
Kubernetes Security and Observability: A Holistic Approach to Securing Containers and Cloud Native Applications [Paperback]

  • Format: Paperback / softback, 182 pages
  • Publication date: 30-Nov-2021
  • Publisher: O'Reilly Media
  • ISBN-10: 1098107101
  • ISBN-13: 9781098107109
  • Price: 54.01 €*
  • * this price is final, i.e. no further discounts apply
  • List price: 63.54 €
  • You save 15%
  • Delivery from the publisher takes approximately 2-4 weeks
  • Free shipping

Securing, observing, and troubleshooting containerized workloads on Kubernetes can be daunting. It requires a range of considerations, from infrastructure choices and cluster configuration to deployment controls and runtime and network security. With this practical book, you'll learn how to adopt a holistic security and observability strategy for building and securing cloud native applications running on Kubernetes.

Whether you're already working on cloud native applications or are in the process of migrating to a cloud native architecture, this guide introduces key security and observability concepts and best practices for building and running cloud native applications. Authors Brendan Creane and Amit Gupta from Tigera take you through the full breadth of new cloud native approaches for establishing security and observability for applications running on Kubernetes.

  • Learn why you need a security and observability strategy for cloud native applications and determine your scope of coverage
  • Understand key concepts behind the book's security and observability approach
  • Explore the technology choices available to support this strategy
  • Discover how to share security responsibilities across multiple teams or roles
  • Learn how to architect Kubernetes security and observability for multicloud and hybrid environments
Preface  ix
1 Security and Observability Strategy  1
  Security for Kubernetes: A New and Different World  1
  Deploying a Workload in Kubernetes: Security at Each Stage  3
  Build-Time Security: Shift Left  5
  Deploy-Time Security  6
  Runtime Security  7
  Observability  13
  Security Frameworks  15
  Security and Observability  17
  Conclusion  18
2 Infrastructure Security  19
  Host Hardening  20
  Choice of Operating System  20
  Nonessential Processes  21
  Host-Based Firewalling  21
  Always Research the Latest Best Practices  21
  Cluster Hardening  22
  Secure the Kubernetes Datastore  22
  Secure the Kubernetes API Server  23
  Encrypt Kubernetes Secrets at Rest  23
  Rotate Credentials Frequently  25
  Authentication and RBAC  25
  Restricting Cloud Metadata API Access  26
  Enable Auditing  26
  Restrict Access to Alpha or Beta Features  28
  Upgrade Kubernetes Frequently  29
  Use a Managed Kubernetes Service  29
  CIS Benchmarks  29
  Network Security  30
  Conclusion  32
3 Workload Deployment Controls  33
  Image Building and Scanning  33
  Choice of a Base Image  33
  Container Image Hardening  35
  Container Image Scanning Solution  36
  Privacy Concerns  37
  Container Threat Analysis  37
  CI/CD  38
  Scan Images by Registry Scanning Services  39
  Scan Images After Builds  40
  Inline Image Scanning  41
  Kubernetes Admission Controller  42
  Securing the CI/CD Pipeline  42
  Organization Policy  43
  Secrets Management  43
  ETCD to Store Secrets  43
  Secrets Management Service  44
  Kubernetes Secrets Store CSI Driver  44
  Secrets Management Best Practices  44
  Authentication  46
  X509 Client Certificates  46
  Bearer Token  47
  OIDC Tokens  47
  Authentication Proxy  47
  Anonymous Requests  47
  User Impersonation  48
  Authorization  48
  Node  48
  ABAC  48
  AlwaysDeny/AlwaysAllow  48
  RBAC  49
  Namespaced RBAC  50
  Privilege Escalation Mitigation  50
  Conclusion  51
4 Workload Runtime Security  53
  Pod Security Policies  53
  Using Pod Security Policies  54
  Pod Security Policy Capabilities  56
  Pod Security Context  58
  Limitations of PSPs  59
  Process Monitoring  59
  Kubernetes Native Monitoring  60
  Seccomp  62
  SELinux  64
  AppArmor  66
  Sysctl  67
  Conclusion  68
5 Observability  69
  Monitoring  69
  Observability  72
  How Observability Works for Kubernetes  72
  Implementing Observability for Kubernetes  76
  Linux Kernel Tools  79
  Observability Components  80
  Aggregation and Correlation  81
  Visualization  84
  Service Graph  84
  Visualization of Network Flows  85
  Analytics and Troubleshooting  86
  Distributed Tracing  86
  Packet Capture  87
  Conclusion  87
6 Observability and Security  89
  Alerting  89
  Machine Learning  92
  Examples of Machine Learning Jobs  93
  Security Operations Center  94
  User and Entity Behavior Analytics  96
  Conclusion  98
7 Network Policy  99
  What Is Network Policy?  99
  Why Is Network Policy Important?  100
  Network Policy Implementations  101
  Network Policy Best Practices  102
  Ingress and Egress  103
  Not Just Mission-Critical Workloads  103
  Policy and Label Schemas  103
  Default Deny and Default App Policy  105
  Policy Tooling  107
  Development Processes and Microservices Benefits  107
  Policy Recommendations  108
  Policy Impact Previews  108
  Policy Staging and Audit Modes  109
  Conclusion  109
8 Managing Trust Across Teams  111
  Role-Based Access Control  112
  Limitations with Kubernetes Network Policies  112
  Richer Network Policy Implementations  113
  Admission Controllers  117
  Conclusion  119
9 Exposing Services to External Clients  121
  Understanding Direct Pod Connections  122
  Understanding Kubernetes Services  123
  Cluster IP Services  123
  Node Port Services  124
  Load Balancer Services  125
  externalTrafficPolicy:local  126
  Network Policy Extensions  127
  Alternatives to kube-proxy  128
  Direct Server Return  129
  Limiting Service External IPs  130
  Advertising Service IPs  132
  Understanding Kubernetes Ingress  133
  Conclusion  136
10 Encryption of Data in Transit  137
  Building Encryption into Your Code  138
  Sidecar or Service Mesh Encryption  139
  Network-Layer Encryption  140
  Conclusion  142
11 Threat Defense and Intrusion Detection  143
  Threat Defense for Kubernetes (Stages of an Attack)  143
  Intrusion Detection  147
  Intrusion Detection Systems  147
  IP Address and Domain Name Threat Feeds  147
  Special Considerations for Domain Name Feeds  150
  Advanced Threat Defense Techniques  154
  Canary Pods/Resources  154
  DNS-Based Attacks and Defense  155
  Conclusion  156
Conclusion  159
Index  163
Brendan Creane is Head of Engineering at Tigera, where he is responsible for all engineering operations, including Calico Cloud, Calico Enterprise, and Project Calico. Brendan has several decades of experience building enterprise security, observability, and networking products.

Amit Gupta is VP Product Management & Business Development at Tigera, where he is responsible for the strategy and vision of Tigera's products and leads the delivery of the company's roadmap. Amit is a hands-on product executive with expertise in building software products and services across various domains including cloud security, cloud-native applications, and public and private cloud infrastructure.