Learn Kubernetes Security
by Kaizhe Huang, Pranjal Jumde, Loris Degioanni
Table of Contents
Why subscribe?
Foreword
Contributors
About the authors
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Code in Action
Download the color images
Conventions used
Get in touch
Reviews
Section 1: Introduction to Kubernetes
Chapter 1: Kubernetes Architecture
The rise of Docker and the trend of microservices
Kubernetes adoption status
Kubernetes clusters
Kubernetes components
The Kubernetes interfaces
Kubernetes objects
Pods
Deployments
Services
Replica sets
Volumes
Namespaces
Service accounts
Network policies
Pod security policies
Kubernetes variations
Minikube
K3s
OpenShift
Kubernetes and cloud providers
Kubernetes as a service
Kops
Why worry about Kubernetes' security?
Summary
Questions
Further reading
Chapter 2: Kubernetes Networking
Overview of the Kubernetes network model
Port-sharing problems
Kubernetes network model
Communicating inside a pod
Linux namespaces and the pause container
Beyond network communication
Communicating between pods
The Kubernetes service
kube-proxy
Introducing the Kubernetes service
Service discovery
Service types
Ingress for routing external requests
Introducing the CNI and CNI plugins
CNI specification and plugins
Calico
Wrapping up
Summary
Questions
Further reading
Chapter 3: Threat Modeling
Introduction to threat modeling
Component interactions
Threat actors in Kubernetes environments
Threats in Kubernetes clusters
Threat modeling application in Kubernetes
Summary
Questions
Further reading
Chapter 4: Applying the Principle of Least Privilege in Kubernetes
The principle of least privilege
Authorization model
Rewards of the principle of least privilege
Least privilege of Kubernetes subjects
Introduction to RBAC
Service accounts, users, and groups
Role
RoleBinding
Kubernetes namespaces
Wrapping up least privilege for Kubernetes subjects
Least privilege for Kubernetes workloads
Least privilege for accessing system resources
Wrapping up least privilege for accessing system resources
Least privilege for accessing network resources
Least privilege for accessing application resources
Summary
Questions
Further reading
Chapter 5: Configuring Kubernetes Security Boundaries
Introduction to security boundaries
Security boundaries versus trust boundaries
Kubernetes security domains
Kubernetes entities as security boundaries
Security boundaries in the system layer
Linux namespaces as security boundaries
Linux capabilities as security boundaries
Wrapping up security boundaries in the system layer
Security boundaries in the network layer
Network policies
Summary
Questions
Further references
Section 2: Securing Kubernetes Deployments and Clusters
Chapter 6: Securing Cluster Components
Securing kube-apiserver
Securing kubelet
Securing etcd
Securing kube-scheduler
Securing kube-controller-manager
Securing CoreDNS
Benchmarking a cluster's security configuration
Summary
Questions
Further reading
Chapter 7: Authentication, Authorization, and Admission Control
Requesting a workflow in Kubernetes
Kubernetes authentication
Client certificates
Static tokens
Basic authentication
Bootstrap tokens
Service account tokens
Webhook tokens
Authentication proxy
User impersonation
Kubernetes authorization
Request attributes
Authorization modes
Node
ABAC
RBAC
Webhooks
Admission controllers
AlwaysPullImages
EventRateLimit
LimitRanger
NodeRestriction
PersistentVolumeClaimResize
PodSecurityPolicy
SecurityContextDeny
ServiceAccount
MutatingAdmissionWebhook and ValidatingAdmissionWebhook
Introduction to OPA
Summary
Questions
Further reading
Chapter 8: Securing Kubernetes Pods
Hardening container images
Container images and Dockerfiles
CIS Docker benchmarks
Configuring the security attributes of pods
Setting host-level namespaces for pods
Security context for containers
Security context for pods
AppArmor profiles
The power of PodSecurityPolicy
Understanding PodSecurityPolicy
Kubernetes PodSecurityPolicy Advisor
Summary
Questions
Further reading
Chapter 9: Image Scanning in DevOps Pipelines
Introducing container images and vulnerabilities
Container images
Detecting known vulnerabilities
Scanning images with Anchore Engine
Introduction to Anchore Engine
Scanning images with anchore-cli
Integrating image scanning into the CI/CD pipeline
Scanning at the build stage
Scanning at the deployment stage
Scanning at the runtime stage
Summary
Questions
Further references
Chapter 10: Real-Time Monitoring and Resource Management of a Kubernetes Cluster
Real-time monitoring and management in monolith environments
Managing resources in Kubernetes
Resource requests and limits
Namespace resource quotas
LimitRanger
Monitoring resources in Kubernetes
Built-in monitors
Third-party monitoring tools
Prometheus and Grafana
Summary
Questions
Further references
Chapter 11: Defense in Depth
Introducing Kubernetes auditing
Kubernetes audit policy
Configuring the audit backend
Enabling high availability in a Kubernetes cluster
Enabling high availability of Kubernetes workloads
Enabling high availability of Kubernetes components
Enabling high availability of a cloud infrastructure
Managing secrets with Vault
Setting up Vault
Provisioning and rotating secrets
Detecting anomalies with Falco
An overview of Falco
Creating Falco rules to detect anomalies
Conducting forensics with Sysdig Inspect and CRIU
Using CRIU to collect data
Using Sysdig and Sysdig Inspect
Summary
Questions
Further references
Section 3: Learning from Mistakes and Pitfalls
Chapter 12: Analyzing and Detecting Crypto-Mining Attacks
Analyzing crypto-mining attacks
An introduction to crypto-mining attacks
The crypto-mining attack on Tesla's Kubernetes cluster
Graboid – a crypto-worm attack
Lessons learned
Detecting crypto-mining attacks
Monitoring CPU utilization
Detecting network traffic to a mining pool
Detecting launched crypto-mining processes
Checking the binary signature
Defending against attacks
Securing Kubernetes cluster provisioning
Securing the build
Securing deployment
Securing runtime
Summary
Questions
Further reading
Chapter 13: Learning from Kubernetes CVEs
The path traversal issue in kubectl cp – CVE-2019-11246
Mitigation strategy
DoS issues in JSON parsing – CVE-2019-1002100
Mitigation strategy
A DoS issue in YAML parsing – CVE-2019-11253
Mitigation strategy
The privilege escalation issue in role parsing – CVE-2019-11247
Mitigation strategy
Scanning for known vulnerabilities using kube-hunter
Summary
Questions
Further references
Assessments
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
Other Books You May Enjoy
Leave a review - let other readers know what you think