Kubernetes Security and Observability
A Holistic Approach to Securing Containers and Cloud-Native Applications
Brendan Creane and Amit Gupta's combined treatment of Kubernetes security and observability — RBAC, network policy, runtime detection, and the telemetry needed to make any of it operationally real.
- Authors: Brendan Creane, Amit Gupta
- Published: 2021
- Publisher: O'Reilly Media
- Pages: 196
- Language: English
Read this if
Platform engineers and SRE-security hybrids running production Kubernetes who want a single reference for the security-and-observability boundary. Strongest on the network-policy and runtime-detection sections, where most teams are weakest in practice.
Skip this if
Readers wanting depth on Kubernetes architecture itself, multi-tenancy patterns, or supply-chain (SLSA, signed images) detail. Also somewhat Calico-flavored — the authors are from Tigera — which is fine if you know to read past the marketing.
Key takeaways
- Security without observability is unfalsifiable; the book's central argument is that they are one workstream, not two.
- Network policy is operationally hard, not conceptually hard — the chapters on rolling out default-deny in production are the most useful.
- Runtime detection is necessary because admission controllers cannot catch everything; the book treats the trade-off honestly.
Notes
Pair with Kubernetes Security (Rice / Hausenblas) for the lighter introduction and with Brendan Burns's Designing Distributed Systems for the architecture frame the security model assumes. CNCF's TAG-Security guidance and the latest CIS Kubernetes Benchmark are the ongoing-update companions. Stronger as a second book than as a first one; read it after Container Security (Rice).
What to read before
What to read before Kubernetes Security and Observability
Intermediate · 2020
Container Security
Liz Rice's first-principles introduction to how Linux containers actually work — namespaces, cgroups, capabilities, seccomp, image layering — and the security implications that fall out of those mechanics.
Intermediate · 2018
Kubernetes Security
Liz Rice and Michael Hausenblas's freely-available O'Reilly short on the Kubernetes-specific security model: API server, RBAC, network policy, secrets, and the typical hardening steps that move a cluster from default to defensible.
Intermediate · 2018
Pentesting Azure Applications
Matt Burrough on attacker behaviour against Azure tenants: identity, storage, VMs, key material handling, and the recon paths that work against real subscriptions.
What to read next
What to read after Kubernetes Security and Observability
Intermediate · 2020
Container Security
Liz Rice's first-principles introduction to how Linux containers actually work — namespaces, cgroups, capabilities, seccomp, image layering — and the security implications that fall out of those mechanics.
Intermediate · 2018
Kubernetes Security
Liz Rice and Michael Hausenblas's freely-available O'Reilly short on the Kubernetes-specific security model: API server, RBAC, network policy, secrets, and the typical hardening steps that move a cluster from default to defensible.
Advanced · 2017
Attacking Network Protocols
James Forshaw, Project Zero veteran, on how to capture, parse, and break protocols from the wire up to the application layer, with a strong focus on building reusable analysis tooling.
Explore similar books
Alternatives to Kubernetes Security and Observability
Intermediate · 2020
Container Security
Liz Rice's first-principles introduction to how Linux containers actually work — namespaces, cgroups, capabilities, seccomp, image layering — and the security implications that fall out of those mechanics.
Intermediate · 2018
Kubernetes Security
Liz Rice and Michael Hausenblas's freely-available O'Reilly short on the Kubernetes-specific security model: API server, RBAC, network policy, secrets, and the typical hardening steps that move a cluster from default to defensible.
Intermediate · 2018
Pentesting Azure Applications
Matt Burrough on attacker behaviour against Azure tenants: identity, storage, VMs, key material handling, and the recon paths that work against real subscriptions.