Learn Kubernetes Security
eBook - ePub

Learn Kubernetes Security

Securely orchestrate, scale, and manage your microservices in Kubernetes deployments

  • 330 pages
  • English
  • ePUB (mobile friendly)
  • Available on iOS & Android

About This Book

Secure your container environment against cyberattacks and deliver robust deployments with this practical guide

Key Features

  • Explore a variety of Kubernetes components that help you to prevent cyberattacks
  • Perform effective resource management and monitoring with Prometheus and built-in Kubernetes tools
  • Learn techniques to prevent attackers from compromising applications and accessing resources for crypto-coin mining

Book Description

Kubernetes is an open source orchestration platform for managing containerized applications. Despite widespread adoption of the technology, DevOps engineers might be unaware of the pitfalls of containerized environments. With this comprehensive book, you'll learn how to use the different security integrations available on the Kubernetes platform to safeguard your deployments in a variety of scenarios.

Learn Kubernetes Security starts by taking you through the Kubernetes architecture and the networking model. You'll then learn about the Kubernetes threat model and get to grips with securing clusters. Throughout the book, you'll cover various security aspects such as authentication, authorization, image scanning, and resource monitoring. As you advance, you'll learn about securing cluster components (the kube-apiserver, CoreDNS, and kubelet) and pods (hardening image, security context, and PodSecurityPolicy). With the help of hands-on examples, you'll also learn how to use open source tools such as Anchore, Prometheus, OPA, and Falco to protect your deployments.

By the end of this Kubernetes book, you'll have gained a solid understanding of container security and be able to protect your clusters from cyberattacks and mitigate cybersecurity threats.

What you will learn

  • Understand the basics of Kubernetes architecture and networking
  • Gain insights into different security integrations provided by the Kubernetes platform
  • Delve into Kubernetes' threat modeling and security domains
  • Explore different security configurations from a variety of practical examples
  • Get to grips with using and deploying open source tools to protect your deployments
  • Discover techniques to mitigate or prevent known Kubernetes hacks

Who this book is for

This book is for security consultants, cloud administrators, system administrators, and DevOps engineers interested in securing their container deployments. If you're looking to secure your Kubernetes clusters and cloud-based deployments, you'll find this book useful. A basic understanding of cloud computing and containerization is necessary to make the most of this book.

Yes, you can access Learn Kubernetes Security by Kaizhe Huang, Pranjal Jumde in PDF and/or ePUB format, as well as other popular books in Computer Science & System Administration. We have over one million books available in our catalogue for you to explore.

Information

Year: 2020
ISBN: 9781839212185
Edition: 1

Section 1: Introduction to Kubernetes

In this section, you will grasp the fundamental concepts of Kubernetes' architecture, network models, threat models, and the core security principles that should be applied to a Kubernetes cluster.
The following chapters are included in this section:
  • Chapter 1, Kubernetes Architecture
  • Chapter 2, Kubernetes Networking
  • Chapter 3, Threat Modeling
  • Chapter 4, Applying the Principle of Least Privilege in Kubernetes
  • Chapter 5, Configuring Kubernetes Security Boundaries

Chapter 1: Kubernetes Architecture

Traditional applications, such as web applications, are known to follow a modular architecture, splitting code into an application layer, business logic, a storage layer, and a communication layer. Despite the modular architecture, the components are packaged and deployed as a monolith. A monolith application, despite being easy to develop, test, and deploy, is hard to maintain and scale. This led to the growth of microservices architecture. Development of container runtimes like Docker and Linux Containers (LXC) has eased deployment and maintenance of applications as microservices.
Microservices architecture splits application deployment into small and interconnected entities. The increasing popularity of microservices architecture has led to the growth of orchestration platforms such as Apache Swarm, Mesos, and Kubernetes. Container orchestration platforms help manage containers in large and dynamic environments.
Kubernetes is an open source orchestration platform for containerized applications that supports automated deployment, scaling, and management. It was originally developed by Google in 2014 and is now maintained by the Cloud Native Computing Foundation (CNCF). Kubernetes was the first project to graduate from the CNCF, in 2018. Established global organizations, such as Uber, Bloomberg, Blackrock, BlaBlaCar, The New York Times, Lyft, eBay, Buffer, Ancestry, GolfNow, Goldman Sachs, and many others, use Kubernetes in production at a massive scale (https://kubernetes.io/case-studies/). Large cloud providers offer their own managed Kubernetes services, such as Elastic Kubernetes Service (Amazon), Azure Kubernetes Service (Microsoft), Google Kubernetes Engine (Google), and Alibaba Cloud Kubernetes (Alibaba).
In a microservices model, application developers ensure that their applications work correctly in containerized environments. They write a Dockerfile to bundle their applications. DevOps and infrastructure engineers interact with the Kubernetes cluster directly: they ensure that the application bundles provided by developers run smoothly within the cluster, and they monitor the nodes, pods, and other Kubernetes components to keep the cluster healthy. Security, however, requires the joint effort of both parties and the security team. To learn how to secure a Kubernetes cluster, we first have to understand what Kubernetes is and how it works.
In this chapter, we will cover the following topics:
  • The rise of Docker and the trend of microservices
  • Kubernetes components
  • Kubernetes objects
  • Kubernetes variations
  • Kubernetes and cloud providers

The rise of Docker and the trend of microservices

Before we start looking into Kubernetes, it's important to understand the growth of microservices and containerization. With the evolution of a monolithic application, developers face inevitable problems as the applications evolve:
  • Scaling: A monolithic application is difficult to scale; the established way to solve a scalability problem is to distribute the workload across many instances.
  • Operational cost: The operation cost increases with the complexity of a monolith application. Updates and maintenance require careful analysis and enough testing before deployment. This is the opposite of scalability; you can't scale down a monolithic application easily as the minimum resource requirement is high.
  • Longer release cycle: The maintenance and development barrier is significantly high for monolith applications. For developers, when there is a bug, it takes a lot of time to identify the root cause in a complex and ever-growing code base. The testing time increases significantly. Regression, integration, and unit tests take significantly longer to pass with a complex code base. When the customer's requests come in, it takes months or even a year for a single feature to ship. This makes the release cycle long and impacts the company's business significantly.
This creates a huge incentive to break down monolithic applications into microservices. The benefits are obvious:
  • With a well-defined interface, developers only need to focus on the functionality of the services they own.
  • The code logic is simplified, which makes the application easier to maintain and easier to debug. Furthermore, the release cycle of microservices has shortened tremendously compared to monolithic applications, so customers do not have to wait for too long for a new feature.
When a monolithic application breaks down into many microservices, it increases the deployment and management complexity on the DevOps side. The complexity is obvious; microservices are usually written in different programming languages that require different runtimes or interpreters, with different package dependencies, different configurations, and so on, not to mention the interdependence among microservices. This is exactly the right time for Docker to come into the picture.
Let's look at the evolution of Docker. Process isolation has been a part of Linux for a long time in the form of Control Groups (cgroups) and namespaces. With the cgroup setting, each process has limited resources (CPU, memory, and so on) to use. With a dedicated process namespace, the processes within a namespace do not have any knowledge of other processes running in the same node but in different process namespaces. With a dedicated network namespace, processes cannot communicate with other processes without a proper network configuration, even though they're running on the same node.
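As an added example (not code from the book), the Python script below makes the two primitives just described concrete from a defender's viewpoint. It parses /proc/<pid>/cgroup (both the v1 per-controller format and the unified v2 format) to find which cgroup a process is confined by, and compares the namespace identities the kernel exposes under /proc/<pid>/ns to tell whether a process is actually isolated from PID 1 or shares, for instance, the host network namespace. The sample cgroup lines and namespace identities are constructed; the live helper reads the real /proc tree and therefore works only on Linux.

```python
"""Inspect the Linux isolation primitives behind containers: cgroups and namespaces."""
import os
from typing import Dict, List

# Constructed sample of /proc/<pid>/cgroup in the cgroup v1 format
# ("hierarchy-id:controllers:path", one hierarchy per line).
SAMPLE_CGROUP_V1 = """\
12:memory:/kubepods/burstable/pod1234/abcd
3:cpu,cpuacct:/kubepods/burstable/pod1234/abcd
1:name=systemd:/kubepods/burstable/pod1234/abcd
"""
# Constructed sample in the cgroup v2 (unified hierarchy) format: a single "0::path" line.
SAMPLE_CGROUP_V2 = "0::/kubepods.slice/kubepods-burstable.slice/cri-containerd-abcd.scope\n"

# Constructed namespace identities. The kernel exposes each namespace as a symlink target
# such as "pid:[4026531836]" under /proc/<pid>/ns; equal strings mean the same namespace.
SAMPLE_HOST_NS = {"pid": "pid:[4026531836]", "net": "net:[4026531992]", "mnt": "mnt:[4026531840]"}
SAMPLE_ISOLATED_NS = {"pid": "pid:[4026532200]", "net": "net:[4026532300]", "mnt": "mnt:[4026532201]"}
SAMPLE_HOSTNET_NS = {"pid": "pid:[4026532400]", "net": "net:[4026531992]", "mnt": "mnt:[4026532401]"}


def parse_proc_cgroup(text: str) -> Dict[str, str]:
    """Map each controller set (or 'unified' for v2) to the cgroup path the process lives in."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _hierarchy_id, controllers, path = line.split(":", 2)
        result[controllers or "unified"] = path
    return result


def in_root_cgroup(text: str) -> bool:
    """True when every hierarchy places the process at '/', i.e. no cgroup limits apply."""
    return all(path == "/" for path in parse_proc_cgroup(text).values())


def namespace_ids(pid="self") -> Dict[str, str]:
    """Read the namespace identities of a process from /proc/<pid>/ns (Linux only)."""
    ids = {}
    for kind in ("pid", "net", "mnt", "uts", "ipc", "user"):
        try:
            ids[kind] = os.readlink(f"/proc/{pid}/ns/{kind}")
        except OSError:  # not Linux, or no permission to inspect that process
            pass
    return ids


def shared_with(proc_ns: Dict[str, str], ref_ns: Dict[str, str]) -> List[str]:
    """Namespace kinds in which proc_ns is NOT isolated from ref_ns (same kernel namespace)."""
    return sorted(kind for kind, ident in proc_ns.items() if ref_ns.get(kind) == ident)


def live_report() -> Dict[str, object]:
    """Compare this process with PID 1: shared namespaces and its own cgroup paths (Linux only)."""
    host = namespace_ids(1)
    me = namespace_ids("self")
    try:
        with open("/proc/self/cgroup") as fh:
            cgroups = parse_proc_cgroup(fh.read())
    except OSError:
        cgroups = {}
    return {"shared_with_pid1": shared_with(me, host), "cgroups": cgroups}


if __name__ == "__main__":
    print(parse_proc_cgroup(SAMPLE_CGROUP_V1))
    # A process whose 'net' identity equals PID 1's is on the host network namespace.
    print(shared_with(SAMPLE_HOSTNET_NS, SAMPLE_HOST_NS))
    print(live_report())
```

Run inside a container and `live_report()` should list no namespace shared with PID 1 and a non-root cgroup path; a `net` or `pid` entry in `shared_with_pid1` is exactly what a pod running with `hostNetwork` or `hostPID` looks like from inside, which is the kind of misconfiguration later chapters teach you to spot and restrict.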
Docker eases process management for infrastructure and DevOps engineers. In 2013, Docker as a company released the Docker open source project. Instead of managing namespaces and cgroups, DevOps engineers manage containers ...

Table of contents

  1. Learn Kubernetes Security
  2. Why subscribe?
  3. Preface
  4. Section 1: Introduction to Kubernetes
  5. Chapter 1: Kubernetes Architecture
  6. Chapter 2: Kubernetes Networking
  7. Chapter 3: Threat Modeling
  8. Chapter 4: Applying the Principle of Least Privilege in Kubernetes
  9. Chapter 5: Configuring Kubernetes Security Boundaries
  10. Section 2: Securing Kubernetes Deployments and Clusters
  11. Chapter 6: Securing Cluster Components
  12. Chapter 7: Authentication, Authorization, and Admission Control
  13. Chapter 8: Securing Kubernetes Pods
  14. Chapter 9: Image Scanning in DevOps Pipelines
  15. Chapter 10: Real-Time Monitoring and Resource Management of a Kubernetes Cluster
  16. Chapter 11: Defense in Depth
  17. Section 3: Learning from Mistakes and Pitfalls
  18. Chapter 12: Analyzing and Detecting Crypto-Mining Attacks
  19. Chapter 13: Learning from Kubernetes CVEs
  20. Assessments
  21. Other Books You May Enjoy