Hacking Kubernetes - Helion
ebook
Autor: Andrew Martin, Michael HausenblasISBN: 9781492081685
stron: 314, Format: ebook
Data wydania: 2021-10-13
Księgarnia: Helion
Cena książki: 194,65 zł (poprzednio: 226,34 zł)
Oszczędzasz: 14% (-31,69 zł)
Want to run your Kubernetes workloads safely and securely? This practical book provides a threat-based guide to Kubernetes security. Each chapter examines a particular component's architecture and potential default settings and then reviews existing high-profile attacks and historical Common Vulnerabilities and Exposures (CVEs). Authors Andrew Martin and Michael Hausenblas share best-practice configuration to help you harden clusters from possible angles of attack.
This book begins with a vanilla Kubernetes installation with built-in defaults. You'll examine an abstract threat model of a distributed system running arbitrary workloads, and then progress to a detailed assessment of each component of a secure Kubernetes system.
- Understand where your Kubernetes system is vulnerable with threat modelling techniques
- Focus on pods, from configurations to attacks and defenses
- Secure your cluster and workload traffic
- Define and enforce policy with RBAC, OPA, and Kyverno
- Dive deep into sandboxing and isolation techniques
- Learn how to detect and mitigate supply chain attacks
- Explore filesystems, volumes, and sensitive information at rest
- Discover what can go wrong when running multitenant workloads in a cluster
- Learn what you can do if someone breaks in despite you having controls in place
Osoby które kupowały "Hacking Kubernetes", wybierały także:
- Windows Media Center. Domowe centrum rozrywki 66,67 zł, (8,00 zł -88%)
- Ruby on Rails. Ćwiczenia 18,75 zł, (3,00 zł -84%)
- Przywództwo w świecie VUCA. Jak być skutecznym liderem w niepewnym środowisku 58,64 zł, (12,90 zł -78%)
- Scrum. O zwinnym zarządzaniu projektami. Wydanie II rozszerzone 58,64 zł, (12,90 zł -78%)
- Od hierarchii do turkusu, czyli jak zarządzać w XXI wieku 58,64 zł, (12,90 zł -78%)
Spis treści
Hacking Kubernetes eBook -- spis treści
- Preface
- About You
- About Us
- How To Use This Book
- Conventions Used in This Book
- Using Code Examples
- OReilly Online Learning
- How to Contact Us
- Acknowledgments
- 1. Introduction
- Setting the Scene
- Starting to Threat Model
- Threat Actors
- Your First Threat Model
- Attack Trees
- Example Attack Trees
- Prior Art
- Conclusion
- 2. Pod-Level Resources
- Defaults
- Threat Model
- Anatomy of the Attack
- Remote Code Execution
- Network Attack Surface
- Kubernetes Workloads: Apps in a Pod
- Whats a Pod?
- Understanding Containers
- Sharing Network and Storage
- Whats the Worst That Could Happen?
- Container Breakout
- Pod Configuration and Threats
- Pod Header
- Reverse Uptime
- Labels
- Managed Fields
- Pod Namespace and Owner
- Environment Variables
- Container Images
- Pod Probes
- CPU and Memory Limits and Requests
- DNS
- Pod securityContext
- Pod Service Accounts
- Scheduler and Tolerations
- Pod Volume Definitions
- Pod Network Status
- Using the securityContext Correctly
- Enhancing the securityContext with Kubesec
- Hardened securityContext
- containers[] .securityContext .privileged
- .spec .hostPID
- .spec .hostNetwork
- .spec .hostAliases
- .spec .hostIPC
- containers[] .securityContext .runAsNonRoot
- containers[] .securityContext .runAsUser > 10000
- containers[] .securityContext .readOnlyRootFilesystem
- containers[] .securityContext .capabilities .drop | index(ALL)
- containers[] .securityContext .capabilities .add | index(SYS_ADMIN)
- containers[] .resources .limits .cpu, .memory
- containers[] .resources .requests .cpu, .memory
- .spec .volumes[] .hostPath .path
- Into the Eye of the Storm
- Conclusion
- 3. Container Runtime Isolation
- Defaults
- Threat Model
- Containers, Virtual Machines, and Sandboxes
- How Virtual Machines Work
- Benefits of Virtualization
- Whats Wrong with Containers?
- User Namespace Vulnerabilities
- Sandboxing
- gVisor
- Firecracker
- Kata Containers
- rust-vmm
- Risks of Sandboxing
- Kubernetes Runtime Class
- Conclusion
- 4. Applications and Supply Chain
- Defaults
- Threat Model
- The Supply Chain
- Software
- Scanning for CVEs
- Ingesting Open Source Software
- Which Producers Do We Trust?
- CNCF Security Technical Advisory Group
- Architecting Containerized Apps for Resilience
- Detecting Trojans
- Captain Hashjack Attacks a Supply Chain
- Post-Compromise Persistence
- Risks to Your Systems
- Container Image Build Supply Chains
- Software Factories
- Blessed Image Factory
- Base Images
- The State of Your Container Supply Chains
- Third-Party Code Risk
- Software Bills of Materials
- Human Identity and GPG
- Signing Builds and Metadata
- Notary v1
- sigstore
- in-toto and TUF
- GCP Binary Authorization
- Grafeas
- Infrastructure Supply Chain
- Operator Privileges
- Attacking Higher Up the Supply Chain
- Types of Supply Chain Attack
- Open Source Ingestion
- Application Vulnerability Throughout the SDLC
- Defending Against SUNBURST
- Conclusion
- 5. Networking
- Defaults
- Intra-Pod Networking
- Inter-Pod Traffic
- Pod-to-Worker Node Traffic
- Cluster-External Traffic
- The State of the ARP
- No securityContext
- No Workload Identity
- No Encryption on the Wire
- Threat Model
- Traffic Flow Control
- The Setup
- Network Policies to the Rescue!
- Service Meshes
- Concept
- Options and Uptake
- Case Study: mTLS with Linkerd
- eBPF
- Concept
- Options and Uptake
- Case Study: Attaching a Probe to a Go Program
- Conclusion
- Defaults
- 6. Storage
- Defaults
- Threat Model
- Volumes and Datastores
- Everything Is a Stream of Bytes
- Whats a Filesystem?
- Container Volumes and Mounts
- OverlayFS
- tmpfs
- Volume Mount Breaks Container Isolation
- The /proc/self/exe CVE
- Sensitive Information at Rest
- Mounted Secrets
- Attacking Mounted Secrets
- Storage Concepts
- Container Storage Interface
- Projected Volumes
- Attacking Volumes
- The Dangers of Host Mounts
- Other Secrets and Exfiltraing from Datastores
- Conclusion
- 7. Hard Multitenancy
- Defaults
- Threat Model
- Namespaced Resources
- Node Pools
- Node Taints
- Soft Multitenancy
- Hard Multitenancy
- Hostile Tenants
- Sandboxing and Policy
- Public Cloud Multitenancy
- Control Plane
- API Server and etcd
- Scheduler and Controller Manager
- Data Plane
- Cluster Isolation Architecture
- Cluster Support Services and Tooling Environments
- Security Monitoring and Visibility
- Conclusion
- 8. Policy
- Types of Policies
- Defaults
- Network Traffic
- Limiting Resource Allocations
- Resource Quotas
- Runtime Policies
- Access Control Policies
- Threat Model
- Common Expectations
- Breakglass Scenario
- Auditing
- Authentication and Authorization
- Human Users
- Workload Identity
- Service accounts
- Cryptographically strong identities
- Role-Based Access Control (RBAC)
- RBAC Recap
- A Simple RBAC Example
- Authoring RBAC
- Analyzing and Visualizing RBAC
- RBAC-Related Attacks
- Generic Policy Engines
- Open Policy Agent
- Using OPA directly
- Gatekeeper
- Kyverno
- Other Policy Offerings
- Open Policy Agent
- Conclusion
- 9. Intrusion Detection
- Defaults
- Threat Model
- Traditional IDS
- eBPF-Based IDS
- Kubernetes and Container Intrusion Detection
- Falco
- Machine Learning Approaches to IDS
- Container Forensics
- Honeypots
- Auditing
- Detection Evasion
- Security Operations Centers
- Conclusion
- 10. Organizations
- The Weakest Link
- Cloud Providers
- Shared Responsibility
- Account Hygiene
- Grouping People and Resources
- Other Considerations
- Dealing with root certificate authorities
- Avoid leaking credentials
- On-Premises Environments
- Common Considerations
- Threat Model Explosion
- How SLOs Can Put Additional Pressure on You
- Social Engineering
- Privacy and Regulatory Concerns
- Conclusion
- A. A Pod-Level Attack
- Filesystem
- tmpfs
- Host Mounts
- Hostile Containers
- Runtime
- B. Resources
- General
- References
- Books
- Further Reading by Chapter
- Intro
- Pods
- Supply Chains
- Networking
- Policy
- Notable CVEs
- General
- Index