Chapter 2. Cluster Setup

The first domain of the exam deals with concerns related to Kubernetes cluster setup and configuration. In this chapter, we’ll only drill into the security-specific aspects and not the standard responsibilities of a Kubernetes administrator.

At a high level, this chapter covers the following concepts:

  • Using network policies to restrict Pod-to-Pod communication

  • Running CIS benchmark tooling to identify security risks for cluster components

  • Setting up an Ingress object with TLS support

  • Protecting node ports, API endpoints, and GUI access

  • Verifying platform binaries against their checksums

Using Network Policies to Restrict Pod-to-Pod Communication

For a microservice architecture to function in Kubernetes, a Pod needs to be able to reach another Pod running on the same or on a different node without Network Address Translation (NAT). Kubernetes assigns a unique IP address to every Pod upon creation, leased from the Pod CIDR range of the node the Pod is scheduled on. The IP address is ephemeral and cannot be considered stable over time: whenever a Pod is re-created (for example, by a Deployment rollout, or when it is evicted and rescheduled to another node), the new Pod is leased a new IP address. It's recommended to use Pod-to-Service communication over direct Pod-to-Pod communication so that clients can rely on the Service's stable virtual IP address and DNS name rather than on the address of an individual Pod.

The IP address assigned to a Pod is unique across all nodes and namespaces. This is achieved by assigning a dedicated subnet to each node when registering it. When creating a new Pod on a node, the IP address is leased from the assigned subnet. This ...
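The following manifests are an added example and not code from the book. They show the practical consequence of ephemeral Pod IPs for the section's topic: a NetworkPolicy selects Pods by label, never by IP address. The example declares a namespace-wide default-deny ingress policy, a second policy that allows only Pods labelled app=frontend to reach Pods labelled app=backend on TCP port 8080, and the Service that frontend Pods should address instead of a backend Pod IP. The namespace shop, the labels, and the port numbers are assumptions made for illustration.

```yaml
# Added example (not from the book). Namespace "shop", the app=frontend /
# app=backend labels and the ports are assumed for illustration.
#
# Policy 1: deny all ingress traffic to every Pod in the namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}      # empty selector: applies to every Pod in the namespace
  policyTypes:
  - Ingress            # no ingress rules are listed, so all inbound traffic is denied
---
# Policy 2: re-open exactly one path, selected by Pod labels, not by IP.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: backend     # the Pods this policy protects
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend   # only Pods in this namespace carrying this label
    ports:
    - protocol: TCP
      port: 8080          # the container port, not the Service port
---
# The stable endpoint frontend Pods should call: http://backend.shop.svc.cluster.local
apiVersion: v1
kind: Service
metadata:
  name: backend
  namespace: shop
spec:
  selector:
    app: backend
  ports:
  - port: 80
    targetPort: 8080
```

Two details matter when reading this. First, traffic sent to the Service's ClusterIP is translated to a backend Pod IP before the policy on that Pod is evaluated, so the label-based rule governs Service traffic as well, and the port in the policy must be the Pod's container port (8080 here), not the Service port (80). Second, NetworkPolicy objects are only enforced by a CNI plugin that implements them (Calico and Cilium do, for instance); on a cluster without such a plugin the API server accepts the objects and they have no effect, so after applying the manifests, confirm enforcement from a Pod that lacks the app=frontend label and check that a connection to the backend Service times out.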

Get Certified Kubernetes Security Specialist (CKS) Study Guide now with the O’Reilly learning platform.