Kubernetes Security and Observability - Helion
ISBN: 9781098107055
Pages: 194, Format: ebook
Publication date: 2021-10-26
Bookstore: Helion
Price: 169,15 zł (previously: 196,69 zł)
You save: 14% (-27,54 zł)
Securing, observing, and troubleshooting containerized workloads on Kubernetes can be daunting. It requires a range of considerations, from infrastructure choices and cluster configuration to deployment controls and runtime and network security. With this practical book, you'll learn how to adopt a holistic security and observability strategy for building and securing cloud native applications running on Kubernetes.
Whether you're already working on cloud native applications or are in the process of migrating to a cloud native architecture, this guide introduces key security and observability concepts and best practices for building and running cloud native applications. Authors Brendan Creane and Amit Gupta from Tigera take you through the full breadth of new cloud native approaches for establishing security and observability for applications running on Kubernetes.
- Learn why you need a security and observability strategy for cloud native applications and determine your scope of coverage
- Understand key concepts behind the book's security and observability approach
- Explore the technology choices available to support this strategy
- Discover how to share security responsibilities across multiple teams or roles
- Learn how to architect Kubernetes security and observability for multicloud and hybrid environments
Table of Contents
- Preface
- The Stages of Kubernetes Adoption
- Who This Book Is For
- The Platform Team
- The Networking Team
- The Security Team
- The Compliance Team
- The Operations Team
- What You Will Learn
- Conventions Used in This Book
- Using Code Examples
- O'Reilly Online Learning
- How to Contact Us
- Acknowledgments
- 1. Security and Observability Strategy
- Security for Kubernetes: A New and Different World
- Deploying a Workload in Kubernetes: Security at Each Stage
- Build-Time Security: Shift Left
- Image scanning
- Host operating system hardening
- Minimizing the attack surface: Base container images
- Deploy-Time Security
- Runtime Security
- Network security controls
- Enterprise security controls
- Threat defense
- Observability
- Network traffic visibility
- DNS activity logs
- Application traffic visibility
- Kubernetes activity logs
- Machine learning/anomaly detection
- Security Frameworks
- MITRE
- Threat matrix for Kubernetes
- Security and Observability
- Conclusion
- 2. Infrastructure Security
- Host Hardening
- Choice of Operating System
- Nonessential Processes
- Host-Based Firewalling
- Always Research the Latest Best Practices
- Cluster Hardening
- Secure the Kubernetes Datastore
- Secure the Kubernetes API Server
- Encrypt Kubernetes Secrets at Rest
- Rotate Credentials Frequently
- Authentication and RBAC
- Restricting Cloud Metadata API Access
- Enable Auditing
- Restrict Access to Alpha or Beta Features
- Upgrade Kubernetes Frequently
- Use a Managed Kubernetes Service
- CIS Benchmarks
- Network Security
- Conclusion
- 3. Workload Deployment Controls
- Image Building and Scanning
- Choice of a Base Image
- Container Image Hardening
- Container Image Scanning Solution
- Privacy Concerns
- Container Threat Analysis
- CI/CD
- Scan Images by Registry Scanning Services
- Scan Images After Builds
- Inline Image Scanning
- Kubernetes Admission Controller
- Securing the CI/CD Pipeline
- Zero-trust policy for CI/CD environment
- Secure secrets
- Access control
- Audit and monitoring
- Organization Policy
- Secrets Management
- etcd to Store Secrets
- Secrets Management Service
- Kubernetes Secrets Store CSI Driver
- Secrets Management Best Practices
- Avoid secrets sprawl
- Use anti-affinity rules
- Data encryption (transit and rest)
- Use automated secret rotation
- Ephemeral or dynamic secret
- Enable audit log
- Store secrets in container memory
- Secret zero problem
- Use your Certificate Authority
- Authentication
- X509 Client Certificates
- Bearer Token
- OIDC Tokens
- Authentication Proxy
- Anonymous Requests
- User Impersonation
- Authorization
- Node
- ABAC
- AlwaysDeny/AlwaysAllow
- RBAC
- Namespaced RBAC
- Privilege Escalation Mitigation
- Conclusion
- 4. Workload Runtime Security
- Pod Security Policies
- Using Pod Security Policies
- Pod Security Policy Capabilities
- Pod Security Context
- Limitations of PSPs
- Process Monitoring
- Kubernetes Native Monitoring
- Seccomp
- SELinux
- AppArmor
- Sysctl
- Conclusion
- 5. Observability
- Monitoring
- Observability
- How Observability Works for Kubernetes
- Implementing Observability for Kubernetes
- Linux Kernel Tools
- Observability Components
- Aggregation and Correlation
- Visualization
- Service Graph
- Visualization of Network Flows
- Analytics and Troubleshooting
- Distributed Tracing
- Packet Capture
- Conclusion
- 6. Observability and Security
- Alerting
- Machine Learning
- Examples of Machine Learning Jobs
- Security Operations Center
- User and Entity Behavior Analytics
- Conclusion
- 7. Network Policy
- What Is Network Policy?
- Why Is Network Policy Important?
- Network Policy Implementations
- Network Policy Best Practices
- Ingress and Egress
- Not Just Mission-Critical Workloads
- Policy and Label Schemas
- Default Deny and Default App Policy
- Policy Tooling
- Development Processes and Microservices Benefits
- Policy Recommendations
- Policy Impact Previews
- Policy Staging and Audit Modes
- Conclusion
- 8. Managing Trust Across Teams
- Role-Based Access Control
- Limitations with Kubernetes Network Policies
- Richer Network Policy Implementations
- Admission Controllers
- Conclusion
- 9. Exposing Services to External Clients
- Understanding Direct Pod Connections
- Understanding Kubernetes Services
- Cluster IP Services
- Node Port Services
- Load Balancer Services
- externalTrafficPolicy:local
- Network Policy Extensions
- Alternatives to kube-proxy
- Direct Server Return
- Limiting Service External IPs
- Advertising Service IPs
- Understanding Kubernetes Ingress
- In-cluster ingress solutions
- External ingress solutions
- Conclusion
- 10. Encryption of Data in Transit
- Building Encryption into Your Code
- Sidecar or Service Mesh Encryption
- Network-Layer Encryption
- Conclusion
- 11. Threat Defense and Intrusion Detection
- Threat Defense for Kubernetes (Stages of an Attack)
- Intrusion Detection
- Intrusion Detection Systems
- IP Address and Domain Name Threat Feeds
- Threat feed controller
- Network policy engine
- Log processing engine
- Special Considerations for Domain Name Feeds
- Deep packet inspection
- Logging and visibility
- Advanced Threat Defense Techniques
- Canary Pods/Resources
- DNS-Based Attacks and Defense
- Conclusion
- Index