Chapter 13. Securing cluster nodes and the network

This chapter covers

  • Using the node’s default Linux namespaces in pods
  • Running containers as different users
  • Running privileged containers
  • Adding or dropping a container’s kernel capabilities
  • Defining security policies to limit what pods can do
  • Securing the pod network

In the previous chapter, we talked about securing the API server. An attacker who gains access to the API server with permission to create pods can run whatever code they like by packaging it into a container image and running it in a pod. But can they do any real damage? Aren’t containers isolated from other containers and from the node they’re running on?

Not necessarily. In this chapter, you’ll learn how to allow pods to access the resources of the node they’re running on. You’ll also learn how to configure the cluster so users aren’t able to do whatever they want with their pods. Then, in the last part of the chapter, you’ll also learn how to secure the network the pods use to communicate.

13.1. Using the host node’s namespaces in a pod

Each pod normally runs under its own set of Linux namespaces (the containers in a pod share a network namespace but, by default, have separate PID namespaces), which isolate their processes from processes running in other pods and from the processes in the node’s default namespaces.
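
That isolation can be undone from the pod manifest itself: hostNetwork, hostPID and hostIPC place the containers in the node’s namespaces, and each container’s securityContext controls privileged mode, added capabilities, the user ID and whether the root filesystem is writable. The following Python script is an added example, not code from the book: it audits a pod manifest for those settings and reports every one that weakens the boundary between the container and the node. The field names are real PodSpec fields; the two sample manifests and the audit_pod function are constructed here. It goes beyond this section by covering the securityContext, hostPath and hostPort settings that the rest of the chapter outline lists.

```python
"""Audit a Kubernetes pod manifest for settings that weaken the isolation
between the container and the node it runs on.

Constructed example (not from the book). Field names follow the Kubernetes
PodSpec API; the sample manifests below are made up for this example.
"""
from __future__ import annotations

from typing import Any

# Constructed sample: a pod that joins the node's namespaces and runs privileged.
SHARED_NAMESPACES_POD: dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "pod-with-host-namespaces"},
    "spec": {
        "hostNetwork": True,   # node's network namespace (sees node interfaces)
        "hostPID": True,       # node's PID namespace (sees node processes)
        "hostIPC": True,       # node's IPC namespace (shares node IPC objects)
        "containers": [{
            "name": "main",
            "image": "alpine",
            "command": ["/bin/sleep", "999999"],
            "securityContext": {"privileged": True},
        }],
    },
}

# Constructed sample: the same workload with the isolation kept intact.
HARDENED_POD: dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "pod-isolated"},
    "spec": {
        "containers": [{
            "name": "main",
            "image": "alpine",
            "command": ["/bin/sleep", "999999"],
            "securityContext": {
                "runAsUser": 405,                 # explicit non-root UID
                "runAsNonRoot": True,             # kubelet refuses a root image
                "readOnlyRootFilesystem": True,   # no writes to the container fs
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


def audit_pod(manifest: dict[str, Any]) -> list[str]:
    """Return a human-readable finding for every isolation-weakening setting."""
    spec = manifest.get("spec", {})
    findings: list[str] = []

    # Pod-level: host namespaces and host filesystem access.
    for ns_field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns_field):
            findings.append(f"pod shares the node's {ns_field} namespace")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            path = vol["hostPath"].get("path")
            findings.append(f"volume {vol.get('name')} mounts node path {path}")

    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"container {name} is privileged")
        for cap in sc.get("capabilities", {}).get("add", []):
            findings.append(f"container {name} adds capability {cap}")
        # Container-level settings override the pod-level securityContext.
        run_as = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as == 0:
            findings.append(f"container {name} runs explicitly as root (runAsUser: 0)")
        elif run_as is None and not non_root:
            findings.append(
                f"container {name} may run as root (no runAsUser, runAsNonRoot not set)")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"container {name} has a writable root filesystem")
        for port in c.get("ports", []):
            if port.get("hostPort"):
                findings.append(f"container {name} binds node port {port['hostPort']}")
    return findings


if __name__ == "__main__":
    for pod in (SHARED_NAMESPACES_POD, HARDENED_POD):
        print(pod["metadata"]["name"])
        for finding in audit_pod(pod) or ["no findings"]:
            print("  -", finding)
```

Run against the two constructed manifests, the audit reports six findings for the first pod (three shared namespaces, privileged mode, a possibly-root user, a writable root filesystem) and none for the hardened one. In a real cluster the same checks are what an admission policy enforces before the pod is ever scheduled; running them over manifests in a repository catches the problem earlier still.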

13.1.1. Using the node’s network namespace in a pod

13.1.2. Binding to a host port without using the host’s network namespace

13.1.3. Using the node’s PID and IPC namespaces

13.2. Configuring the container’s security context

13.2.1. Running a container as a specific user

13.2.2. Preventing a container from running as root

13.2.3. Running pods in privileged mode

13.2.4. Adding individual kernel capabilities to a container

13.2.5. Dropping capabilities from a container

13.2.6. Preventing processes from writing to the container’s filesystem

13.2.7. Sharing volumes when containers run as different users

13.3. Restricting the use of security-related features in pods

13.3.1. Introducing the PodSecurityPolicy resource

13.3.2. Understanding runAsUser, fsGroup, and supplementalGroups policies

13.3.3. Configuring allowed, default, and disallowed capabilities

13.3.4. Constraining the types of volumes pods can use

13.3.5. Assigning different PodSecurityPolicies to different users and groups

13.4. Isolating the pod network

13.4.1. Enabling network isolation in a namespace

13.4.2. Allowing only some pods in the namespace to connect to a server pod

13.4.3. Isolating the network between Kubernetes namespaces