Hello and welcome to Kubernetes Security, the resource center for the O'Reilly book on this topic by Liz Rice and Michael Hausenblas.

In the book we explore security concepts including defense in depth, least privilege, and limiting the attack surface. We discuss and show how to secure clusters, and you'll also learn how Kubernetes uses authentication and authorization. The book will teache you how to secure container images against known vulnerabilities and abuse by third parties, enforce policies on the container runtime level as well as the networking level, and give you to rundown on how to handle sensitive information such as credentials.

Table of contents

• Securing the cluster
• Authentication and authorization
• Securing your container images
• Running containers securely
• Secrets management
• Advanced topics
• References

---

Securing the cluster

Relevant pages in the official Kubernetes documentation:

• Securing a Cluster
• Encrypting Secret Data at Rest
• Installation—Recommended setup
• Auditing
• Certificate Rotation

Further reading:

• etcd's transport security model
• Securing Kubernetes components: kubelet, etcd and Docker registry
• K8s security best practices
• Kubernetes Security - Best Practice Guide
• Lessons from the Cryptojacking Attack at Tesla
• Hacking and Hardening Kubernetes Clusters by Example
• What Does “Production Ready” Really Mean for a Kubernetes Cluster
• A Hacker's Guide to Kubernetes and the Cloud
• Kubernetes Container Clustering, Catastrophe
• Hardening Kubernetes from Scratch
• Analysis of a Kubernetes hack — Backdooring through kubelet
• 11 Ways (Not) to get Hacked
• Testing access to the Kubelet API

Tooling:

• Center for Internet Security (CIS) Benchmark for Kubernetes
• Center for Internet Security (CIS) Benchmark for Docker
• aquasecurity/kube-bench
• aquasecurity/kube-hunter
• k8guard.github.io
• bgeesaman/kubeatf
• docker/docker-bench-security

Authentication and authorization

Introductions and overview resources for authn & authz in Kubernetes:

• Kubernetes deep dive: API Server – part 1 by Stefan Schimanski and Michael Hausenblas
• Kubernetes Auth and Access Control by Eric Chiang
• Webhook Mode via Kubernetes documentation
• Certifik8s: All You Need to Know About Certificates in Kubernetes by Alexander Brand,
• RFC 7519 JSON Web Token (JWT)
• RFC 7617 The 'Basic' HTTP Authentication Scheme
• X.509 certificates
• OpenID Connect

Tooling:

• jwt.io
• kubeadm

Authentication

Relevant pages in the official Kubernetes documentation:

• Authentication
• Authenticating with Bootstrap Tokens

Further reading:

• Single Sign-On for Kubernetes: An Introduction by Joel Speed
• Let's Encrypt, OAuth 2, and Kubernetes Ingress by Ian Chiles
• Comparing Kubernetes Authentication Methods Etienne Dilocker
• K8s auth proxy example
• K8s authentication with Conjur

Tooling:

• Keycloak
• coreos/dex
• heptio/authenticator
• hashicorp/vault-plugin-auth-kubernetes
• appscode/guard
• cyberark/conjur

Authorization

Relevant pages in the official Kubernetes documentation:

• Authorization
• Using RBAC Authorization
• Controlling Access to the Kubernetes API
• Configure Service Accounts for Pods

Further reading:

• Effective RBAC by Jordan Liggitt
• Configure RBAC In Your Kubernetes Cluster via Bitnami
• Using RBAC, Generally Available in Kubernetes v1.8 by Eric Chiang

Tooling:

• liggitt/audit2rbac
• reactiveops/rbac-manager
• jtblin/kube2iam

Securing your container images

Further reading:

• Establishing Image Provenance and Security in Kubernetes
• Image Management & Mutability in Docker and Kubernetes
• Container security considerations in a Kubernetes deployment
• Using Docker tags to mess with people’s minds
• If you run SSHD in your Docker containers, you're doing it wrong!
• Creating Effective Images
• How to containerize your Go code
• Building Container Images Securely on Kubernetes
• The OpenShift Build Process
• Introducing Grafeas: An open-source API to audit and govern your software supply chain
• Secure Kubernetes Application Delivery
• Set up Security Scanning in DTR
• Pain spotting: Russia's Aeroflot Docker server lands internal source code, config files on public internet

Tooling:

• National Vulnerability Database
• OpenSCAP tools
• coreos/clair
• aquasecurity/microscanner
• Docker Registry Server
• GitLab Container Registry
• Red Hat Quay container registry
• Amazon Elastic Container Registry
• theupdateframework/notary
• weaveworks/flux
• IBM/portieris
• Grafeas
• in-toto

Running containers securely

Relevant pages in the official Kubernetes documentation:

• Configure Quality of Service for Pods
• Configure a Security Context for a Pod or Container
• Pod Security Policies
• Network policies

Further reading:

• Just say no to root (in containers)
• Non-privileged containers FTW!
• Running with Scissors
• Containers are a lie
• Exploring Container Mechanisms Through the Story of a Syscall: slides, video
• Improving your Kubernetes Workload Security
• Container Isolation at Scale (Introducing gVisor): slides, video
• Shipping in Pirate-Infested Waters: Practical Attack and Defense in Kubernetes
• Exploring container security: Isolation at different layers of the Kubernetes stack
• Security Best Practices for Kubernetes Deployment
• NIST Special Publication 800-190: Application Container Security Guide
• Kubernetes Security Best Practices
• Securing Kubernetes Cluster Networking
• Tutorials and Recipes for Kubernetes Network Policies feature
• Kubernetes Security Context and Kubernetes Network Policy
• Continuous Kubernetes Security
• Cilium: Making BPF Easy on Kubernetes for Improved Security, Performance

Tooling:

• Shopify/kubeaudit
• opensource/falco
• genuinetools/bane
• kubesec.io

Secrets management

Relevant pages in the official Kubernetes documentation:

• Secrets
• Securing etcd clusters
• Distribute Credentials Securely Using Secrets

Further reading:

• Kubernetes secrets examples
• Dynamic secrets on Kubernetes pods using Hashicorp Vault
• Managing Secrets on OpenShift – Vault Integration
• Using AWS KMS for application secrets in Kubernetes
• Injecting secrets with Aqua
• Your secret's safe with me
• How you could be leaking your secrets onto GitHub
• The problems with forcing regular password expiry
• Managing Secrets in OpenShift with CyberArk Conjur and the CyberArk Vault

Tooling:

• kelseyhightower/konfd
• bitnami-labs/sealed-secrets
• shyiko/kubesec
• cyberark/conjur

Advanced topics

• How Kubernetes certificate authorities work
• Kubernetes Application Operator Basics
• Are your servers PETS or CATTLE?
• Principles of Chaos Engineering
• gVisor in depth
• Nabla containers: a new approach to container isolation
• A step by step guide for getting started with Grafeas and Kubernetes
• Network Nano-Segmentation for Container Security in Aqua 2.0
• Using Network Policy in concert with Istio
• Multi-tenancy in Kubernetes
• SSRF in Exchange leads to ROOT access in all instances
• PIDs per Pod limit
• Lessons from the Cryptojacking Attack at Tesla
• Cryptocurrency Miners Abusing Containers: Anatomy of an (Attempted) Attack

Tooling:

• Prometheus
• Istio
• Linkerd
• Open Vulnerability and Assessment Language
• aporeto-inc/trireme-kubernetes
• jetstack/cert-manager
• Kata Containers
• google/gvisor
• SPIFFE
• Open Policy Agent

References

Official Kubernetes documentation

API and resource references relevant to security (Kubernetes v1.11) docs:

• Namespace
• Secret
• ResourceQuota
• ServiceAccount
• Role
• ClusterRole
• RoleBinding
• ClusterRoleBinding
• PodSecurityPolicy
• NetworkPolicy

Useful kubectl commands

• kubectl create secret … docs
• kubectl create serviceaccount … docs
• kubectl create role … docs
• kubectl create rolebinding … docs
• kubectl auth can-i … docs

Providers

• Aqua Security
• Twistlock
• Neuvector

---

The logo uses a padlock icon by Freepik from www.flaticon.com and the Kubernetes logo kudos to the CNCF, The Linux Foundation.