This practical book introduces new cloud native approaches for Kubernetes practitioners, like yourself, who care about the security and observability of mission-critical microservices. Through practical guidance and best practice recommendations, this book helps you understand why cloud native applications require a modern approach to security and observability practices and how to implement them.

Do you want to know how to secure and troubleshoot your cloud native applications? Or are you part of a group that wants to solve security and observability challenges before fully adopting Kubernetes in your organization? This book takes you through the full breadth of new cloud native approaches for establishing security and observability with Kubernetes.

  • Learn why you need a security and observability strategy for cloud native applications and determine your scope of coverage
  • Understand key concepts behind Kubernetes's security and observability approach
  • Explore the technology choices you can make to meet each aspect of this strategy
  • Discover how to split security responsibilities across multiple teams or roles
  • Learn ways to architect Kubernetes security and observability for multicloud and hybrid environments

Table of Contents

  1. Preface
    1. The Stages of Kubernetes Adoption
    2. Who This Book Is For
    3. The Platform team
    4. The Networking team
    5. The Security team
    6. The Compliance team
    7. The Operations team
    8. What You Will Learn
  2. 1. Security Strategy
    1. Security for Kubernetes - a new and different world
    2. Deploying a workload in Kubernetes - Security at each stage
    3. Build Time Security: Shift Left
    4. Deploy Time Security
    5. Runtime Security
    6. Security Frameworks
    7. MITRE
    8. Threat Matrix for Kubernetes
    9. Conclusion
  3. 2. Infrastructure Security
    1. Host hardening
    2. Choice of operating system
    3. Non-essential processes
    4. Host based firewalling
    5. Always research the latest best practices
    6. Cluster hardening
    7. Secure the Kubernetes datastore
    8. Secure the Kubernetes API server
    9. Encrypt Kubernetes secrets at rest
    10. Rotate credentials frequently
    11. Authentication & RBAC
    12. Restricting cloud metadata API access
    13. Enable auditing
    14. Restrict access to alpha or beta features
    15. Upgrade Kubernetes frequently
    16. Use a managed Kubernetes service
    17. CIS Benchmarks
    18. Network security
    19. Conclusion
  4. 3. Workload Deployment Controls
    1. Image building and scanning
    2. Choice of a base image
    3. Container image hardening
    4. Container image scanning solution
    5. Privacy concerns
    6. Container threat analysis
    7. CI/CD
    8. Scan images by registry scanning services
    9. Scan images after builds
    10. Inline image scanning
    11. Kubernetes admission controller
    12. Securing CI/CD pipeline
    13. Organization policy
    14. Secrets management
    15. etcd to store secrets
    16. Secret management service
    17. Kubernetes secrets store CSI driver
    18. Secrets management best practices
    19. Authentication
    20. Authorization
    21. Conclusion
  5. 4. Workload Runtime Security
    1. Pod Security Policies (PSPs)
    2. Using Pod Security Policies
    3. Pod Security Policy capabilities
    4. Pod security context
    5. Limitation of PSPs
    6. Process monitoring
    7. Kubernetes native monitoring
    8. Seccomp
    9. SELinux
    10. AppArmor
    11. Sysctl
    12. Conclusion
  6. 5. Network Policy
    1. What is network policy?
    2. Why is network policy important?
    3. Network policy implementations
    4. Network policy best practices
    5. Ingress and egress
    6. Not just mission critical workloads
    7. Policy and label schemas
    8. Default deny and default app policy
    9. Policy tooling
    10. Development processes & microservices benefits
    11. Policy recommendations
    12. Policy impact previews
    13. Policy staging / audit modes
    14. Conclusion
  7. 6. Managing Trust Across Teams
    1. Role based access control
    2. Limitations with Kubernetes network policies
    3. Richer network policy implementations
    4. Admission controllers
    5. Conclusion
  8. 7. Exposing Services to External Clients
    1. Understanding direct pod connections
    2. Understanding Kubernetes Services
    3. Cluster IP services
    4. Node port services
    5. Load Balancer Services
    6. externalTrafficPolicy:local
    7. Network policy extensions
    8. Alternatives to kube-proxy
    9. Direct Server Return
    10. Limiting service external IPs
    11. Advertising service IPs
    12. Understanding Kubernetes Ingress
    13. In-cluster ingress solutions
    14. External ingress solutions
    15. Conclusion
  9. 8. Encryption of Data in Transit
    1. Building encryption into your code
    2. Side-car or service mesh encryption
    3. Network layer encryption
    4. Conclusion