Book Description

Secure your container environment against cyberattacks and deliver robust deployments with this practical guide

Key Features

  • Explore a variety of Kubernetes components that help you to prevent cyberattacks
  • Perform effective resource management and monitoring with Prometheus and built-in Kubernetes tools
  • Learn techniques to prevent attackers from compromising applications and accessing resources for crypto-coin mining

Book Description

Kubernetes is an open source orchestration platform for managing containerized applications. Despite widespread adoption of the technology, DevOps engineers might be unaware of the pitfalls of containerized environments. With this comprehensive book, you'll learn how to use the different security integrations available on the Kubernetes platform to safeguard your deployments in a variety of scenarios.

Learn Kubernetes Security starts by taking you through the Kubernetes architecture and the networking model. You'll then learn about the Kubernetes threat model and get to grips with securing clusters. Throughout the book, you'll cover various security aspects such as authentication, authorization, image scanning, and resource monitoring. As you advance, you'll learn about securing cluster components (the kube-apiserver, CoreDNS, and kubelet) and pods (hardening image, security context, and PodSecurityPolicy). With the help of hands-on examples, you'll also learn how to use open source tools such as Anchore, Prometheus, OPA, and Falco to protect your deployments.

By the end of this Kubernetes book, you'll have gained a solid understanding of container security and be able to protect your clusters from cyberattacks and mitigate cybersecurity threats.

What you will learn

  • Understand the basics of Kubernetes architecture and networking
  • Gain insights into different security integrations provided by the Kubernetes platform
  • Delve into Kubernetes' threat modeling and security domains
  • Explore different security configurations from a variety of practical examples
  • Get to grips with using and deploying open source tools to protect your deployments
  • Discover techniques to mitigate or prevent known Kubernetes hacks

Who this book is for

This book is for security consultants, cloud administrators, system administrators, and DevOps engineers interested in securing their container deployments. If you're looking to secure your Kubernetes clusters and cloud-based deployments, you'll find this book useful. A basic understanding of cloud computing and containerization is necessary to make the most of this book.

Table of Contents

  1. Learn Kubernetes Security
  2. Why subscribe?
  3. Foreword
  4. Contributors
  5. About the authors
  6. About the reviewer
  7. Packt is searching for authors like you
  8. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the example code files
    5. Code in Action
    6. Download the color images
    7. Conventions used
    8. Get in touch
    9. Reviews
  9. Section 1: Introduction to Kubernetes
  10. Chapter 1: Kubernetes Architecture
    1. The rise of Docker and the trend of microservices
      1. Kubernetes adoption status
      2. Kubernetes clusters
    2. Kubernetes components
      1. The Kubernetes interfaces
    3. Kubernetes objects
      1. Pods
      2. Deployments
      3. Services
      4. Replica sets
      5. Volumes
      6. Namespaces
      7. Service accounts
      8. Network policies
      9. Pod security policies
    4. Kubernetes variations
      1. Minikube
      2. K3s
      3. OpenShift
    5. Kubernetes and cloud providers
      1. Kubernetes as a service
      2. Kops
      3. Why worry about Kubernetes' security?
    6. Summary
    7. Questions
    8. Further reading
  11. Chapter 2: Kubernetes Networking
    1. Overview of the Kubernetes network model
      1. Port-sharing problems
      2. Kubernetes network model
    2. Communicating inside a pod
      1. Linux namespaces and the pause container
      2. Beyond network communication
    3. Communicating between pods
      1. The Kubernetes service
      2. kube-proxy
    4. Introducing the Kubernetes service
      1. Service discovery
      2. Service types
      3. Ingress for routing external requests
    5. Introducing the CNI and CNI plugins
      1. CNI specification and plugins
      2. Calico
      3. Wrapping up
    6. Summary
    7. Questions
    8. Further reading
  12. Chapter 3: Threat Modeling
    1. Introduction to threat modeling
    2. Component interactions
    3. Threat actors in Kubernetes environments
    4. Threats in Kubernetes clusters
    5. Threat modeling application in Kubernetes
    6. Summary
    7. Questions
    8. Further reading
  13. Chapter 4: Applying the Principle of Least Privilege in Kubernetes
    1. The principle of least privilege
      1. Authorization model
      2. Rewards of the principle of least privilege
    2. Least privilege of Kubernetes subjects
      1. Introduction to RBAC
      2. Service accounts, users, and groups
      3. Role
      4. RoleBinding
      5. Kubernetes namespaces
      6. Wrapping up least privilege for Kubernetes subjects
    3. Least privilege for Kubernetes workloads
      1. Least privilege for accessing system resources
      2. Wrapping up least privilege for accessing system resources
      3. Least privilege for accessing network resources
      4. Least privilege for accessing application resources
    4. Summary
    5. Questions
    6. Further reading
  14. Chapter 5: Configuring Kubernetes Security Boundaries
    1. Introduction to security boundaries
    2. Security boundaries versus trust boundaries
    3. Kubernetes security domains
    4. Kubernetes entities as security boundaries
    5. Security boundaries in the system layer
      1. Linux namespaces as security boundaries
      2. Linux capabilities as security boundaries
      3. Wrapping up security boundaries in the system layer
    6. Security boundaries in the network layer
      1. Network policies
    7. Summary
    8. Questions
    9. Further references
  15. Section 2: Securing Kubernetes Deployments and Clusters
  16. Chapter 6: Securing Cluster Components
    1. Securing kube-apiserver
    2. Securing kubelet
    3. Securing etcd
    4. Securing kube-scheduler
    5. Securing kube-controller-manager
    6. Securing CoreDNS
    7. Benchmarking a cluster's security configuration
    8. Summary
    9. Questions
    10. Further reading
  17. Chapter 7: Authentication, Authorization, and Admission Control
    1. Requesting a workflow in Kubernetes
    2. Kubernetes authentication
      1. Client certificates
      2. Static tokens
      3. Basic authentication
      4. Bootstrap tokens
      5. Service account tokens
      6. Webhook tokens
      7. Authentication proxy
      8. User impersonation
    3. Kubernetes authorization
      1. Request attributes
      2. Authorization modes
      3. Node
      4. ABAC
      5. RBAC
      6. Webhooks
    4. Admission controllers
      1. AlwaysPullImages
      2. EventRateLimit
      3. LimitRanger
      4. NodeRestriction
      5. PersistentVolumeClaimResize
      6. PodSecurityPolicy
      7. SecurityContextDeny
      8. ServiceAccount
      9. MutatingAdmissionWebhook and ValidatingAdmissionWebhook
    5. Introduction to OPA
    6. Summary
    7. Questions
    8. Further reading
  18. Chapter 8: Securing Kubernetes Pods
    1. Hardening container images
      1. Container images and Dockerfiles
      2. CIS Docker benchmarks
    2. Configuring the security attributes of pods
      1. Setting host-level namespaces for pods
      2. Security context for containers
      3. Security context for pods
      4. AppArmor profiles
    3. The power of PodSecurityPolicy
      1. Understanding PodSecurityPolicy
      2. Kubernetes PodSecurityPolicy Advisor
    4. Summary
    5. Questions
    6. Further reading
  19. Chapter 9: Image Scanning in DevOps Pipelines
    1. Introducing container images and vulnerabilities
      1. Container images
      2. Detecting known vulnerabilities
    2. Scanning images with Anchore Engine
      1. Introduction to Anchore Engine
      2. Scanning images with anchore-cli
    3. Integrating image scanning into the CI/CD pipeline
      1. Scanning at the build stage
      2. Scanning at the deployment stage
      3. Scanning at the runtime stage
    4. Summary
    5. Questions
    6. Further references
  20. Chapter 10: Real-Time Monitoring and Resource Management of a Kubernetes Cluster
    1. Real-time monitoring and management in monolith environments
    2. Managing resources in Kubernetes
      1. Resource requests and limits
      2. Namespace resource quotas
      3. LimitRanger
    3. Monitoring resources in Kubernetes
      1. Built-in monitors
      2. Third-party monitoring tools
      3. Prometheus and Grafana
    4. Summary
    5. Questions
    6. Further references
  21. Chapter 11: Defense in Depth
    1. Introducing Kubernetes auditing
      1. Kubernetes audit policy
      2. Configuring the audit backend
    2. Enabling high availability in a Kubernetes cluster
      1. Enabling high availability of Kubernetes workloads
      2. Enabling high availability of Kubernetes components
      3. Enabling high availability of a cloud infrastructure
    3. Managing secrets with Vault
      1. Setting up Vault
      2. Provisioning and rotating secrets
    4. Detecting anomalies with Falco
      1. An overview of Falco
      2. Creating Falco rules to detect anomalies
    5. Conducting forensics with Sysdig Inspect and CRIU
      1. Using CRIU to collect data
      2. Using Sysdig and Sysdig Inspect
    6. Summary
    7. Questions
    8. Further references
  22. Section 3: Learning from Mistakes and Pitfalls
  23. Chapter 12: Analyzing and Detecting Crypto-Mining Attacks
    1. Analyzing crypto-mining attacks
      1. An introduction to crypto-mining attacks
      2. The crypto-mining attack on Tesla's Kubernetes cluster
      3. Graboid – a crypto-worm attack
      4. Lessons learned
    2. Detecting crypto-mining attacks
      1. Monitoring CPU utilization
      2. Detecting network traffic to a mining pool
      3. Detecting launched crypto-mining processes
      4. Checking the binary signature
    3. Defending against attacks
      1. Securing Kubernetes cluster provisioning
      2. Securing the build
      3. Securing deployment
      4. Securing runtime
    4. Summary
    5. Questions
    6. Further reading
  24. Chapter 13: Learning from Kubernetes CVEs
    1. The path traversal issue in kubectl cp – CVE-2019-11246
      1. Mitigation strategy
    2. DoS issues in JSON parsing – CVE-2019-1002100
      1. Mitigation strategy
    3. A DoS issue in YAML parsing – CVE-2019-11253
      1. Mitigation strategy
    4. The privilege escalation issue in role parsing – CVE-2019-11247
      1. Mitigation strategy
    5. Scanning for known vulnerabilities using kube-hunter
    6. Summary
    7. Questions
    8. Further references
  25. Assessments
    1. Chapter 1
    2. Chapter 2
    3. Chapter 3
    4. Chapter 4
    5. Chapter 5
    6. Chapter 6
    7. Chapter 7
    8. Chapter 8
    9. Chapter 9
    10. Chapter 10
    11. Chapter 11
    12. Chapter 12
    13. Chapter 13
  26. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think