Chapter 7 — Container & Kubernetes Security
PART III — COMPUTE, CONTAINERS, AND IAC
7.1 Kubernetes Security Architecture

Cluster Hardening

Master Node Security
```yaml
MasterNodeSecurity:
  AccessControl:
    - RBAC_enabled
    - ABAC_disabled
    - Anonymous_access_disabled
    - API_server_authentication
  NetworkSecurity:
    - Network_policies_enabled
    - Pod_security_policies
    - Service_mesh_integration
    - Ingress_controller_security
  etcdSecurity:
    - Encrypted_communication
    - Encrypted_data_at_rest
    - Regular_backups
    - Access_logging
```

Worker Node Security
```yaml
WorkerNodeSecurity:
  HostSecurity:
    - Read-only_filesystems
    - SELinux/AppArmor
    - Kernel_hardening
    - Resource_limits
  ContainerRuntime:
    - Secure_runtime_configuration
    - Image_scan_integration
    - Runtime_security_monitoring
    - Sandboxing
```

Network Security
Pod Security Standards
```yaml
PodSecurityStandards:
  Privileged:
    Level: "Restricted"
    Controls:
      - privileged_containers: "Forbidden"
      - host_network: "Forbidden"
      - host_pid: "Forbidden"
      - host_ipc: "Forbidden"
  Capabilities:
    Level: "Baseline"
    Allowed:
      - "NET_BIND_SERVICE"
      - "CHOWN"
    Denied:
      - "ALL"
  Volumes:
    TypeRestrictions:
      - hostPath: "Forbidden"
      - configMap: "Allowed"
      - secret: "Allowed"
      - persistentVolumeClaim: "Allowed"
```
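As an added example (not part of this chapter's material), the Restricted controls, capability allow list and hostPath restriction above turned into an admission-style check in Go. The types are a hand-written subset of the Pod spec rather than client-go, and the sample manifest fragment is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal Pod spec subset for the controls in the policy above. Assumed hand-written
// types, not client-go; encoding/json matches the camelCase manifest keys case-insensitively.
type Capabilities struct{ Add, Drop []string }
type SecurityContext struct{ Privileged *bool; Capabilities *Capabilities }
type Container struct{ Name string; SecurityContext *SecurityContext }
type Volume struct{ Name string; HostPath json.RawMessage } // HostPath is non-empty only when declared
type PodSpec struct{ HostNetwork, HostPID, HostIPC bool; Containers []Container; Volumes []Volume }

// Capabilities a container may add back after dropping ALL (the policy's allow list).
var allowedCaps = map[string]bool{"NET_BIND_SERVICE": true, "CHOWN": true}

// CheckPod evaluates a pod spec (the .spec object of a manifest) and returns one message per violated control; empty means admit.
func CheckPod(data []byte) ([]string, error) {
	var spec PodSpec
	if err := json.Unmarshal(data, &spec); err != nil { return nil, err }
	var v []string
	if spec.HostNetwork { v = append(v, "host_network: Forbidden") }
	if spec.HostPID { v = append(v, "host_pid: Forbidden") }
	if spec.HostIPC { v = append(v, "host_ipc: Forbidden") }
	for _, c := range spec.Containers {
		sc := c.SecurityContext
		if sc != nil && sc.Privileged != nil && *sc.Privileged { v = append(v, c.Name+": privileged_containers: Forbidden") }
		dropAll := false // Restricted: every container drops ALL, then may add only allowed caps
		if sc != nil && sc.Capabilities != nil {
			for _, d := range sc.Capabilities.Drop { dropAll = dropAll || d == "ALL" }
			for _, a := range sc.Capabilities.Add {
				if !allowedCaps[a] { v = append(v, c.Name+": capability "+a+" not in allow list") }
			}
		}
		if !dropAll { v = append(v, c.Name+": capabilities: must drop ALL") }
	}
	for _, vol := range spec.Volumes {
		if len(vol.HostPath) > 0 { v = append(v, "volume "+vol.Name+": hostPath: Forbidden") }
	}
	return v, nil
}

func main() {
	// Constructed sample: hostPID, a privileged container adding SYS_ADMIN, and a hostPath mount.
	bad := `{"hostPID":true,"containers":[{"name":"app","securityContext":{"privileged":true,"capabilities":{"add":["SYS_ADMIN"]}}}],"volumes":[{"name":"root","hostPath":{"path":"/"}}]}`
	out, err := CheckPod([]byte(bad))
	fmt.Println(out, err)
}
```

A container with no securityContext at all is also rejected, because the Restricted profile requires an explicit drop of ALL rather than relying on the runtime default set.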
7.2 Container Security

Visualizing the Secure Supply Chain:
```mermaid
graph TD
    %% Classes
    classDef dev fill:#f3f4f6,stroke:#374151,stroke-width:2px,color:#1f2937,font-weight:bold
    classDef pipeline fill:#dbeafe,stroke:#2563eb,stroke-width:2px,color:#1e40af
    classDef registry fill:#fce7f3,stroke:#db2777,stroke-width:2px,color:#9d174d
    classDef runtime fill:#d1fae5,stroke:#059669,stroke-width:2px,color:#065f46

    Dev[Developer]:::dev

    subgraph BE [Build Phase]
        direction TB
        CI[CI/CD Pipeline]:::pipeline
        Scan[Image Scanning]:::pipeline
    end

    subgraph Dist [Distribution]
        direction TB
        Reg[Container Registry]:::registry
        Sign[Image Signing]:::registry
    end

    subgraph Run [Runtime Phase]
        direction TB
        Adm[Admission Controller]:::runtime
        K8s[Kubernetes Cluster]:::runtime
    end

    Dev -->|Commit Code| CI
    CI -->|Build Image| Scan
    Scan -->|Clean Image| Reg
    Reg -->|Sign Image| Sign
    Sign -->|Verified Image| Adm
    Adm -->|Deploy Pod| K8s

    %% Styling
    style BE fill:#1f293b,stroke:#475569,stroke-dasharray: 5 5,rx:5,ry:5
    style Dist fill:#1f293b,stroke:#475569,stroke-dasharray: 5 5,rx:5,ry:5
    style Run fill:#1f293b,stroke:#475569,stroke-dasharray: 5 5,rx:5,ry:5
```
Image Security Pipeline

Multi-Stage Build Process
```dockerfile
# Build stage: toolchain and sources never reach the final image
FROM golang:1.19-alpine AS builder
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -o main .

# Security-hardened runtime stage
FROM scratch
WORKDIR /
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /app/main .
# Non-root user; numeric UID:GID because scratch has no /etc/passwd
USER 65534:65534
EXPOSE 8080
ENTRYPOINT ["/main"]
```

Image Scanning Integration
```yaml
CI/CD_Security_Pipeline:
  Stages:
    - name: "build"
      security_scan: false
    - name: "vulnerability_scan"
      tools:
        - Trivy
        - Clair
        - Grype
      fail_threshold: "high"
    - name: "compliance_check"
      policies:
        - no_root_user
        - minimal_base_image
        - no_secrets_in_image
    - name: "image_signing"
      tool: "cosign"
      key_management: "KMS"
    - name: "deploy"
      conditions:
        - scan_passed
        - signed
        - approved
```

Runtime Security
Container Runtime Monitoring
```yaml
RuntimeSecurity:
  BehavioralMonitoring:
    - Process_execution_monitoring
    - File_access_monitoring
    - Network_connection_tracking
    - System_call_filtering
  ThreatDetection:
    - Anomaly_detection
    - Known_malware_signatures
    - Container_escape_attempts
    - Privilege_escalation_detection
  Response:
    - Automatic_isolation
    - Alert_generation
    - Forensic_data_collection
    - Policy_enforcement
```