// Comparison

Container Security vs Kubernetes Security: Which Should You Read?

Two cybersecurity books on Cloud, compared honestly: who each is for, what each does best, and which to read first.

Intermediate

4/52020

Fundamentals for Securing Containerized Applications

Liz Rice

Liz Rice's first-principles introduction to how Linux containers actually work — namespaces, cgroups, capabilities, seccomp, image layering — and the security implications that fall out of those mechanics.

Intermediate

4/52018

Kubernetes Security

Liz Rice, Michael Hausenblas

Liz Rice and Michael Hausenblas's freely-available O'Reilly short on the Kubernetes-specific security model: API server, RBAC, network policy, secrets, and the typical hardening steps that move a cluster from default to defensible.

Read this if

Engineers and security people who use containers daily but treat them as boxes. The book is the rare introduction that explains containers as compositions of Linux primitives rather than as a Docker-shaped product, and that is exactly what makes the security argument legible.

Engineers spinning up their first production cluster who need the 99-page distillation of what to do before the first incident. The freely available PDF makes it the obvious 'send to the team' reference for Kubernetes hardening basics.

Skip this if

Readers needing in-depth Kubernetes, supply-chain (SLSA, in-toto, Sigstore), or cloud-runtime-specific (Fargate, Cloud Run, ECS) coverage; pair with the Kubernetes books and current SLSA documentation. Also light on Wasm-runtime alternatives, which are an increasing fraction of the field.

Readers needing depth on runtime detection, supply-chain integrity, multi-cluster identity, or service-mesh security; the book is deliberately a primer, not a comprehensive reference. By 2026 Pod Security Admission, Gateway API, and signed-image standards have moved past the book's coverage.

Key takeaways

A container is not a box; it is a process with curated views of namespaces and resources, and most container vulnerabilities live in the gap between that mental model and the box mental model.
Capability dropping, read-only root filesystems, and seccomp profiles are not optional — Rice makes the case persuasively with concrete examples.
Image-supply-chain hygiene is half the security story; the book pre-dates SLSA but motivates it cleanly.

The Kubernetes security model is API-server-centric — most attacks are RBAC and network-policy failures, and the book makes this its spine.
Default-deny network policy is the highest-leverage hardening step in any cluster, and the book's framing of why is the most quotable in print.
Treat it as the on-ramp — once you have the basics, graduate to Kubernetes Security and Observability (Creane / Gupta) and current CNCF guidance.

How they compare

Container Security and Kubernetes Security are both rated 4/5 in our catalog. Pick by topic preference and reading style rather than by rating.

Both books target intermediate-level readers, so the choice is about topic, not difficulty.

Container Security and Kubernetes Security both cover Cloud, Containers, DevSecOps, so reading them in sequence reinforces the same material from different angles.

Keep reading

Container Security

→ Alternatives to Container Security → What to read after Container Security