Learn Kubernetes Security: Securely orchestrate, scale, and manage your microservices in Kubernetes deployments

โœ Scribed by Kaizhe Huang; Pranjal Jumde


Publisher
Packt Publishing Ltd
Year
2020
Language
English
Pages
331
Category
Library


Synopsis


Secure your container environment against cyberattacks and deliver robust deployments with this practical guide.

Key Features
* Explore a variety of Kubernetes components that help you to prevent cyberattacks
* Perform effective resource management and monitoring with Prometheus and built-in Kubernetes tools
* Learn techniques to prevent attackers from compromising applications and accessing resources for crypto-coin mining

Book Description
Kubernetes is an open source orchestration platform for managing containerized applications. Despite widespread adoption of the technology, DevOps engineers might be unaware of the pitfalls of containerized environments. With this comprehensive book, you'll learn how to use the different security integrations available on the Kubernetes platform to safeguard your deployments in a variety of scenarios.

Learn Kubernetes Security starts by taking you through the Kubernetes architecture and the networking model. You'll then learn about the Kubernetes threat model and get to grips with securing clusters. Throughout the book, you'll cover various security aspects such as authentication, authorization, image scanning, and resource monitoring. As you advance, you'll learn about securing cluster components (the kube-apiserver, CoreDNS, and kubelet) and pods (hardening image, security context, and PodSecurityPolicy). With the help of hands-on examples, you'll also learn how to use open source tools such as Anchore, Prometheus, OPA, and Falco to protect your deployments.

By the end of this Kubernetes book, you'll have gained a solid understanding of container security and be able to protect your clusters from cyberattacks and mitigate cybersecurity threats.

What you will learn
* Understand the basics of Kubernetes architecture and networking
* Gain insights into different security integrations provided by the Kubernetes platform
* Delve into Kubernetes' threat modeling and security domains
* Explore different security configurations from a variety of practical examples
* Get to grips with using and deploying open source tools to protect your deployments
* Discover techniques to mitigate or prevent known Kubernetes hacks

Who this book is for
This book is for security consultants, cloud administrators, system administrators, and DevOps engineers interested in securing their container deployments. If you're looking to secure your Kubernetes clusters and cloud-based deployments, you'll find this book useful. A basic understanding of cloud computing and containerization is necessary to make the most of this book.

Table of Contents


Cover
Title Page
Copyright and Credits
Dedication
About Packt
Foreword
Contributors
Table of Contents
Preface
Section 1: Introduction to Kubernetes
Chapter 1: Kubernetes Architecture
The rise of Docker and the trend of microservices
Kubernetes adoption status
Kubernetes clusters
Kubernetes components
The Kubernetes interfaces
Kubernetes objects
Pods
Deployments
Services
Replica sets
Volumes
Namespaces
Service accounts
Network policies
Pod security policies
Kubernetes variations
Minikube
K3s
OpenShift
Kubernetes and cloud providers
Kubernetes as a service
Kops
Why worry about Kubernetes' security?
Summary
Questions
Further reading
Chapter 2: Kubernetes Networking
Overview of the Kubernetes network model
Port-sharing problems
Kubernetes network model
Communicating inside a pod
Linux namespaces and the pause container
Beyond network communication
Communicating between pods
The Kubernetes service
kube-proxy
Introducing the Kubernetes service
Service discovery
Service types
Ingress for routing external requests
Introducing the CNI and CNI plugins
CNI specification and plugins
Calico
Wrapping up
Summary
Questions
Further reading
Chapter 3: Threat Modeling
Introduction to threat modeling
Component interactions
Threat actors in Kubernetes environments
Threats in Kubernetes clusters
Threat modeling application in Kubernetes
Summary
Questions
Further reading
Chapter 4: Applying the Principle of Least Privilege in Kubernetes
The principle of least privilege
Authorization model
Rewards of the principle of least privilege
Least privilege of Kubernetes subjects
Introduction to RBAC
Service accounts, users, and groups
Role
RoleBinding
Kubernetes namespaces
Wrapping up least privilege for Kubernetes subjects
Least privilege for Kubernetes workloads
Least privilege for accessing system resources
Wrapping up least privilege for accessing system resources
Least privilege for accessing network resources
Least privilege for accessing application resources
Summary
Questions
Further reading
Chapter 5: Configuring Kubernetes Security Boundaries
Introduction to security boundaries
Security boundaries versus trust boundaries
Kubernetes security domains
Kubernetes entities as security boundaries
Security boundaries in the system layer
Linux namespaces as security boundaries
Linux capabilities as security boundaries
Wrapping up security boundaries in the system layer
Security boundaries in the network layer
Network policies
Summary
Questions
Further references
Section 2: Securing Kubernetes Deployments and Clusters
Chapter 6: Securing Cluster Components
Securing kube-apiserver
Securing kubelet
Securing etcd
Securing kube-scheduler
Securing kube-controller-manager
Securing CoreDNS
Benchmarking a cluster's security configuration
Summary
Questions
Further reading
Chapter 7: Authentication, Authorization, and Admission Control
Requesting a workflow in Kubernetes
Kubernetes authentication
Client certificates
Static tokens
Basic authentication
Bootstrap tokens
Service account tokens
Webhook tokens
Authentication proxy
User impersonation
Kubernetes authorization
Request attributes
Authorization modes
Node
ABAC
RBAC
Webhooks
Admission controllers
AlwaysPullImages
EventRateLimit
LimitRanger
NodeRestriction
PersistentVolumeClaimResize
PodSecurityPolicy
SecurityContextDeny
ServiceAccount
MutatingAdmissionWebhook and ValidatingAdmissionWebhook
Introduction to OPA
Summary
Questions
Further reading
Chapter 8: Securing Kubernetes Pods
Hardening container images
Container images and Dockerfiles
CIS Docker benchmarks
Configuring the security attributes of pods
Setting host-level namespaces for pods
Security context for containers
Security context for pods
AppArmor profiles
The power of PodSecurityPolicy
Understanding PodSecurityPolicy
Kubernetes PodSecurityPolicy Advisor
Summary
Questions
Further reading
Chapter 9: Image Scanning in DevOps Pipelines
Introducing container images and vulnerabilities
Container images
Detecting known vulnerabilities
Scanning images with Anchore Engine
Introduction to Anchore Engine
Scanning images with anchore-cli
Integrating image scanning into the CI/CD pipeline
Scanning at the build stage
Scanning at the deployment stage
Scanning at the runtime stage
Summary
Questions
Further references
Chapter 10: Real-Time Monitoring and Resource Management of a Kubernetes Cluster
Real-time monitoring and management in monolith environments
Managing resources in Kubernetes
Resource requests and limits
Namespace resource quotas
LimitRanger
Monitoring resources in Kubernetes
Built-in monitors
Third-party monitoring tools
Prometheus and Grafana
Summary
Questions
Further references
Chapter 11: Defense in Depth
Introducing Kubernetes auditing
Kubernetes audit policy
Configuring the audit backend
Enabling high availability in a Kubernetes cluster
Enabling high availability of Kubernetes workloads
Enabling high availability of Kubernetes components
Enabling high availability of a cloud infrastructure
Managing secrets with Vault
Setting up Vault
Provisioning and rotating secrets
Detecting anomalies with Falco
An overview of Falco
Creating Falco rules to detect anomalies
Conducting forensics with Sysdig Inspect and CRIU
Using CRIU to collect data
Using Sysdig and Sysdig Inspect
Summary
Questions
Further references
Section 3: Learning from Mistakes and Pitfalls
Chapter 12: Analyzing and Detecting Crypto-Mining Attacks
Analyzing crypto-mining attacks
An introduction to crypto-mining attacks
The crypto-mining attack on Tesla's Kubernetes cluster
Graboid – a crypto-worm attack
Lessons learned
Detecting crypto-mining attacks
Monitoring CPU utilization
Detecting network traffic to a mining pool
Detecting launched crypto-mining processes
Checking the binary signature
Defending against attacks
Securing Kubernetes cluster provisioning
Securing the build
Securing deployment
Securing runtime
Summary
Questions
Further reading
Chapter 13: Learning from Kubernetes CVEs
The path traversal issue in kubectl cp – CVE-2019-11246
Mitigation strategy
DoS issues in JSON parsing – CVE-2019-1002100
Mitigation strategy
A DoS issue in YAML parsing – CVE-2019-11253
Mitigation strategy
The privilege escalation issue in role parsing – CVE-2019-11247
Mitigation strategy
Scanning for known vulnerabilities using kube-hunter
Summary
Questions
Further references
Assessments
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
Other Books You May Enjoy
Leave a review - let other readers know what you think
Index
