This chapter covers
- Security basics
- Container security
- Securing Pods
The only secure computer is in a secure building, locked in a guarded vault, inside a Faraday cage, with a biometric login, and not connected to the internet. Add up all of these precautions, and they still aren’t enough to be truly secure. As Kubernetes practitioners, we need to be reasonable and make security decisions based on business needs. By applying simple, basic practices, you can reduce the blast radius of a security risk. The phrase 'blast radius' refers to the breadth and depth of a security intrusion.
When Kubernetes first came out, security via obscurity was feasible. Kubernetes simply wasn’t a major attack vector; nowadays, however, CVEs in Kubernetes are a frequent occurrence. When you get hacked, the questions to ask are:
- What can they get into?
- What can they do?
- What data can they get?
With security comes a balancing act: security can slow down business, and businesses thrive when they operate at full speed. Being security conscious is different from overdoing security. The more you can automate, the more secure your system is; however, at the end of the day, a computer on the internet is simply NOT secure.