16 Securing applications with policies, contexts, and admission control

 

Containers are a lightweight wrapper around application processes. They start quickly and add little overhead to your app because they use the operating system kernel of the machine on which they’re running. That makes them super efficient, but at the cost of strong isolation—containers can be compromised, and a compromised container could provide unrestricted access to the server and to all the other containers running on it. Kubernetes has many features to secure your applications, but none of them are enabled by default. In this chapter, you’ll learn how to use the security controls in Kubernetes and how to set up your cluster so those controls are required for all your workloads.

Securing applications in Kubernetes is about limiting what containers can do, so if an attacker exploits an app vulnerability to run commands in the container, they can’t get beyond that container. We can do this by restricting network access to other containers and the Kubernetes API, restricting mounts of the host’s filesystem, and limiting the operating system features the container can use. We’ll cover the essential approaches, but the security space is large and evolving. This chapter is even longer than the others—you’re about to learn a lot, but it will be only the start of your journey to a secure Kubernetes environment.
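The three restrictions listed above can be checked against a Pod manifest before it is deployed. The following is an added example, not code from the book: a hypothetical `audit_pod` helper run over constructed manifests, which matches NetworkPolicy selectors by `matchLabels` only and does not look at ServiceAccount settings.

```python
# Added example: flag the exposures named above in a Pod manifest (as a dict).
# audit_pod and every sample manifest below are constructed for illustration.

def audit_pod(pod, network_policies=()):
    meta, spec = pod.get("metadata", {}), pod.get("spec", {})
    labels, ns = meta.get("labels", {}), meta.get("namespace", "default")
    findings = []

    def selects(policy):  # simplification: matchLabels only, no matchExpressions
        if policy.get("metadata", {}).get("namespace", "default") != ns:
            return False
        want = policy.get("spec", {}).get("podSelector", {}).get("matchLabels", {})
        return all(labels.get(k) == v for k, v in want.items())

    if not any(selects(p) for p in network_policies):
        findings.append("network: no NetworkPolicy selects this pod")
    # The token is mounted unless the Pod (or its ServiceAccount) opts out.
    if spec.get("automountServiceAccountToken") is not False:
        findings.append("api: service account token is mounted")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"mount: volume {vol['name']} uses hostPath {vol['hostPath'].get('path')}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"os: {c['name']} is privileged")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"os: {c['name']} allows privilege escalation")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"os: {c['name']} keeps default capabilities")
    return findings

WEAK_POD = {
    "metadata": {"name": "web", "labels": {"app": "web"}},
    "spec": {
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
        "containers": [{"name": "web", "securityContext": {"privileged": True}}],
    },
}
HARDENED_POD = {
    "metadata": {"name": "web", "labels": {"app": "web"}},
    "spec": {
        "automountServiceAccountToken": False,
        "containers": [{"name": "web", "securityContext": {
            "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}],
    },
}
POLICY = {"metadata": {"name": "web-only", "namespace": "default"},
          "spec": {"podSelector": {"matchLabels": {"app": "web"}}}}
```

`audit_pod(WEAK_POD)` reports all four kinds of exposure, while `audit_pod(HARDENED_POD, [POLICY])` returns an empty list.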

16.1 Securing communication with network policies

16.2 Restricting container capabilities with security contexts

16.3 Blocking and modifying workloads with webhooks

16.4 Controlling admission with Open Policy Agent

16.5 Understanding security in depth in Kubernetes

16.6 Lab