Table of Contents

Preface

Section 1: Introduction to Kubernetes

Chapter 1: Kubernetes Architecture

The rise of Docker and the trend of microservices  4

Kubernetes adoption status  6

Kubernetes clusters  6

Kubernetes components   7

The Kubernetes interfaces  9

Kubernetes objects  9

Pods  10

Deployments  10

Services  10

Replica sets  10

Volumes  10

Namespaces  10

Service accounts  11

Network policies  11

Pod security policies  11

Kubernetes variations  11

Minikube  11

K3s  12

OpenShift  12

Kubernetes and cloud providers  13

Kubernetes as a service  13

Kops  15

Why worry about Kubernetes' security?  16

Summary  18

Questions  18

Further reading  18

Chapter 2: Kubernetes Networking

Overview of the Kubernetes network model  20

Port-sharing problems  20

Kubernetes network model  21

Communicating inside a pod  23

Linux namespaces and the pause container  23

Beyond network communication  25

Communicating between pods  26

The Kubernetes service  26

kube-proxy  26

Introducing the Kubernetes service  30

Service discovery  31

Service types  32

Ingress for routing external requests  32

Introducing the CNI and CNI plugins  35

CNI specification and plugins  35

Calico  38

Wrapping up  39

Summary  41

Questions  41

Further reading  41

Chapter 3: Threat Modeling

Introduction to threat modeling  44

Component interactions  46

Threat actors in Kubernetes environments  50

Threats in Kubernetes clusters  52

Threat modeling application in Kubernetes  55

Summary  57

Questions  58

Further reading  58

Chapter 4: Applying the Principle of Least Privilege in Kubernetes

The principle of least privilege  60

Authorization model  60

Rewards of the principle of least privilege  61

Least privilege of Kubernetes subjects  62

Introduction to RBAC  62

Service accounts, users, and groups  62

Role  63

RoleBinding  64

Kubernetes namespaces  64

Wrapping up least privilege for Kubernetes subjects  66

Least privilege for Kubernetes workloads  67

Least privilege for accessing system resources  67

Wrapping up least privilege for accessing system resources  70

Least privilege for accessing network resources  70

Least privilege for accessing application resources  72

Summary  72

Questions  73

Further reading  73

Chapter 5: Configuring Kubernetes Security Boundaries

Introduction to security boundaries  76

Security boundaries versus trust boundaries  77

Kubernetes security domains  77

Kubernetes entities as security boundaries  78

Security boundaries in the system layer  80

Linux namespaces as security boundaries  80

Linux capabilities as security boundaries  82

Wrapping up security boundaries in the system layer  84

Security boundaries in the network layer  84

Network policies  85

Summary  88

Questions  89

Further references  89

Section 2: Securing Kubernetes Deployments and Clusters

Chapter 6: Securing Cluster Components

Securing kube-apiserver  94

Securing kubelet  98

Securing etcd  99

Securing kube-scheduler  100

Securing kube-controller-manager  101

Securing CoreDNS  102

Benchmarking a cluster's security configuration  103

Summary  105

Questions  105

Further reading  105

Chapter 7: Authentication, Authorization, and Admission Control

Requesting a workflow in Kubernetes  108

Kubernetes authentication  109

Client certificates  109

Static tokens  111

Basic authentication  112

Bootstrap tokens  112

Service account tokens  113

Webhook tokens  114

Authentication proxy  115

User impersonation  115

Kubernetes authorization  116

Request attributes  116

Authorization modes  116

Node  116

ABAC  117

RBAC  118

Webhooks  119

Admission controllers  120

AlwaysPullImages  121

EventRateLimit  121

LimitRanger  121

NodeRestriction  122

PersistentVolumeClaimResize  122

PodSecurityPolicy  122

SecurityContextDeny  123

ServiceAccount  123

MutatingAdmissionWebhook and ValidatingAdmissionWebhook  123

Introduction to OPA  123

Summary  126

Questions  126

Further reading  127

Chapter 8: Securing Kubernetes Pods

Hardening container images  130

Container images and Dockerfiles  130

CIS Docker benchmarks  132

Configuring the security attributes of pods  133

Setting host-level namespaces for pods  134

Security context for containers  135

Security context for pods  137

AppArmor profiles  139

The power of PodSecurityPolicy  141

Understanding PodSecurityPolicy  141

Kubernetes PodSecurityPolicy Advisor  145

Summary  149

Questions  149

Further reading  149

Chapter 9: Image Scanning in DevOps Pipelines

Introducing container images and vulnerabilities  152

Container images  152

Detecting known vulnerabilities  154

Scanning images with Anchore Engine  157

Introduction to Anchore Engine  158

Scanning images with anchore-cli  159

Integrating image scanning into the CI/CD pipeline  165

Scanning at the build stage  166

Scanning at the deployment stage  168

Scanning at the runtime stage  172

Summary  172

Questions  173

Further references  173

Chapter 10: Real-Time Monitoring and Resource Management of a Kubernetes Cluster

Real-time monitoring and management in monolith environments  176

Managing resources in Kubernetes  177

Resource requests and limits  177

Namespace resource quotas  182

LimitRanger  184

Monitoring resources in Kubernetes   187

Built-in monitors  187

Third-party monitoring tools   193

Prometheus and Grafana  194

Summary  204

Questions  204

Further references   205

Chapter 11: Defense in Depth

Introducing Kubernetes auditing  208

Kubernetes audit policy  209

Configuring the audit backend  214

Enabling high availability in a Kubernetes cluster  216

Enabling high availability of Kubernetes workloads  216

Enabling high availability of Kubernetes components  217

Enabling high availability of a cloud infrastructure  219

Managing secrets with Vault  221

Setting up Vault  221

Provisioning and rotating secrets  224

Detecting anomalies with Falco  227

An overview of Falco   227

Creating Falco rules to detect anomalies  231

Conducting forensics with Sysdig Inspect and CRIU  235

Using CRIU to collect data  236

Using Sysdig and Sysdig Inspect  238

Summary  243

Questions  243

Further references  244

Section 3: Learning from Mistakes and Pitfalls

Chapter 12: Analyzing and Detecting Crypto-Mining Attacks

Analyzing crypto-mining attacks  248

An introduction to crypto-mining attacks  248

The crypto-mining attack on Tesla's Kubernetes cluster  249

Graboid – a crypto-worm attack  250

Lessons learned  251

Detecting crypto-mining attacks  251

Monitoring CPU utilization  252

Detecting network traffic to a mining pool  253

Detecting launched crypto-mining processes   256

Checking the binary signature   258

Defending against attacks  260

Securing Kubernetes cluster provisioning   260

Securing the build  261

Securing deployment  262

Securing runtime  263

Summary  264

Questions  264

Further reading  264

Chapter 13: Learning from Kubernetes CVEs

The path traversal issue in kubectl cp – CVE-2019-11246  269

Mitigation strategy  270

DoS issues in JSON parsing – CVE-2019-1002100  273

Mitigation strategy  273

A DoS issue in YAML parsing – CVE-2019-11253  275

Mitigation strategy  275

The privilege escalation issue in role parsing – CVE-2019-11247  276

Mitigation strategy  277

Scanning for known vulnerabilities using kube-hunter  278

Summary  280

Questions  280

Further references  281

Assessments

Chapter 1  283

Chapter 2  283

Chapter 3  284

Chapter 4  284

Chapter 5  284

Chapter 6  285

Chapter 7  285

Chapter 8  286

Chapter 9  287

Chapter 10  287

Chapter 11  288

Chapter 12  288

Chapter 13  288

Other Books You May Enjoy

Leave a review - let other readers know what you think  293
