E-book: Hacking Kubernetes: Threat-Driven Analysis and Defense

  • Format: 314 pages
  • Publication date: 13-Oct-2021
  • Publisher: O'Reilly Media
  • Language: eng
  • ISBN-13: 9781492081685
  • File format: EPUB+DRM
  • Price: 47,96 €*
  • * the price is final, i.e. no further discounts apply
  • This e-book is intended for personal use only. E-books cannot be returned.

DRM restrictions

  • Copying (copy/paste):

    not permitted

  • Printing:

    not permitted

  • Use:

    Digital rights management (DRM)
    The publisher has issued this e-book in encrypted form, which means that you must install special software to read it. You also need to create an Adobe ID. The e-book can be read by 1 user and downloaded to up to 6 devices (all authorised with the same Adobe ID).

    Required software
    To read on mobile devices (phone or tablet) you must install this free app: PocketBook Reader (iOS / Android)

    To read on a PC or Mac you must install Adobe Digital Editions (this is a free application made specifically for reading e-books; do not confuse it with Adobe Reader, which is probably already installed on your computer).

    This e-book cannot be read on an Amazon Kindle.

Want to run your Kubernetes workloads safely and securely? This practical book provides a threat-based guide to Kubernetes security. Each chapter examines a particular component's architecture and potential default settings and then reviews existing high-profile attacks and historical Common Vulnerabilities and Exposures (CVEs). Authors Andrew Martin and Michael Hausenblas share best-practice configuration to help you harden clusters from possible angles of attack.

This book begins with a vanilla Kubernetes installation with built-in defaults. You'll examine an abstract threat model of a distributed system running arbitrary workloads, and then progress to a detailed assessment of each component of a secure Kubernetes system.

  • Understand where your Kubernetes system is vulnerable with threat modelling techniques
  • Focus on pods, from configurations to attacks and defenses
  • Secure your cluster and workload traffic
  • Define and enforce policy with RBAC, OPA, and Kyverno
  • Dive deep into sandboxing and isolation techniques
  • Learn how to detect and mitigate supply chain attacks
  • Explore filesystems, volumes, and sensitive information at rest
  • Discover what can go wrong when running multitenant workloads in a cluster
  • Learn what you can do if someone breaks in despite you having controls in place

Preface ix
1 Introduction 1
  Setting the Scene 2
  Starting to Threat Model 3
  Threat Actors 4
  Your First Threat Model 7
  Attack Trees 9
  Example Attack Trees 11
  Prior Art 13
  Conclusion 13
2 Pod-Level Resources 15
  Defaults 15
  Threat Model 16
  Anatomy of the Attack 17
  Remote Code Execution 18
  Network Attack Surface 19
  Kubernetes Workloads: Apps in a Pod 20
  What's a Pod? 22
  Understanding Containers 27
  Sharing Network and Storage 28
  What's the Worst That Could Happen? 30
  Container Breakout 34
  Pod Configuration and Threats 37
  Pod Header 37
  Reverse Uptime 38
  Labels 39
  Managed Fields 39
  Pod Namespace and Owner 40
  Environment Variables 40
  Container Images 41
  Pod Probes 43
  CPU and Memory Limits and Requests 43
  DNS 44
  Pod securityContext 46
  Pod Service Accounts 49
  Scheduler and Tolerations 49
  Pod Volume Definitions 49
  Pod Network Status 50
  Using the securityContext Correctly 50
  Enhancing the securityContext with Kubesec 52
  Hardened securityContext 53
  Into the Eye of the Storm 57
  Conclusion 58
3 Container Runtime Isolation 59
  Defaults 59
  Threat Model 60
  Containers, Virtual Machines, and Sandboxes 62
  How Virtual Machines Work 64
  Benefits of Virtualization 67
  What's Wrong with Containers? 67
  User Namespace Vulnerabilities 69
  Sandboxing 73
  gVisor 75
  Firecracker 82
  Kata Containers 84
  rust-vmm 85
  Risks of Sandboxing 86
  Kubernetes Runtime Class 87
  Conclusion 88
4 Applications and Supply Chain 89
  Defaults 90
  Threat Model 90
  The Supply Chain 91
  Software 94
  Scanning for CVEs 95
  Ingesting Open Source Software 96
  Which Producers Do We Trust? 97
  CNCF Security Technical Advisory Group 98
  Architecting Containerized Apps for Resilience 98
  Detecting Trojans 99
  Captain Hashjack Attacks a Supply Chain 100
  Post-Compromise Persistence 102
  Risks to Your Systems 102
  Container Image Build Supply Chains 103
  Software Factories 103
  Blessed Image Factory 104
  Base Images 105
  The State of Your Container Supply Chains 106
  Third-Party Code Risk 107
  Software Bills of Materials 108
  Human Identity and GPG 110
  Signing Builds and Metadata 110
  Notary v1 111
  sigstore 111
  in-toto and TUF 113
  GCP Binary Authorization 113
  Grafeas 114
  Infrastructure Supply Chain 114
  Operator Privileges 114
  Attacking Higher Up the Supply Chain 114
  Types of Supply Chain Attack 115
  Open Source Ingestion 117
  Application Vulnerability Throughout the SDLC 119
  Defending Against SUNBURST 120
  Conclusion 123
5 Networking 125
  Defaults 126
  Intra-Pod Networking 128
  Inter-Pod Traffic 128
  Pod-to-Worker Node Traffic 129
  Cluster-External Traffic 129
  The State of the ARP 130
  No securityContext 131
  No Workload Identity 132
  No Encryption on the Wire 132
  Threat Model 133
  Traffic Flow Control 134
  The Setup 134
  Network Policies to the Rescue! 137
  Service Meshes 139
  Concept 139
  Options and Uptake 140
  Case Study: mTLS with Linkerd 141
  eBPF 144
  Concept 144
  Options and Uptake 144
  Case Study: Attaching a Probe to a Go Program 145
  Conclusion 147
6 Storage 149
  Defaults 150
  Threat Model 150
  Volumes and Datastores 152
  Everything Is a Stream of Bytes 152
  What's a Filesystem? 153
  Container Volumes and Mounts 154
  OverlayFS 155
  tmpfs 156
  Volume Mount Breaks Container Isolation 158
  The /proc/self/exe CVE 160
  Sensitive Information at Rest 162
  Mounted Secrets 162
  Attacking Mounted Secrets 163
  Storage Concepts 164
  Container Storage Interface 164
  Projected Volumes 165
  Attacking Volumes 167
  The Dangers of Host Mounts 169
  Other Secrets and Exfiltrating from Datastores 169
  Conclusion 170
7 Hard Multitenancy 171
  Defaults 172
  Threat Model 172
  Namespaced Resources 173
  Node Pools 174
  Node Taints 176
  Soft Multitenancy 177
  Hard Multitenancy 178
  Hostile Tenants 178
  Sandboxing and Policy 179
  Public Cloud Multitenancy 180
  Control Plane 181
  API Server and etcd 182
  Scheduler and Controller Manager 184
  Data Plane 187
  Cluster Isolation Architecture 188
  Cluster Support Services and Tooling Environments 190
  Security Monitoring and Visibility 191
  Conclusion 191
8 Policy 193
  Types of Policies 194
  Defaults 194
  Network Traffic 195
  Limiting Resource Allocations 195
  Resource Quotas 196
  Runtime Policies 197
  Access Control Policies 197
  Threat Model 198
  Common Expectations 198
  Breakglass Scenario 199
  Auditing 199
  Authentication and Authorization 200
  Human Users 201
  Workload Identity 201
  Role-Based Access Control (RBAC) 204
  RBAC Recap 204
  A Simple RBAC Example 205
  Authoring RBAC 207
  Analyzing and Visualizing RBAC 209
  RBAC-Related Attacks 211
  Generic Policy Engines 212
  Open Policy Agent 212
  Kyverno 218
  Other Policy Offerings 220
  Conclusion 221
9 Intrusion Detection 223
  Defaults 223
  Threat Model 224
  Traditional IDS 224
  eBPF-Based IDS 226
  Kubernetes and Container Intrusion Detection 227
  Falco 227
  Machine Learning Approaches to IDS 229
  Container Forensics 230
  Honeypots 232
  Auditing 234
  Detection Evasion 235
  Security Operations Centers 236
  Conclusion 237
10 Organizations 239
  The Weakest Link 240
  Cloud Providers 241
  Shared Responsibility 242
  Account Hygiene 243
  Grouping People and Resources 245
  Other Considerations 246
  On-Premises Environments 247
  Common Considerations 249
  Threat Model Explosion 249
  How SLOs Can Put Additional Pressure on You 252
  Social Engineering 252
  Privacy and Regulatory Concerns 254
  Conclusion 255
A A Pod-Level Attack 257
B Resources 271
Index 279