Buy Cloud Native Security Book by Chris Binnie - Bookswagon
Cloud Native Security

About the Book

Explore the latest and most comprehensive guide to securing your Cloud Native technology stack

Cloud Native Security delivers a detailed study into minimizing the attack surfaces found on today's Cloud Native infrastructure. Throughout the work, hands-on examples walk through mitigating threats and the areas of concern that need to be addressed. The book gives professionals the diverse mix of niche knowledge required to harden Cloud Native estates.

The book begins with more accessible content on understanding Linux containers and container runtime protection before moving on to more demanding subject matter, such as advanced attacks on Kubernetes. You'll also learn about:

  • Installing and configuring multiple types of DevSecOps tooling in CI/CD pipelines
  • Building a forensic logging system that can provide exceptional levels of detail, suited to busy containerized estates
  • Securing the most popular container orchestrator, Kubernetes
  • Hardening cloud platforms and automating security enforcement in the cloud using sophisticated policies

Perfect for DevOps engineers, platform engineers, security professionals and students, Cloud Native Security will earn a place in the libraries of all professionals who wish to improve their understanding of modern security challenges.



Table of Contents:

Introduction xix

Part I Container and Orchestrator Security 1
  Chapter 1 What is a Container? 3
    Common Misconceptions 4
    Container Components 6
    Kernel Capabilities 7
    Other Containers 13
    Summary 14
  Chapter 2 Rootless Runtimes 17
    Docker Rootless Mode 18
    Installing Rootless Mode 20
    Running Rootless Podman 25
    Setting Up Podman 26
    Summary 31
  Chapter 3 Container Runtime Protection 33
    Running Falco 34
    Configuring Rules 38
    Changing Rules 39
    Macros 41
    Lists 41
    Getting Your Priorities Right 41
    Tagging Rulesets 42
    Outputting Alerts 42
    Summary 43
  Chapter 4 Forensic Logging 45
    Things to Consider 46
    Salient Files 47
    Breaking the Rules 49
    Key Commands 52
    The Rules 52
    Parsing Rules 54
    Monitoring 58
    Ordering and Performance 62
    Summary 63
  Chapter 5 Kubernetes Vulnerabilities 65
    Mini Kubernetes 66
    Options for Using kube-hunter 68
    Deployment Methods 68
    Scanning Approaches 69
    Hunting Modes 69
    Container Deployment 70
    Inside Cluster Tests 71
    Minikube vs. kube-hunter 74
    Getting a List of Tests 76
    Summary 77
  Chapter 6 Container Image CVEs 79
    Understanding CVEs 80
    Trivy 82
    Getting Started 83
    Exploring Anchore 88
    Clair 96
    Secure Registries 97
    Summary 101

Part II DevSecOps Tooling 103
  Chapter 7 Baseline Scanning (or, Zap Your Apps) 105
    Where to Find ZAP 106
    Baseline Scanning 107
    Scanning Nmap’s Host 113
    Adding Regular Expressions 114
    Summary 116
  Chapter 8 Codifying Security 117
    Security Tooling 117
    Installation 118
    Simple Tests 122
    Example Attack Files 124
    Summary 127
  Chapter 9 Kubernetes Compliance 129
    Mini Kubernetes 130
    Using kube-bench 133
    Troubleshooting 138
    Automation 139
    Summary 140
  Chapter 10 Securing Your Git Repositories 141
    Things to Consider 142
    Installing and Running Gitleaks 144
    Installing and Running GitRob 149
    Summary 151
  Chapter 11 Automated Host Security 153
    Machine Images 155
    Idempotency 156
    Secure Shell Example 158
    Kernel Changes 162
    Summary 163
  Chapter 12 Server Scanning With Nikto 165
    Things to Consider 165
    Installation 166
    Scanning a Second Host 170
    Running Options 171
    Command-Line Options 172
    Evasion Techniques 172
    The Main Nikto Configuration File 175
    Summary 176

Part III Cloud Security 177
  Chapter 13 Monitoring Cloud Operations 179
    Host Dashboarding with NetData 180
    Installing Netdata 180
    Host Installation 180
    Container Installation 183
    Collectors 186
    Uninstalling Host Packages 186
    Cloud Platform Interrogation with Komiser 186
    Installation Options 190
    Summary 191
  Chapter 14 Cloud Guardianship 193
    Installing Cloud Custodian 193
    Wrapper Installation 194
    Python Installation 195
    EC2 Interaction 196
    More Complex Policies 201
    IAM Policies 202
    S3 Data at Rest 202
    Generating Alerts 203
    Summary 205
  Chapter 15 Cloud Auditing 207
    Runtime, Host, and Cloud Testing with Lunar 207
    Installing to a Bash Default Shell 209
    Execution 209
    Cloud Auditing Against Benchmarks 213
    AWS Auditing with Cloud Reports 215
    Generating Reports 217
    EC2 Auditing 219
    CIS Benchmarks and AWS Auditing with Prowler 220
    Summary 223
  Chapter 16 AWS Cloud Storage 225
    Buckets 226
    Native Security Settings 229
    Automated S3 Attacks 231
    Storage Hunting 234
    Summary 236

Part IV Advanced Kubernetes and Runtime Security 239
  Chapter 17 Kubernetes External Attacks 241
    The Kubernetes Network Footprint 242
    Attacking the API Server 243
    API Server Information Discovery 243
    Avoiding API Server Information Disclosure 244
    Exploiting Misconfigured API Servers 245
    Preventing Unauthenticated Access to the API Server 246
    Attacking etcd 246
    etcd Information Discovery 246
    Exploiting Misconfigured etcd Servers 246
    Preventing Unauthorized etcd Access 247
    Attacking the Kubelet 248
    Kubelet Information Discovery 248
    Exploiting Misconfigured Kubelets 249
    Preventing Unauthenticated Kubelet Access 250
    Summary 250
  Chapter 18 Kubernetes Authorization with RBAC 251
    Kubernetes Authorization Mechanisms 251
    RBAC Overview 252
    RBAC Gotchas 253
    Avoid the cluster-admin Role 253
    Built-In Users and Groups Can Be Dangerous 254
    Read-Only Can Be Dangerous 254
    Create Pod is Dangerous 256
    Kubernetes Rights Can Be Transient 257
    Other Dangerous Objects 258
    Auditing RBAC 258
    Using kubectl 258
    Additional Tooling 259
    Rakkess 259
    kubectl-who-can 261
    Rback 261
    Summary 262
  Chapter 19 Network Hardening 265
    Container Network Overview 265
    Node IP Addresses 266
    Pod IP Addresses 266
    Service IP Addresses 267
    Restricting Traffic in Kubernetes Clusters 267
    Setting Up a Cluster with Network Policies 268
    Getting Started 268
    Allowing Access 271
    Egress Restrictions 273
    Network Policy Restrictions 274
    CNI Network Policy Extensions 275
    Cilium 275
    Calico 276
    Summary 278
  Chapter 20 Workload Hardening 279
    Using Security Context in Manifests 279
    General Approach 280
    allowPrivilegeEscalation 280
    Capabilities 281
    privileged 283
    readOnlyRootFilesystem 283
    seccompProfile 283
    Mandatory Workload Security 285
    Pod Security Standards 285
    PodSecurityPolicy 286
    Setting Up PSPs 286
    Setting Up PSPs 288
    PSPs and RBAC 289
    PSP Alternatives 291
    Open Policy Agent 292
    Installation 292
    Enforcement Actions 295
    Kyverno 295
    Installation 296
    Operation 296
    Summary 298

Index 299



About the Authors:

CHRIS BINNIE is a Technical Consultant who has worked for almost 25 years with critical Linux systems in banking and government, both on-premises and in the cloud. He has written two Linux books, has written for Linux and ADMIN magazines, and has five years of experience in DevOps security consultancy roles.

RORY MCCUNE has over 20 years of experience in the information and IT security arenas. His professional focus is on container, cloud, and application security; he is an author of the CIS Benchmarks for Docker and Kubernetes and has authored and delivered container security training at conferences around the world.


Product Details
  • ISBN-13: 9781119824534
  • Publisher: John Wiley & Sons Inc
  • Publisher Imprint: Standards Information Network
  • Language: English
  • ISBN-10: 1119824532
  • Publisher Date: 17 Jun 2021
  • Binding: Digital (delivered electronically)
  • No of Pages: 336

