thebook
thebook copied to clipboard
Published
20 hours ago •
lizrice
lizrice
Links and resources for the O'Reilly Kubernetes Security book
Kubernetes Security
The book is expected to be published by fall 2018. Here are the links:
- Building container images
- Running containers
- Authentication and authorization
- Communication
- Apps
- Securing the control plane
- References
Building container images
Tooling:
- https://docs.docker.com/docker-cloud/builds/image-scan/
- https://github.com/coreos/clair
- https://www.open-scap.org/tools/
- https://www.aquasec.com/use-cases/continuous-image-assurance/
- https://neuvector.com/container-compliance-auditing-solutions/
- https://github.com/theupdateframework/notary
- https://github.com/in-toto
Further reading:
- Establishing Image Provenance and Security in Kubernetes
- Image Management & Mutability in Docker and Kubernetes
- Container security considerations in a Kubernetes deployment
- Building Container Images Securely on Kubernetes
- The OpenShift Build Process
- Introducing Grafeas: An open-source API to audit and govern your software supply chain
Running containers
Tooling:
- https://github.com/aquasecurity/kube-bench
- https://github.com/docker/docker-bench-security
- https://sysdig.com/opensource/falco/
- https://kubesec.io/
- https://www.twistlock.com/
- https://github.com/genuinetools/bane
Further reading:
- Just say no to root (in containers)
- Exploring Container Mechanisms Through the Story of a Syscall (slides | video)
- Improving your Kubernetes Workload Security Container Isolation at Scale (Introducing gVisor) (slides | video)
Authentication and authorization
Tooling:
- https://github.com/coreos/dex
- https://github.com/liggitt/audit2rbac
- https://github.com/heptio/authenticator
Further reading:
- Docs: Authentication, Authorization, Controlling Access to the Kubernetes API
- Kubernetes deep dive: API Server – part 1
- Certifik8s: All You Need to Know About Certificates in Kubernetes
- Kubernetes Auth and Access Control
- Effective RBAC
- Single Sign-On for Kubernetes: An Introduction
- Let's Encrypt, OAuth 2, and Kubernetes Ingress
Communication
Tooling:
- https://github.com/aporeto-inc/trireme-kubernetes
- https://github.com/jetstack/cert-manager/
- https://spiffe.io/
- https://www.openpolicyagent.org/
Further reading:
- Docs: Network policies
- How Kubernetes certificate authorities work
- Securing Kubernetes Cluster Networking
- Tutorials and Recipes for Kubernetes Network Policies feature
- Kubernetes Security Context and Kubernetes Network Policy
- Kubernetes Application Operator Basics
Apps
Tooling:
- https://github.com/kelseyhightower/konfd
- https://github.com/hashicorp/vault-plugin-auth-kubernetes
- https://github.com/bitnami-labs/sealed-secrets
- https://github.com/shyiko/kubesec
- https://github.com/weaveworks/flux
Further reading:
- Docs: Secrets, Configure a Security Context for a Pod or Container, Pod Security Policies
- Shipping in Pirate-Infested Waters: Practical Attack and Defense in Kubernetes
- Exploring container security: Isolation at different layers of the Kubernetes stack
- Security Best Practices for Kubernetes Deployment
- NIST Special Publication 800-190: Application Container Security Guide
- Kubernetes Security Best Practices
- Continuous Kubernetes Security
Securing the control plane
Tooling:
- https://github.com/bgeesaman/kubeatf
- https://github.com/Shopify/kubeaudit
- https://k8guard.github.io/
Further reading:
- Docs: Securing a Cluster, Encrypting Secret Data at Rest, Auditing
- Securing Kubernetes components: kubelet, etcd and Docker registry
- K8s security best practices
- Kubernetes Security - Best Practice Guide
- Lessons from the Cryptojacking Attack at Tesla
- Hacking and Hardening Kubernetes Clusters by Example
- What Does “Production Ready” Really Mean for a Kubernetes Cluster
- A Hacker's Guide to Kubernetes and the Cloud
- Kubernetes Container Clustering, Catastrophe
- Hardening Kubernetes from Scratch
References
Kubernetes (v1.10) docs references relevant to security:
- Namespace
- Secret
- ResourceQuota
- ServiceAccount
- Role / ClusterRole
- RoleBinding / ClusterRoleBinding
- PodSecurityPolicy
- NetworkPolicy
Useful kubectl commands:
-
kubectl create secret -
kubectl create serviceaccount -
kubectl create role -
kubectl create rolebinding -
kubectl auth can-i
lizrice