Hacking Kubernetes
by Andrew Martin and Michael Hausenblas
Copyright 2022 Andrew Martin and Michael Hausenblas. All rights reserved.
Printed in the United States of America.
Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.
O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.
- Acquisitions Editor: John Devins
- Development Editor: Angela Rufino
- Production Editor: Beth Kelly
- Copyeditor: Kim Cofer
- Proofreader: Justin Billing
- Indexer: nSight, Inc.
- Interior Designer: David Futato
- Cover Designer: Karen Montgomery
- Illustrator: Kate Dullea
- October 2021: First Edition
Revision History for the First Edition
- 2021-10-13: First Release
See http://oreilly.com/catalog/errata.csp?isbn=9781492081739 for release details.
The O'Reilly logo is a registered trademark of O'Reilly Media, Inc. Hacking Kubernetes, the cover image, and related trade dress are trademarks of O'Reilly Media, Inc.
The views expressed in this work are those of the authors, and do not represent the publisher's views. While the publisher and the authors have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.
978-1-492-08173-9
Preface
Welcome to Hacking Kubernetes, a book for Kubernetes practitioners who want to run their workloads securely and safely. At time of writing, Kubernetes has been around for some six years, give or take. There are over one hundred certified Kubernetes offerings available, such as distributions and managed services. With an increasing number of organizations deciding to move their workloads to Kubernetes, we thought we'd share our experiences in this space, to help make your workloads more secure and safe to deploy and operate. Thank you for joining us on this journey, and we hope you have as much fun reading this book and applying what you learn as we had writing it.
In this preface, we will paint a picture of our intended audience, talk about why we wrote the book, and explain how we think you should go about using it by providing a quick content guide. We will also go over some administrative details like Kubernetes versions and conventions used.
About You
To get the most out of the book, we assume that you either have a DevOps role, are a Kubernetes platform person, a cloud native architect, a site reliability engineer (SRE), or something related to being a chief information security officer (CISO). We further assume that you're interested in being hands-on: while we discuss threats and defenses in principle, we try our best to demonstrate them at the same time and point you to tools that can help you.
At this point we also want to make sure you understand that the book you're reading is targeting advanced topics. We assume that you're already familiar with Kubernetes, and specifically Kubernetes security topics, at least on a surface level. In other words, we don't go into much detail about how things work, but summarize or recap important concepts or mechanisms on a per-chapter basis.
Warning
We wrote this book with Blue and Red Teams in mind. It goes without saying that what we share here is to be used exclusively for defending your own Kubernetes cluster and workloads.
In particular, we assume that you understand what containers are for and how they run in Kubernetes. If you are not yet familiar with these topics, we recommend that you do some preliminary reading. The following are books we suggest consulting:
Kubernetes: Up and Running by Brendan Burns, Kelsey Hightower, and Joe Beda (O'Reilly)
Managing Kubernetes by Brendan Burns and Craig Tracey (O'Reilly)
Kubernetes Security by Liz Rice and Michael Hausenblas (O'Reilly)
Container Security by Liz Rice (O'Reilly)
Cloud Native Security by Chris Binnie and Rory McCune (Wiley)
Now that we have made clear what this book aims to achieve and who will, in our view, benefit from it, let's move on to a different topic: the authors.
About Us
Based on our combined 10+ years of hands-on experience designing, running, attacking, and defending Kubernetes-based workloads and clusters, we, the authors, want to equip you, the cloud native security practitioner, with what you need to be successful in your job.
Security is often illuminated by the light of past mistakes, and both of us have been learning (and making mistakes in!) Kubernetes security for a while now. We wanted to be sure that what we thought we understood about the subject was true, so we wrote a book to verify our suspicions through a shared lens.
We have both served in different companies and roles, given training sessions, published material from tooling to blog posts, and we have shared lessons learned on the topic in various public speaking engagements. Much of what motivates us here and the examples we use are rooted in our experiences in our day-to-day jobs and/or things we observed at our clients' companies.
How To Use This Book
This book is a threat-based guide to security in Kubernetes, using a vanilla Kubernetes installation with its (built-in) defaults as a starting point. We'll kick off discussions with an abstract threat model of a distributed system running arbitrary workloads and progress to a detailed assessment of each component of a secure Kubernetes system.
In each chapter, we examine a component's architecture and potential default settings and review high-profile attacks and historical Common Vulnerabilities and Exposures (CVEs). We also demonstrate attacks and share best-practice configuration in order to demonstrate hardening clusters from possible angles of attack.
In order to aid you in navigating the book, here's a quick rundown on the chapter level:
In we set the scene, introducing our main antagonist and also what threat modeling is.
then focuses on pods, from configurations to attacks to defenses.
Next up, in , we switch gears and dive deep into sandboxing and isolation techniques.
then covers supply chain attacks and what you can do to detect and mitigate them.
In we then review networking defaults and how to secure your cluster and workload traffic.
Then, in we shift our focus to aspects of persistence, looking at filesystems, volumes, and sensitive information at rest.
covers the topic of running workloads for multiple tenants in a cluster and what can go wrong with this.
Next up is , where we review different kinds of policies in use, discuss access control, specifically role-based access control (RBAC), and generic policy solutions such as Open Policy Agent (OPA).