16 Securing applications with Policies, Contexts and Admission Control
Containers are a lightweight wrapper around application processes. They start quickly and add very little overhead to your app because they use the operating system kernel of the machine they're running on. That makes them super efficient, but at the cost of strong isolation: containers can be compromised, and a compromised container could provide unrestricted access to the server and to all the other containers running on it. Kubernetes has lots of features to secure your applications, but none of them are enabled by default. In this chapter you'll learn how to use the security controls in Kubernetes, and how to set up your cluster so those controls are required for all your workloads.
Securing applications in Kubernetes is about limiting what containers can do, so that if an attacker exploits an app vulnerability to run commands in the container, they can't get beyond that container. That means restricting network access to other containers and the Kubernetes API, restricting mounts of the host's filesystem, and limiting the operating system features the container can use. We'll cover the essential approaches, but the security space is large and evolving. This is a longer chapter and you're about to learn a lot, but it will only be the start of your journey to a secure Kubernetes environment.