ISBN-13: 9781119782230 / English / Paperback / 2021 / 336 pages
Table of Contents

Introduction  xix

Part I  Container and Orchestrator Security  1

Chapter 1  What is a Container?  3
    Common Misconceptions  4
    Container Components  6
    Kernel Capabilities  7
    Other Containers  13
    Summary  14

Chapter 2  Rootless Runtimes  17
    Docker Rootless Mode  18
    Installing Rootless Mode  20
    Running Rootless Podman  25
    Setting Up Podman  26
    Summary  31

Chapter 3  Container Runtime Protection  33
    Running Falco  34
    Configuring Rules  38
    Changing Rules  39
    Macros  41
    Lists  41
    Getting Your Priorities Right  41
    Tagging Rulesets  42
    Outputting Alerts  42
    Summary  43

Chapter 4  Forensic Logging  45
    Things to Consider  46
    Salient Files  47
    Breaking the Rules  49
    Key Commands  52
    The Rules  52
    Parsing Rules  54
    Monitoring  58
    Ordering and Performance  62
    Summary  63

Chapter 5  Kubernetes Vulnerabilities  65
    Mini Kubernetes  66
    Options for Using kube-hunter  68
    Deployment Methods  68
    Scanning Approaches  69
    Hunting Modes  69
    Container Deployment  70
    Inside Cluster Tests  71
    Minikube vs. kube-hunter  74
    Getting a List of Tests  76
    Summary  77

Chapter 6  Container Image CVEs  79
    Understanding CVEs  80
    Trivy  82
    Getting Started  83
    Exploring Anchore  88
    Clair  96
    Secure Registries  97
    Summary  101

Part II  DevSecOps Tooling  103

Chapter 7  Baseline Scanning (or, Zap Your Apps)  105
    Where to Find ZAP  106
    Baseline Scanning  107
    Scanning Nmap's Host  113
    Adding Regular Expressions  114
    Summary  116

Chapter 8  Codifying Security  117
    Security Tooling  117
    Installation  118
    Simple Tests  122
    Example Attack Files  124
    Summary  127

Chapter 9  Kubernetes Compliance  129
    Mini Kubernetes  130
    Using kube-bench  133
    Troubleshooting  138
    Automation  139
    Summary  140

Chapter 10  Securing Your Git Repositories  141
    Things to Consider  142
    Installing and Running Gitleaks  144
    Installing and Running GitRob  149
    Summary  151

Chapter 11  Automated Host Security  153
    Machine Images  155
    Idempotency  156
    Secure Shell Example  158
    Kernel Changes  162
    Summary  163

Chapter 12  Server Scanning With Nikto  165
    Things to Consider  165
    Installation  166
    Scanning a Second Host  170
    Running Options  171
    Command-Line Options  172
    Evasion Techniques  172
    The Main Nikto Configuration File  175
    Summary  176

Part III  Cloud Security  177

Chapter 13  Monitoring Cloud Operations  179
    Host Dashboarding with NetData  180
    Installing Netdata  180
    Host Installation  180
    Container Installation  183
    Collectors  186
    Uninstalling Host Packages  186
    Cloud Platform Interrogation with Komiser  186
    Installation Options  190
    Summary  191

Chapter 14  Cloud Guardianship  193
    Installing Cloud Custodian  193
    Wrapper Installation  194
    Python Installation  195
    EC2 Interaction  196
    More Complex Policies  201
    IAM Policies  202
    S3 Data at Rest  202
    Generating Alerts  203
    Summary  205

Chapter 15  Cloud Auditing  207
    Runtime, Host, and Cloud Testing with Lunar  207
    Installing to a Bash Default Shell  209
    Execution  209
    Cloud Auditing Against Benchmarks  213
    AWS Auditing with Cloud Reports  215
    Generating Reports  217
    EC2 Auditing  219
    CIS Benchmarks and AWS Auditing with Prowler  220
    Summary  223

Chapter 16  AWS Cloud Storage  225
    Buckets  226
    Native Security Settings  229
    Automated S3 Attacks  231
    Storage Hunting  234
    Summary  236

Part IV  Advanced Kubernetes and Runtime Security  239

Chapter 17  Kubernetes External Attacks  241
    The Kubernetes Network Footprint  242
    Attacking the API Server  243
    API Server Information Discovery  243
    Avoiding API Server Information Disclosure  244
    Exploiting Misconfigured API Servers  245
    Preventing Unauthenticated Access to the API Server  246
    Attacking etcd  246
    etcd Information Discovery  246
    Exploiting Misconfigured etcd Servers  246
    Preventing Unauthorized etcd Access  247
    Attacking the Kubelet  248
    Kubelet Information Discovery  248
    Exploiting Misconfigured Kubelets  249
    Preventing Unauthenticated Kubelet Access  250
    Summary  250

Chapter 18  Kubernetes Authorization with RBAC  251
    Kubernetes Authorization Mechanisms  251
    RBAC Overview  252
    RBAC Gotchas  253
    Avoid the cluster-admin Role  253
    Built-In Users and Groups Can Be Dangerous  254
    Read-Only Can Be Dangerous  254
    Create Pod is Dangerous  256
    Kubernetes Rights Can Be Transient  257
    Other Dangerous Objects  258
    Auditing RBAC  258
    Using kubectl  258
    Additional Tooling  259
    Rakkess  259
    kubectl-who-can  261
    Rback  261
    Summary  262

Chapter 19  Network Hardening  265
    Container Network Overview  265
    Node IP Addresses  266
    Pod IP Addresses  266
    Service IP Addresses  267
    Restricting Traffic in Kubernetes Clusters  267
    Setting Up a Cluster with Network Policies  268
    Getting Started  268
    Allowing Access  271
    Egress Restrictions  273
    Network Policy Restrictions  274
    CNI Network Policy Extensions  275
    Cilium  275
    Calico  276
    Summary  278

Chapter 20  Workload Hardening  279
    Using Security Context in Manifests  279
    General Approach  280
    allowPrivilegeEscalation  280
    Capabilities  281
    privileged  283
    readOnlyRootFilesystem  283
    seccompProfile  283
    Mandatory Workload Security  285
    Pod Security Standards  285
    PodSecurityPolicy  286
    Setting Up PSPs  286
    Setting Up PSPs  288
    PSPs and RBAC  289
    PSP Alternatives  291
    Open Policy Agent  292
    Installation  292
    Enforcement Actions  295
    Kyverno  295
    Installation  296
    Operation  296
    Summary  298

Index  299
About the Authors

CHRIS BINNIE is a Technical Consultant who has worked for almost 25 years with critical Linux systems in banking and government, both on-premise and in the cloud. He has written two Linux books, has written for Linux and ADMIN magazines, and has five years of experience in DevOps security consultancy roles.

RORY MCCUNE has over 20 years of experience in the Information and IT security arenas. His professional focus is on container, cloud, and application security. He is an author of the CIS Benchmarks for Docker and Kubernetes and has authored and delivered container security training at conferences around the world.
1997-2026 DolnySlask.com Agencja Internetowa