Verfügbarkeit: Hacking Kubernetes | Technische Universität München

Hacking Kubernetes: threat-driven analysis and defense

Gespeichert in:

Bibliographische Detailangaben
Beteiligte Personen:	Martin, Andrew (VerfasserIn), Hausenblas, Michael 19XX- (VerfasserIn)
Format:	Buch
Sprache:	Englisch
Veröffentlicht:	Beijing ; Boston ; Farnham ; Sebastopol ; Tokyo O'Reilly Oktober 2022
Ausgabe:	First edition
Schlagwörter:	Open Source Cloud Computing Kubernetes Computersicherheit Open source software / Security measures Application software / Security measures
Links:	http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=032955210&sequence=000001&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA
Umfang:	xiv, 295 Seiten Illustrationen 24 cm
ISBN:	9781492081739

Internformat

MARC


LEADER	00000nam a2200000 c 4500
001	BV047569561
003	DE-604
005	20221124
007	t\|
008	211102s2022 xx a\|\|\| \|\|\|\| 00\|\|\| eng d
020			\|a 9781492081739 \|c Pb.: 59.99 USD \|9 978-1-4920-8173-9
035			\|a (OCoLC)1286866438
035			\|a (DE-599)BVBBV047569561
040			\|a DE-604 \|b ger \|e rda
041	0		\|a eng
049			\|a DE-706 \|a DE-M347 \|a DE-739
084			\|a ST 277 \|0 (DE-625)143643: \|2 rvk
100	1		\|a Martin, Andrew \|e Verfasser \|0 (DE-588)1246375206 \|4 aut
245	1	0	\|a Hacking Kubernetes \|b threat-driven analysis and defense \|c Andrew Martin and Michael Hausenblas
250			\|a First edition
264		1	\|a Beijing ; Boston ; Farnham ; Sebastopol ; Tokyo \|b O'Reilly \|c Oktober 2022
300			\|a xiv, 295 Seiten \|b Illustrationen \|c 24 cm
336			\|b txt \|2 rdacontent
337			\|b n \|2 rdamedia
338			\|b nc \|2 rdacarrier
650	0	7	\|a Open Source \|0 (DE-588)4548264-0 \|2 gnd \|9 rswk-swf
650	0	7	\|a Cloud Computing \|0 (DE-588)7623494-0 \|2 gnd \|9 rswk-swf
650	0	7	\|a Kubernetes \|0 (DE-588)1153019000 \|2 gnd \|9 rswk-swf
650	0	7	\|a Computersicherheit \|0 (DE-588)4274324-2 \|2 gnd \|9 rswk-swf
653		0	\|a Open source software / Security measures
653		0	\|a Application software / Security measures
689	0	0	\|a Kubernetes \|0 (DE-588)1153019000 \|D s
689	0	1	\|a Cloud Computing \|0 (DE-588)7623494-0 \|D s
689	0	2	\|a Open Source \|0 (DE-588)4548264-0 \|D s
689	0	3	\|a Computersicherheit \|0 (DE-588)4274324-2 \|D s
689	0		\|5 DE-604
700	1		\|a Hausenblas, Michael \|d 19XX- \|e Verfasser \|0 (DE-588)1160323100 \|4 aut
856	4	2	\|m Digitalisierung UB Passau - ADAM Catalogue Enrichment \|q application/pdf \|u http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=032955210&sequence=000001&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA \|3 Inhaltsverzeichnis
943	1		\|a oai:aleph.bib-bvb.de:BVB01-032955210

Datensatz im Suchindex

_version_	1819323120149856256
adam_text	Table of Contents Preface....................................................................................................... ix 1. Introduđion............................................................................................. 1 Setting the Scene Starting to Threat Model Threat Actors Your First Threat Model Attack Trees Example Attack Trees Prior Art Conclusion 2 3 4 7 9 11 13 13 2. Pod-Level Resources................................................................................. 15 Defaults.................................................................................................................. 15 Threat Model......................................................................................................... 16 Anatomy of the Attack.......................................................................................... 17 Remote Code Execution................................................................................ 18 Network Attack Surface Kübemetes Workloads: Apps in a Pod What’s a Pod? Understanding Containers Sharing Network and Storage What’s the Worst That Could Happen? Container Breakout Pod Configuration and Threats Pod Header Reverse Uptime Labels 19 20 22 27 28 30 34 37 37 38 39 iii Managed Fields Pod Namespace and Owner Environment Variables Container Images Pod Probes CPU and Memory Limits and Requests DNS Pod securityContext Pod Service Accounts Scheduler and Tolerations Pod Volume Definitions Pod Network Status Using the securityContext Correctly Enhancing the securityContext with Kubesec Hardened securityContext Into the Eye of the Storm Conclusion 39 40 40 41 43 43 44 46 49 49 49 50 50 52 53 57 58 3. Container Runtime Isolation....................................................................... 59 Defaults Threat Model Containers, Virtual Machines, and Sandboxes How Virtual Machines Work Benefits of Virtualization What’s Wrong with Containers? User Namespace Vulnerabilities Sandboxing gVisor Firecracker Kata Containers rust-vmm Risks of Sandboxing Kübemetes Runtime Class Conclusion 59 60 62 64 67 67 69 73 75 82 84 85 86 87 88 4. Applications and Supply Chain.................................................................... 89 Defaults Threat Model The Supply Chain Software Scanning for CVEs Ingesting Open Source Software iv I Table of Contents 90 90 91 94 95 96 Which Producers Do We Trust? CNCF Security Technical Advisory Group Architecting Containerized Apps for Resilience Detecting Trojans Captain Hashjack Attacks a Supply Chain Post-Compromise Persistence Risks to Your Systems Container Image Build Supply Chains Software Factories Blessed Image Factory Base Images The State of Your Container Supply Chains Third-Party Code Risk Software Bills of Materials Human Identity and GPG Signing Builds and Metadata Notary vl sigstore in-toto and TUF GCP Binary Authorization Grafeas Infrastructure Supply Chain Operator Privileges Attacking Higher Up the Supply Chain Types of Supply Chain Attack Open Source Ingestion Application Vulnerability Throughout the SDLC Defending Against SUNBURST Conclusion 97 98 98 99 100 102 102 103 103 104 105 106 107 108 110 110 111 111 113 113 114 114 114 114 115 117 119 120 123 5. Networking................................................................................................... Defaults Intra-Pod Networking Inter-Pod Traffic Pod-to-Worker Node Traffic Cluster-External Traffic The State of the ARP No securityContext No Workload Identity No Encryption on the Wire Threat Model Traffic Flow Control 125 126 128 128 129 129 130 131 132 132 133 134 Table of Contents \| v The Setup Network Policies to the Rescue! Service Meshes Concept Options and Uptake Case Study: mTLS with Linkerd eBPF Concept Options and Uptake Case Study: Attaching a Probe to a Go Program Conclusion 134 137 139 139 140 141 144 144 144 145 147 6. Storage........................................................................................ 149 Defaults Threat Model Volumes and Datastores Everything Is a Stream of Bytes What’s a Filesystem? Container Volumes and Mounts OverlayFS tmpfs Volume Mount Breaks Container Isolation The /proc/self/exe CVE Sensitive Information at Rest Mounted Secrets Attacking Mounted Secrets Storage Concepts Container Storage Interface Projected Volumes Attacking Volumes The Dangers of Host Mounts Other Secrets and Exfiltraing from Datastores Conclusion 150 150 152 152 153 154 155 156 158 160 162 162 163 164 164 165 167 169 169 170 7. Hard Multitenancy........................................................................... 171 Defaults Threat Model Namespaced Resources Node Pools Node Taints Soft Multitenancy Hard Multitenancy vi I Table of Contents 172 172 173 174 176 177 178 Hostile Tenants Sandboxing and Policy Public Cloud Multitenancy Control Plane API Server and eted Scheduler and Controller Manager Data Plane Cluster Isolation Architecture Cluster Support Services and Tooling Environments Security Monitoring and Visibility Conclusion 178 179 180 181 182 184 187 188 190 191 191 8. Policy.................................................................................................... 193 Types of Policies Defaults Network Traffic Limiting Resource Allocations Resource Quotas Runtime Policies Access Control Policies Threat Model Common Expectations Breakglass Scenario Auditing Authentication and Authorization Human Users Workload Identity Role-Based Access Control (RBAC) RBAC Recap A Simple RBAC Example Authoring RBAC Analyzing and Visualizing RBAC RBAC-Related Attacks Generic Policy Engines Open Policy Agent Kyverno Other Policy Offerings Conclusion 194 194 195 195 196 197 197 198 198 199 199 200 201 201 204 204 205 207 209 211 212 212 218 220 221 9. Intrusion Detection................................................................................... 223 223 224 Defaults Threat Model Table of Contents \| vii Traditional IDS eBPF-Based IDS Kübemetes and Container Intrusion Detection Falco Machine Learning Approaches to IDS Container Forensics Honeypots Auditing Detection Evasion Security Operations Centers Conclusion 224 226 227 227 229 230 232 234 235 236 237 10. Organizations..................................................................... ................... 239 The Weakest Link Cloud Providers Shared Responsibility Account Hygiene Grouping People and Resources Other Considerations On-Premises Environments Common Considerations Threat Model Explosion How SLOs Can Put Additional Pressure on You Social Engineering Privacy and Regulatory Concerns Conclusion 240 241 242 243 245 246 247 249 249 252 252 254 255 A. A Pod-Level Attack.................................................................................... 257 B. Resources............................................................................................. 271 Index....................................................................................................... 279 viii Į Table of Contents
any_adam_object	1
author	Martin, Andrew Hausenblas, Michael 19XX-
author_GND	(DE-588)1246375206 (DE-588)1160323100
author_facet	Martin, Andrew Hausenblas, Michael 19XX-
author_role	aut aut
author_sort	Martin, Andrew
author_variant	a m am m h mh
building	Verbundindex
bvnumber	BV047569561
classification_rvk	ST 277
ctrlnum	(OCoLC)1286866438 (DE-599)BVBBV047569561
discipline	Informatik
edition	First edition
format	Book
fullrecord	<?xml version="1.0" encoding="UTF-8"?><collection xmlns="http://www.loc.gov/MARC21/slim"><record><leader>01901nam a2200433 c 4500</leader><controlfield tag="001">BV047569561</controlfield><controlfield tag="003">DE-604</controlfield><controlfield tag="005">20221124 </controlfield><controlfield tag="007">t\|</controlfield><controlfield tag="008">211102s2022 xx a\|\|\| \|\|\|\| 00\|\|\| eng d</controlfield><datafield tag="020" ind1=" " ind2=" "><subfield code="a">9781492081739</subfield><subfield code="c">Pb.: 59.99 USD</subfield><subfield code="9">978-1-4920-8173-9</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(OCoLC)1286866438</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(DE-599)BVBBV047569561</subfield></datafield><datafield tag="040" ind1=" " ind2=" "><subfield code="a">DE-604</subfield><subfield code="b">ger</subfield><subfield code="e">rda</subfield></datafield><datafield tag="041" ind1="0" ind2=" "><subfield code="a">eng</subfield></datafield><datafield tag="049" ind1=" " ind2=" "><subfield code="a">DE-706</subfield><subfield code="a">DE-M347</subfield><subfield code="a">DE-739</subfield></datafield><datafield tag="084" ind1=" " ind2=" "><subfield code="a">ST 277</subfield><subfield code="0">(DE-625)143643:</subfield><subfield code="2">rvk</subfield></datafield><datafield tag="100" ind1="1" ind2=" "><subfield code="a">Martin, Andrew</subfield><subfield code="e">Verfasser</subfield><subfield code="0">(DE-588)1246375206</subfield><subfield code="4">aut</subfield></datafield><datafield tag="245" ind1="1" ind2="0"><subfield code="a">Hacking Kubernetes</subfield><subfield code="b">threat-driven analysis and defense</subfield><subfield code="c">Andrew Martin and Michael Hausenblas</subfield></datafield><datafield tag="250" ind1=" " ind2=" "><subfield code="a">First edition</subfield></datafield><datafield tag="264" ind1=" " ind2="1"><subfield code="a">Beijing ; Boston ; Farnham ; Sebastopol ; Tokyo</subfield><subfield code="b">O'Reilly</subfield><subfield code="c">Oktober 2022</subfield></datafield><datafield tag="300" ind1=" " ind2=" "><subfield code="a">xiv, 295 Seiten</subfield><subfield code="b">Illustrationen</subfield><subfield code="c">24 cm</subfield></datafield><datafield tag="336" ind1=" " ind2=" "><subfield code="b">txt</subfield><subfield code="2">rdacontent</subfield></datafield><datafield tag="337" ind1=" " ind2=" "><subfield code="b">n</subfield><subfield code="2">rdamedia</subfield></datafield><datafield tag="338" ind1=" " ind2=" "><subfield code="b">nc</subfield><subfield code="2">rdacarrier</subfield></datafield><datafield tag="650" ind1="0" ind2="7"><subfield code="a">Open Source</subfield><subfield code="0">(DE-588)4548264-0</subfield><subfield code="2">gnd</subfield><subfield code="9">rswk-swf</subfield></datafield><datafield tag="650" ind1="0" ind2="7"><subfield code="a">Cloud Computing</subfield><subfield code="0">(DE-588)7623494-0</subfield><subfield code="2">gnd</subfield><subfield code="9">rswk-swf</subfield></datafield><datafield tag="650" ind1="0" ind2="7"><subfield code="a">Kubernetes</subfield><subfield code="0">(DE-588)1153019000</subfield><subfield code="2">gnd</subfield><subfield code="9">rswk-swf</subfield></datafield><datafield tag="650" ind1="0" ind2="7"><subfield code="a">Computersicherheit</subfield><subfield code="0">(DE-588)4274324-2</subfield><subfield code="2">gnd</subfield><subfield code="9">rswk-swf</subfield></datafield><datafield tag="653" ind1=" " ind2="0"><subfield code="a">Open source software / Security measures</subfield></datafield><datafield tag="653" ind1=" " ind2="0"><subfield code="a">Application software / Security measures</subfield></datafield><datafield tag="689" ind1="0" ind2="0"><subfield code="a">Kubernetes</subfield><subfield code="0">(DE-588)1153019000</subfield><subfield code="D">s</subfield></datafield><datafield tag="689" ind1="0" ind2="1"><subfield code="a">Cloud Computing</subfield><subfield code="0">(DE-588)7623494-0</subfield><subfield code="D">s</subfield></datafield><datafield tag="689" ind1="0" ind2="2"><subfield code="a">Open Source</subfield><subfield code="0">(DE-588)4548264-0</subfield><subfield code="D">s</subfield></datafield><datafield tag="689" ind1="0" ind2="3"><subfield code="a">Computersicherheit</subfield><subfield code="0">(DE-588)4274324-2</subfield><subfield code="D">s</subfield></datafield><datafield tag="689" ind1="0" ind2=" "><subfield code="5">DE-604</subfield></datafield><datafield tag="700" ind1="1" ind2=" "><subfield code="a">Hausenblas, Michael</subfield><subfield code="d">19XX-</subfield><subfield code="e">Verfasser</subfield><subfield code="0">(DE-588)1160323100</subfield><subfield code="4">aut</subfield></datafield><datafield tag="856" ind1="4" ind2="2"><subfield code="m">Digitalisierung UB Passau - ADAM Catalogue Enrichment</subfield><subfield code="q">application/pdf</subfield><subfield code="u">http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=032955210&sequence=000001&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA</subfield><subfield code="3">Inhaltsverzeichnis</subfield></datafield><datafield tag="943" ind1="1" ind2=" "><subfield code="a">oai:aleph.bib-bvb.de:BVB01-032955210</subfield></datafield></record></collection>
id	DE-604.BV047569561
illustrated	Illustrated
indexdate	2024-12-20T19:22:39Z
institution	BVB
isbn	9781492081739
language	English
oai_aleph_id	oai:aleph.bib-bvb.de:BVB01-032955210
oclc_num	1286866438
open_access_boolean
owner	DE-706 DE-M347 DE-739
owner_facet	DE-706 DE-M347 DE-739
physical	xiv, 295 Seiten Illustrationen 24 cm
publishDate	2022
publishDateSearch	2022
publishDateSort	2022
publisher	O'Reilly
record_format	marc
spellingShingle	Martin, Andrew Hausenblas, Michael 19XX- Hacking Kubernetes threat-driven analysis and defense Open Source (DE-588)4548264-0 gnd Cloud Computing (DE-588)7623494-0 gnd Kubernetes (DE-588)1153019000 gnd Computersicherheit (DE-588)4274324-2 gnd
subject_GND	(DE-588)4548264-0 (DE-588)7623494-0 (DE-588)1153019000 (DE-588)4274324-2
title	Hacking Kubernetes threat-driven analysis and defense
title_auth	Hacking Kubernetes threat-driven analysis and defense
title_exact_search	Hacking Kubernetes threat-driven analysis and defense
title_full	Hacking Kubernetes threat-driven analysis and defense Andrew Martin and Michael Hausenblas
title_fullStr	Hacking Kubernetes threat-driven analysis and defense Andrew Martin and Michael Hausenblas
title_full_unstemmed	Hacking Kubernetes threat-driven analysis and defense Andrew Martin and Michael Hausenblas
title_short	Hacking Kubernetes
title_sort	hacking kubernetes threat driven analysis and defense
title_sub	threat-driven analysis and defense
topic	Open Source (DE-588)4548264-0 gnd Cloud Computing (DE-588)7623494-0 gnd Kubernetes (DE-588)1153019000 gnd Computersicherheit (DE-588)4274324-2 gnd
topic_facet	Open Source Cloud Computing Kubernetes Computersicherheit
url	http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=032955210&sequence=000001&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA
work_keys_str_mv	AT martinandrew hackingkubernetesthreatdrivenanalysisanddefense AT hausenblasmichael hackingkubernetesthreatdrivenanalysisanddefense

Verfügbarkeit

‌

Per Fernleihe bestellen Inhaltsverzeichnis