Kubernetes Security and Observability: A Holistic Approach to Securing and Troubleshooting Cloud Native Applications
- Length: 182 pages
- Edition: 1
- Language: English
- Publisher: O'Reilly Media
- Publication Date: 2021-11-23
- ISBN-10: 1098107101
- ISBN-13: 9781098107109
- Sales Rank: #415000 (See Top 100 Books)
This practical book introduces new cloud native approaches for Kubernetes practitioners, like yourself, who care about the security and observability of mission-critical microservices. Through practical guidance and best practice recommendations, this book helps you understand why cloud native applications require a modern approach to security and observability practices and how to implement them.
Do you want to know how to secure and troubleshoot your cloud native applications? Or are you part of a group that wants to solve security and observability challenges before fully adopting Kubernetes in your organization? This book takes you through the full breadth of new cloud native approaches for establishing security and observability with Kubernetes.
- Learn why you need a security and observability strategy for cloud native applications and determine your scope of coverage
- Understand key concepts behind Kubernetes’s security and observability approach
- Explore the technology choices you can make to meet each aspect of this strategy
- Discover how to split security responsibilities across multiple teams or roles
- Learn ways to architect Kubernetes security and observability for multicloud and hybrid environments
Preface The Stages of Kubernetes Adoption Who This Book Is For The Platform Team The Networking Team The Security Team The Compliance Team The Operations Team What You Will Learn Conventions Used in This Book Using Code Examples O’Reilly Online Learning How to Contact Us Acknowledgments 1. Security and Observability Strategy Security for Kubernetes: A New and Different World Deploying a Workload in Kubernetes: Security at Each Stage Build-Time Security: Shift Left Deploy-Time Security Runtime Security Observability Security Frameworks Security and Observability Conclusion 2. Infrastructure Security Host Hardening Choice of Operating System Nonessential Processes Host-Based Firewalling Always Research the Latest Best Practices Cluster Hardening Secure the Kubernetes Datastore Secure the Kubernetes API Server Encrypt Kubernetes Secrets at Rest Rotate Credentials Frequently Authentication and RBAC Restricting Cloud Metadata API Access Enable Auditing Restrict Access to Alpha or Beta Features Upgrade Kubernetes Frequently Use a Managed Kubernetes Service CIS Benchmarks Network Security Conclusion 3. Workload Deployment Controls Image Building and Scanning Choice of a base image Container Image Hardening Container Image Scanning Solution Privacy Concerns Container Threat Analysis CI/CD Scan Images by Registry Scanning Services Scan Images After Builds Inline Image Scanning Kubernetes Admission Controller Securing the CI/CD pipeline Organization Policy Secrets Management etcd to Store Secrets Secrets Management Service Kubernetes Secrets Store CSI Driver Secrets Management Best Practices Authentication X509 Client Certificates Bearer Token OIDC Tokens Authentication Proxy Anonymous Requests User impersonation Authorization Node ABAC AlwaysDeny/AlwaysAllow RBAC Namespaced RBAC Privilege escalation mitigation Conclusion 4. Workload runtime security Pod Security Policies (PSPs) Using Pod Security Policies Pod Security Policy Capabilities Pod Security Context Limitations of PSPs Process Monitoring Kubernetes Native Monitoring Seccomp SELinux AppArmor Sysctl Conclusion 5. Observability Monitoring Observability How Observability Works for Kubernetes Implementing Observability for Kubernetes Linux Kernel Tools Observability Components Aggregation and Correlation Visualization Service Graph Visualization of Network Flows Analytics and Troubleshooting Distributed Tracing Packet Capture Conclusion 6. Observability and Security Alerting Machine Learning Security Operations Center User and Entity Behavior Analytics Conclusion 7. Network Policy What Is Network Policy? Why Is Network Policy Important? Network Policy Implementations Network Policy Best Practices Ingress and egress Not Just Mission-Critical Workloads Policy and Label Schemas Default Deny and Default App Policy Policy Tooling Development Processes and Microservices Benefits Policy Recommendations Policy Impact Previews Policy Staging and Audit Modes Conclusion 8. Managing Trust Across Teams Role-Based Access Control Limitations with Kubernetes Network Policies Richer Network Policy Implementations Admissions Controllers Conclusion 9. Exposing Services to External Clients Understanding Direct Pod Connections Understanding Kubernetes Services Cluster IP Services Node Port Services Load Balancer Services externalTrafficPolicy:local Network Policy Extensions Alternatives to kube-proxy Direct Server Return Limiting Service External IPs Advertising Service IPs Understanding Kubernetes Ingress Conclusion 10. Encryption of Data in Transit Building Encryption into Your Ccode Sidecar or Service Mesh Encryption Network-Layer Encryption Conclusion 11. Threat Defense and Intrusion Detection Threat Defense for Kubernetes (Stages of an Attack) Intrusion Detection Intrusion Detection Systems IP Address and Domain Name Threat feeds Special Considerations for Domain Name Feeds Advanced Threat Defense techniques Canary Pods/Resources DNS-Based Attacks and Defense Conclusion Conclusion
Donate to keep this site alive
How to download source code?
1. Go to: https://www.oreilly.com/
2. Search the book title: Kubernetes Security and Observability: A Holistic Approach to Securing and Troubleshooting Cloud Native Applications
, sometime you may not get the results, please search the main title
3. Click the book title in the search results
3. Publisher resources
section, click Download Example Code
.
1. Disable the AdBlock plugin. Otherwise, you may not get any links.
2. Solve the CAPTCHA.
3. Click download link.
4. Lead to download server to download.