Kubernetes Security (Advanced Concepts)
July 12th, 2019
This course is the second part of the Kubernetes Security series. The first part is Kubernetes Security. This part is Advanced Concepts. This course guides the student through implementing network policy. It then goes through the administrative steps necessary to build, launch and maintain a secure Kubernetes Cluster.
Introduction to the Author
This video is the introduction to the course author.
Introduction to This Course
This is a brief introduction to the course, with some discussion of courses that are recommended as preparation for it.
This is a brief lesson covering what network overlays are with Kubernetes, and a few popular overlays available at the time this lesson was published.
This video provides examples of how network policies are implemented. The lesson also gives a brief introduction and explanation as to the examples covered in the lab.
Building a Kubernetes Infrastructure
Host Server Hardening
This lesson covers the steps necessary to harden an operating system image that may then be used for Kubernetes master and worker nodes. We'll look at Packer on AWS as an example. We'll also get a picture of what the lab at the end of this section entails.
Secure Software Supply Chain
This lesson covers how a DevSecOps CI/CD Pipeline would control workflow for applications and the Kubernetes Cluster artifacts as well. We'll emphasize the ephemeral nature of both the applications and the infrastructures they run on.
Container Registries and Trusted Repositories
This lesson continues on the subject of a secure software supply chain by discussing some of the key capabilities of trusted repositories. We'll cover signing of content, secure authentication, and scanning as necessary practices that ensure a secure Kubernetes environment.
Choosing an Installer
This video discusses various approaches to Kubernetes installers and shows some of the considerations to keep in mind when making an installer choice.
This lesson covers the role of configuration management and its importance for maintaining a Kubernetes delivery pipeline.
Scanning and Static Analysis of YAML
This lesson covers the need for YAML scanning, and demonstrates the Sonobuoy scanning tool from Heptio.
Launching a Kubernetes Cluster
From Lab to Maiden Voyage
This lesson discusses the opportunity for system administrators to take advantage of cloud infrastructures. By allowing virtual instances of servers to become available on demand, it's possible to build a pipeline for the Kubernetes cluster. This is similar to how application code pipelines might be used. We'll look at the idea of building, launching, testing, and then promoting a cluster configuration into production.
Hardening the Cluster
In the upcoming hands-on lab, we'll harden a cluster using the kube-bench utility. This lesson emphasizes the role that an installer (such as kops) and a configuration management tool (such as Ansible) might play in a build, launch, and maintain style of Kubernetes deployment pipeline.
Monitoring and Alerts
This lesson covers the importance of configuring and testing the monitoring and alerting tools that are used later in production. The lesson provides a brief demo of the Heptio Sonobuoy scanning product.
Maintaining a Kubernetes Infrastructure
Patching Live Deployments
This lesson demonstrates utilizing the Kubernetes patch capabilities to update container workloads while they are running in a live cluster.
Upgrading Kubernetes Components
This lesson covers using an installer to upgrade the Kubernetes Control Plane and Worker Node components.
This lesson introduces the concept of node recycling. By using the kubectl drain command, the administrator may cordon a node, evict its running pods, and thus disconnect it from the cluster. This allows for patching of the operating system and other server-level configuration. Once the maintenance is complete, the server may be reconnected with the uncordon command.
Summation and Next Steps
This lesson is a quick summary of the course, and lists some third-party resources that students may find useful.