You're reading from Learning Kubernetes Security A practical guide for secure and scalable containerized environments

Product type Paperback

Published in Jun 2025

Publisher Packt

ISBN-13 9781835886380

Length 390 pages

Edition 2nd Edition

Concepts

Cloud Security

Author (1):

Raul Lapaz

View More author details

Table of Contents (18) Chapters

Preface

1. Kubernetes Architecture FREE CHAPTER

2. Kubernetes Networking

3. Threat Modeling

4. Applying the Principle of Least Privilege in Kubernetes

5. Configuring Kubernetes Security Boundaries

6. Securing Cluster Components

7. Authentication, Authorization, and Admission Control

8. Securing Pods

9. Shift Left (Scanning, SBOM, and CI/CD)

10. Real-Time Monitoring and Observability

11. Security Monitoring and Log Analysis

12. Defense in Depth

13. Kubernetes Vulnerabilities and Container Escapes

14. Third-Party Plugins for Securing Kubernetes

15. Other Books You May Enjoy

Stay relevant in a rapidly changing cybersecurity world – join 65,000+ SecPro subscribers

16. Index

Download a Free PDF Copy of This Book

Appendix: Enhancements in Kubernetes 1.30–1.33

Security boundaries in the system layer

Microservices run inside Pods, where Pods are scheduled to run on worker nodes in a cluster. In the previous chapters, we already emphasized that a container is a process assigned with dedicated Linux namespaces. A container or Pod consumes all the necessary resources provided by the worker node. So, it is important to understand the security boundaries from the system’s perspective and how to fortify it. In this section, we will talk about the security boundaries built upon Linux namespaces and Linux capabilities together for microservices.

Linux namespaces as security boundaries

Linux namespaces are a feature of the Linux kernel to partition resources for isolation purposes. With namespaces assigned, a set of processes sees one set of resources while another set of processes sees another set of resources. We already introduced Linux namespaces in Chapter 2, Kubernetes Networking. By default, each Pod has its own network namespace...