Kubernetes Security and Observability: A Holistic Approach to Securing Containers and Cloud Native Applications

Preface
   The Stages of Kubernetes Adoption
   Who This Book Is For
      The Platform Team
      The Networking Team
      The Security Team
      The Compliance Team
      The Operations Team
   What You Will Learn
   Conventions Used in This Book
   Using Code Examples
   O’Reilly Online Learning
   How to Contact Us
   Acknowledgments
1. Security and Observability Strategy
   Security for Kubernetes: A New and Different World
   Deploying a Workload in Kubernetes: Security at Each Stage
      Build-Time Security: Shift Left
         Image scanning
         Host operating system hardening
         Minimizing the attack surface: Base container images
      Deploy-Time Security
      Runtime Security
         Network security controls
         Enterprise security controls
         Threat defense
      Observability
         Network traffic visibility
         DNS activity logs
         Application traffic visibility
         Kubernetes activity logs
         Machine learning/anomaly detection
      Security Frameworks
         MITRE
         Threat matrix for Kubernetes
   Security and Observability
   Conclusion
2. Infrastructure Security
   Host Hardening
      Choice of Operating System
      Nonessential Processes
      Host-Based Firewalling
      Always Research the Latest Best Practices
   Cluster Hardening
      Secure the Kubernetes Datastore
      Secure the Kubernetes API Server
      Encrypt Kubernetes Secrets at Rest
      Rotate Credentials Frequently
      Authentication and RBAC
      Restricting Cloud Metadata API Access
      Enable Auditing
      Restrict Access to Alpha or Beta Features
      Upgrade Kubernetes Frequently
   Use a Managed Kubernetes Service
      CIS Benchmarks
      Network Security
   Conclusion
3. Workload Deployment Controls
   Image Building and Scanning
      Choice of a Base Image
      Container Image Hardening
      Container Image Scanning Solution
      Privacy Concerns
      Container Threat Analysis
   CI/CD
      Scan Images by Registry Scanning Services
      Scan Images After Builds
      Inline Image Scanning
      Kubernetes Admission Controller
      Securing the CI/CD Pipeline
         Zero-trust policy for CI/CD environment
         Secure secrets
         Access control
         Audit and monitoring
   Organization Policy
      Secrets Management
      etcd to Store Secrets
      Secrets Management Service
      Kubernetes Secrets Store CSI Driver
      Secrets Management Best Practices
         Avoid secrets sprawl
         Use anti-affinity rules
         Data encryption (transit and rest)
         Use automated secret rotation
         Ephemeral or dynamic secret
         Enable audit log
         Store secrets in container memory
         Secret zero problem
         Use your Certificate Authority
   Authentication
      X509 Client Certificates
      Bearer Token
      OIDC Tokens
      Authentication Proxy
      Anonymous Requests
      User Impersonation
   Authorization
      Node
      ABAC
      AlwaysDeny/AlwaysAllow
      RBAC
      Namespaced RBAC
      Privilege Escalation Mitigation
   Conclusion
4. Workload Runtime Security
   Pod Security Policies
      Using Pod Security Policies
      Pod Security Policy Capabilities
      Pod Security Context
      Limitations of PSPs
      Process Monitoring
      Kubernetes Native Monitoring
      Seccomp
      SELinux
      AppArmor
      Sysctl
   Conclusion
5. Observability
   Monitoring
   Observability
      How Observability Works for Kubernetes
      Implementing Observability for Kubernetes
      Linux Kernel Tools
   Observability Components
   Aggregation and Correlation
   Visualization
      Service Graph
      Visualization of Network Flows
   Analytics and Troubleshooting
      Distributed Tracing
      Packet Capture
   Conclusion
6. Observability and Security
   Alerting
      Machine Learning
      Examples of Machine Learning Jobs
   Security Operations Center
   User and Entity Behavior Analytics
   Conclusion
7. Network Policy
   What Is Network Policy?
   Why Is Network Policy Important?
   Network Policy Implementations
   Network Policy Best Practices
      Ingress and Egress
      Not Just Mission-Critical Workloads
      Policy and Label Schemas
      Default Deny and Default App Policy
   Policy Tooling
      Development Processes and Microservices Benefits
      Policy Recommendations
      Policy Impact Previews
      Policy Staging and Audit Modes
   Conclusion
8. Managing Trust Across Teams
   Role-Based Access Control
      Limitations with Kubernetes Network Policies
      Richer Network Policy Implementations
      Admission Controllers
   Conclusion
9. Exposing Services to External Clients
   Understanding Direct Pod Connections
   Understanding Kubernetes Services
      Cluster IP Services
      Node Port Services
      Load Balancer Services
      externalTrafficPolicy:local
      Network Policy Extensions
      Alternatives to kube-proxy
      Direct Server Return
      Limiting Service External IPs
      Advertising Service IPs
      Understanding Kubernetes Ingress
         In-cluster ingress solutions
         External ingress solutions
   Conclusion
10. Encryption of Data in Transit
   Building Encryption into Your Code
   Sidecar or Service Mesh Encryption
   Network-Layer Encryption
   Conclusion
11. Threat Defense and Intrusion Detection
   Threat Defense for Kubernetes (Stages of an Attack)
   Intrusion Detection
      Intrusion Detection Systems
      IP Address and Domain Name Threat Feeds
         Threat feed controller
         Network policy engine
         Log processing engine
      Special Considerations for Domain Name Feeds
         Deep packet inspection
         Logging and visibility
   Advanced Threat Defense Techniques
      Canary Pods/Resources
      DNS-Based Attacks and Defense
   Conclusion
Conclusion
Index