13 Security and policies

Scott Surovich

Google has made deploying Anthos clusters an easy, automated process. Because the process is automated, administrators may not consider anything past the initial simple cluster creation. When you deploy a cluster without considering postinstallation tasks like security, the likelihood is high that an attacker will be able to take control of your cluster with little effort.

Like many base installations of a product, a new Kubernetes cluster will include few, if any, enhanced security settings. For most enterprise systems, this setup is by design. Rather than force a rigid security model on an organization, potentially enabling features that may not be usable in some organizations, Kubernetes designers opt to make security a post-cluster-installation process that is designed and implemented by the organization.

13.1 Technical requirements

13.2 Hypervisors vs. container runtimes

13.3 Kubernetes security overview

13.3.1 Understanding Kubernetes security objects

13.3.2 Types of security

13.4 Common security concerns

13.4.1 Understanding the Policy Controller

13.4.2 Using Binary Authorization to secure the supply chain

13.4.3 Using Gatekeeper to replace PSPs

13.5 Understanding container scanning

13.5.1 Enabling container scanning

13.5.2 Adding images to your repository

13.5.3 Reviewing image vulnerabilities

13.6 Understanding container security

13.6.1 Running containers as root