secret
            Enable audit log
            Store secrets in container memory
            Secret zero problem
            Use your Certificate Authority
    Authentication
        X509 Client Certificates
        Bearer Token
        OIDC Tokens
        Authentication Proxy
        Anonymous Requests
        User Impersonation
    Authorization
        Node
        ABAC
        AlwaysDeny/AlwaysAllow
        RBAC
        Namespaced RBAC
        Privilege Escalation Mitigation
    Conclusion

4. Workload Runtime Security
    Pod Security Policies
        Using Pod Security Policies
        Pod Security Policy Capabilities
        Pod Security Context
        Limitations of PSPs
    Process Monitoring
        Kubernetes Native Monitoring
        Seccomp
        SELinux
        AppArmor
        Sysctl
    Conclusion

5. Observability
    Monitoring
    Observability
    How Observability Works for Kubernetes
    Implementing Observability for Kubernetes
    Linux Kernel Tools
    Observability Components
    Aggregation and Correlation
    Visualization
    Service Graph
    Visualization of Network Flows
    Analytics and Troubleshooting
    Distributed Tracing
    Packet Capture
    Conclusion

6. Observability and Security
    Alerting
    Machine Learning
        Examples of Machine Learning Jobs
    Security Operations Center
    User and Entity Behavior Analytics
    Conclusion

7. Network Policy
    What Is Network Policy?
    Why Is Network Policy Important?
    Network Policy Implementations
    Network Policy Best Practices
        Ingress and Egress
        Not Just Mission-Critical Workloads
        Policy and Label Schemas
        Default Deny and Default App Policy
    Policy Tooling
        Development Processes and Microservices Benefits
        Policy Recommendations
        Policy Impact Previews
        Policy Staging and Audit Modes
    Conclusion

8. Managing Trust Across Teams
    Role-Based Access Control
    Limitations with Kubernetes Network Policies
    Richer Network Policy Implementations
    Admission Controllers
    Conclusion

9. Exposing Services to External Clients
    Understanding Direct Pod Connections
    Understanding Kubernetes Services
        Cluster IP Services
        Node Port Services
        Load Balancer Services
        externalTrafficPolicy:local
        Network Policy Extensions
        Alternatives to kube-proxy
        Direct Server Return
        Limiting Service External IPs
        Advertising Service IPs
    Understanding Kubernetes Ingress
        In-cluster ingress solutions
        External ingress solutions
    Conclusion

10. Encryption of Data in Transit
    Building Encryption into Your Code
    Sidecar or Service Mesh Encryption
    Network-Layer Encryption
    Conclusion

11. Threat Defense and Intrusion Detection
    Threat Defense for Kubernetes (Stages of an Attack)
    Intrusion Detection
        Intrusion Detection Systems
        IP Address and Domain Name Threat Feeds
            Threat feed controller
            Network policy engine
            Log processing engine
        Special Considerations for Domain Name Feeds
        Deep packet inspection
        Logging and visibility
        Advanced Threat Defense Techniques
            Canary Pods/Resources
            DNS-Based Attacks and Defense
    Conclusion

Conclusion

Index