Implementing DevSecOps with Docker and Kubernetes (José Manuel Ortega Candel) (Z-Library)
Uploader: 高宏飞
Shared on 13 December 2025
Category: Education
Author: José Manuel Ortega Candel

Building and securely deploying container-based applications with Docker and Kubernetes using open source tools.

KEY FEATURES
● Real-world examples of vulnerability analysis in Docker containers.
● Includes recommended practices for Kubernetes and Docker with real execution of commands.
● Includes essential monitoring tools for Docker containers and Kubernetes configuration.

DESCRIPTION
This book discusses many strategies that can be used by developers to improve their DevSecOps and container security skills. It is intended for those who are active in software development. After reading this book, readers will discover how Docker and Kubernetes work from a security perspective. The book begins with a discussion of the DevSecOps tools ecosystem, the primary container platforms and orchestration tools that you can use to manage the lifespan and security of your apps. Among other things, this book discusses best practices for constructing Docker images, discovering vulnerabilities, and improving security. The book addresses how to examine container secrets and networking. Backed with examples, the book demonstrates how to manage and monitor container-based systems, including monitoring and administration in Docker. In the final section, the book explains

ISBN: 9355511183
Publisher: BPB Publications
Publish Year: 2022
Language: English
Pages: 480
File Format: PDF
File Size: 12.5 MB
Text Preview (First 20 pages)
Implementing DevSecOps with Docker and Kubernetes
An Experiential Guide to Operate in the DevOps Environment for Securing and Monitoring Container Applications
José Manuel Ortega Candel
www.bpbonline.com
FIRST EDITION 2022
Copyright © BPB Publications, India
ISBN: 978-93-5551-118-8

All Rights Reserved. No part of this publication may be reproduced, distributed or transmitted in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception of the program listings, which may be entered, stored and executed in a computer system but may not be reproduced by means of publication, photocopy, recording, or any electronic or mechanical means.

LIMITS OF LIABILITY AND DISCLAIMER OF WARRANTY
The information contained in this book is true and correct to the best of the author's and publisher's knowledge. The author has made every effort to ensure the accuracy of this publication, but the publisher cannot be held responsible for any loss or damage arising from any information in this book. All trademarks referred to in the book are acknowledged as properties of their respective owners, but BPB Publications cannot guarantee the accuracy of this information.
Dedicated to My parents and brothers
About the Author José Manuel Ortega has been working as a software engineer and security researcher, focusing on new technologies, open source, security, and testing. His aim has been to specialize in Python and DevOps security projects with Docker. He is currently working as a security tester engineer, analyzing and testing the security of applications. He has collaborated with universities and the official college of computer engineers, presenting articles and holding conferences. He has also been a speaker at national and international conferences. You can find his conferences and talks related to Python, Security, and Docker on his personal site - http://jmortega.github.io
About the Reviewers
Ajay, a DevOps enthusiast, is always eager to learn new technologies related to automating application lifecycle management. He has also reviewed Cloud Analytics using Microsoft Azure Stack. He loves R&D and has a keen interest in inventing, optimizing and implementing solutions.
Prajeesh Prathap is an experienced technologist who specializes in building web-scale, cloud-native applications, with a special interest in event-driven, distributed systems. Prajeesh currently works as the platform and operations teams' manager for IT&Care in the Netherlands, specializing in setting up containerized environments, CI/CD using Azure DevOps, observability platforms, etc. He is a regular speaker at numerous technology conferences and has authored courses on Reactive Microservices in .NET Core and Continuous Delivery with VSTS & PowerShell DSC.
Acknowledgements First and foremost, I would like to thank everyone at BPB Publications for giving me the opportunity to publish this book, which tries to cover some of the technologies that we can find within the DevSecOps ecosystem. I would also like to thank my teachers and friends at the University for giving me the ability to continuously learn in a world that becomes increasingly complex. Lastly, I would like to thank the editors, reviewers, and publishers for carrying out this project successfully.
Preface
In the last few years, knowledge of DevSecOps tools in IT companies has increased due to the growth of container technologies like Docker and Kubernetes. Docker is an open source containerization tool that makes it easier to streamline product delivery, and Kubernetes is a portable and extensible open source platform for managing workloads and services. The primary goal of this book is to create a mix of theory and practice that emphasizes the core concepts of DevSecOps, Docker containers and Kubernetes clustering from a security, monitoring, and administration perspective. This book is helpful for learning the basic and advanced concepts of Docker containers from a security point of view. The book is divided into 14 chapters and provides a detailed description of the core concepts of DevSecOps tools: Docker containers and Kubernetes platforms.

Chapter 1 introduces DevSecOps challenges, methodologies, and tools as a new movement that tries to improve the security of applications. The idea of DevSecOps is to treat security as a requirement in the application design, development, and delivery process.

Chapter 2 introduces the main container platforms, like Docker and Kubernetes, that provide infrastructure for both the development and operations teams. The idea of this chapter is to introduce the main technologies that will be used throughout the book, and other alternatives for containers, like Podman.

Chapter 3 covers how Docker manages images and containers, the main commands used for generating our images from a Dockerfile, and how we can optimize our Docker images by minimizing their size and, in turn, reducing the attack surface.

Chapter 4 explores security best practices and other aspects like Docker capabilities, which grant a container additional kernel privileges, and privileged containers, which receive all of them. We will also review Docker Content Trust and Docker Registry in this chapter; they provide a secure way to sign and upload our images to Docker Hub and to a private registry. Finally, we will review other registries like Harbor and Quay.

Chapter 5 walks us through the Docker daemon, and through AppArmor profiles (mandatory access control) and seccomp profiles (system-call filtering), which use kernel features to limit what a container can do. We will also review tools like Docker Bench for Security and Lynis, which check a Docker environment against security best practices, and take a look at some of the important recommendations to follow when auditing and deploying Docker in a production environment.

Chapter 6 discusses best practices for building container images securely. In addition to ensuring that your container is properly configured, you must ensure that all image layers in a container are free from known vulnerabilities. This is done through tools that perform a static scan of images in Docker repositories. We will also review open source tools, like Clair and Anchore, for discovering vulnerabilities in container images.

Chapter 7 explores attack vectors that can affect container deployments with Docker and covers topics like Docker container threats and system attacks that can impact Docker applications. We will review examples of attacks and exploits that could target running containers. Additionally, we will review specific CVEs in Docker images and see how to get details about specific vulnerabilities with the Vulners API.

Chapter 8 teaches us about Docker secrets and the essential components of Docker networking, including how containers communicate with and link to each other. We will also review the mechanisms Docker uses to expose TCP ports from the container to the host, like port mapping, so that users reaching the host can access the services of a container.

Chapter 9 covers Docker container monitoring as an important part of application maintenance, for getting metrics about application behavior. This chapter introduces some of the open source tools available for Docker container monitoring, such as cAdvisor, dive, and Sysdig Falco.

Chapter 10 introduces some of the open source tools available for Docker container administration, like Portainer, Rancher, and OpenShift.

Chapter 11 looks at Kubernetes architecture, components, objects, the networking model, and different tools for working with Kubernetes, presenting minikube as the main tool for deploying a cluster.

Chapter 12 discusses Kubernetes security patterns and best practices for securing components and pods, applying the principle of least privilege in Kubernetes.

Chapter 13 talks about Kubernetes security and the Kubernetes Bench for Security project (kube-bench), an application that checks whether Kubernetes is deployed securely by running the controls documented in the CIS Kubernetes Benchmark. We will also review the main security projects for analyzing the security of Kubernetes components, and critical vulnerabilities discovered in Kubernetes in the last few years.

Chapter 14 covers the capabilities recommended when running Kubernetes in production. We will first analyze observability and monitoring in the context of Kubernetes, and then review the Kubernetes dashboard for getting metrics from your cluster. Finally, we will look at the Kubernetes observability and monitoring stack built on Prometheus and Grafana.
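The hardening practices the preface assigns to Chapter 4 and Chapter 5 (non-root user, read-only root filesystem, dropped capabilities, no privileged mode, resource limits, and the Docker Bench style of auditing a running deployment) can be checked mechanically against what `docker inspect` reports. The script below is an added example written for this page, not code from the book: it reads the `Config` and `HostConfig` objects that `docker inspect <container>` emits and lists every practice a container misses. The two container records, the finding identifiers and the `DANGEROUS_CAPS` set are constructed for illustration.

```python
"""Audit `docker inspect` records against the Chapter 4 hardening practices:
non-root user, read-only root filesystem, dropped capabilities (dropping
NET_RAW is what disables ping in a container), no privileged mode, no
setuid/setgid escalation, and resource limits.

Added example for this page, not code from the book. The field names are the
ones `docker inspect` emits under "Config" and "HostConfig"; the two records,
the check identifiers and DANGEROUS_CAPS are constructed for illustration.
"""
import json

# Capabilities that amount to host control if handed to a container.
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE",
                  "DAC_READ_SEARCH", "SYS_RAWIO"}

# Constructed record: `docker run` with none of the hardening flags.
WEAK = {
    "Name": "/web-weak",
    "Config": {"User": ""},
    "HostConfig": {
        "Privileged": False, "CapAdd": ["NET_ADMIN"], "CapDrop": None,
        "ReadonlyRootfs": False, "SecurityOpt": None,
        "PidsLimit": None, "Memory": 0,
    },
}

# Constructed record: the same service started with
#   --user 10001:10001 --read-only --cap-drop=ALL --cap-add=NET_BIND_SERVICE
#   --security-opt=no-new-privileges --pids-limit=200 --memory=256m
HARDENED = {
    "Name": "/web-hardened",
    "Config": {"User": "10001:10001"},
    "HostConfig": {
        "Privileged": False, "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"],
        "ReadonlyRootfs": True, "SecurityOpt": ["no-new-privileges:true"],
        "PidsLimit": 200, "Memory": 256 * 1024 * 1024,
    },
}

# What `docker inspect web-weak web-hardened` would print for the two records.
SAMPLE_INSPECT_JSON = json.dumps([WEAK, HARDENED])


def _norm_caps(caps):
    """Docker accepts both 'NET_RAW' and 'CAP_NET_RAW'; compare without the prefix."""
    out = set()
    for c in caps or []:
        c = c.upper()
        out.add(c[4:] if c.startswith("CAP_") else c)
    return out


def _runs_as_root(user):
    """Config.User is "" (image default, normally root), "root", "0" or "uid:gid"."""
    return user.split(":", 1)[0] in ("", "root", "0")


def audit(container):
    """Return (check_id, message) pairs for every practice the container misses."""
    host = container.get("HostConfig") or {}
    cfg = container.get("Config") or {}
    findings = []

    if _runs_as_root(cfg.get("User") or ""):
        findings.append(("non-root-user",
                         "runs as root; set USER in the Dockerfile or pass --user uid:gid"))
    if host.get("Privileged"):
        findings.append(("privileged",
                         "--privileged grants every capability plus host device access"))

    cap_add, cap_drop = _norm_caps(host.get("CapAdd")), _norm_caps(host.get("CapDrop"))
    if "ALL" not in cap_drop:
        findings.append(("cap-drop-all",
                         "keeps Docker's default capability set; use --cap-drop=ALL and add back only what is needed"))
        if "NET_RAW" not in cap_drop:
            findings.append(("net-raw",
                             "NET_RAW kept: raw sockets allow ping and packet spoofing from the container"))
    risky = sorted(cap_add & DANGEROUS_CAPS)
    if risky:
        findings.append(("cap-add-dangerous",
                         "added " + ", ".join(risky) + "; each can be used to control or escape to the host"))

    if not host.get("ReadonlyRootfs"):
        findings.append(("read-only-rootfs",
                         "writable root filesystem; use --read-only plus tmpfs/volumes for paths that must be written"))
    sec_opts = host.get("SecurityOpt") or []
    if not any(o in ("no-new-privileges", "no-new-privileges:true") for o in sec_opts):
        findings.append(("no-new-privileges",
                         "setuid/setgid binaries can still raise privileges; pass --security-opt=no-new-privileges"))
    pids = host.get("PidsLimit")
    if not pids or pids < 0:
        findings.append(("pids-limit", "no PID limit; a fork bomb can exhaust the host (use --pids-limit)"))
    if not host.get("Memory"):
        findings.append(("memory-limit", "no memory limit; use --memory to bound the container"))
    return findings


def audit_inspect_output(text):
    """Parse raw `docker inspect` output (a JSON array) into {name: findings}."""
    return {c.get("Name", "?"): audit(c) for c in json.loads(text)}


if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE_INSPECT_JSON).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for check_id, message in findings:
            print(f"  [{check_id}] {message}")
```

Against a live host, replace `SAMPLE_INSPECT_JSON` with the output of `docker inspect $(docker ps -q)` and feed it to `audit_inspect_output`. The checks deliberately treat an empty `Config.User` as root, because an image that never sets `USER` runs as root regardless of what the Dockerfile comments say.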
Code Bundle and Coloured Images
Please follow the link to download the Code Bundle and the Coloured Images of the book: https://rebrand.ly/43164f
The code bundle for the book is also hosted on GitHub at
In case there's an update to the code, it will be updated on the existing GitHub repository. We have code bundles from our rich catalogue of books and videos available at
Check them out!

Errata
We take immense pride in our work at BPB Publications and follow best practices to ensure the accuracy of our content and provide our readers with an engaging reading experience. Our readers are our mirrors, and we use their input to reflect on and correct any human errors that may have occurred during the publishing process. To help us maintain quality and reach any readers who might be having difficulties due to unforeseen errors, please write to us at: errata@bpbonline.com
Your support, suggestions and feedback are highly appreciated by the BPB Publications family.

Did you know that BPB offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.bpbonline.com and, as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at business@bpbonline.com for more details.
At
you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on BPB books and eBooks.

Piracy
If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at business@bpbonline.com with a link to the material.

If you are interested in becoming an author
If there is a topic that you have expertise in, and you are interested in either writing or contributing to a book, please visit
We have worked with thousands of developers and tech professionals, just like you, to help them share their insights with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

Reviews
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions. We at BPB can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about BPB, please visit
Table of Contents

1. Getting Started with DevSecOps
   Structure
   Objectives
   From DevOps to DevSecOps
   Getting started with DevSecOps
   Advantages of implementing DevSecOps
   DevSecOps lifecycle
   ShiftLeft security
   DevSecOps methodologies
   Applying the DevSecOps methodology
   Security testing
   Security code review
   Continuous integration and continuous delivery
   Continuous Integration (CI)
   Orchestrating CI
   Selection of continuous integration tools
   Continuous delivery (CD) - Pipelines in software development
   Advantages of continuous delivery
   Continuous Integration (CI) versus Continuous Delivery (CD)
   DevSecOps tools
   Static Analysis Security Testing (SAST)
   Dynamic Analysis Security Testing (DAST)
   Dependency analysis
   Infrastructure as Code security
   Secrets management
   Vulnerability management
   Vulnerability assessment
   Alerts and monitoring
   Conclusion
   Points to remember
   Multiple choice questions
   Answers
   Questions
   Key terms

2. Container Platforms
   Structure
   Objective
   Docker containers
   What is Docker?
   Containers versus virtual machines
   Docker features for container management
   Docker architecture
   Docker engine
   Docker client
   Containerd
   Podman
   Podman design and main functions
   Podman commands
   Container orchestration
   Docker compose
   Kubernetes
   Kubernetes architecture
   Kubernetes key terms
   Kubernetes cloud provider solutions
   Kubernetes alternatives
   Docker Swarm
   Nomad
   Rancher - Kubernetes as a service
   Conclusion
   Points to remember
   Multiple choice questions
   Answers
   Questions
   Key terms

3. Managing Containers and Docker Images
   Introduction
   Structure
   Objectives
   Managing Docker images
   Introducing Docker images
   Docker layers
   Image tags
   Design considerations for Docker Images
   Dockerfile commands
   What is a Dockerfile?
   Building images from Dockerfile
   Best practices writing DockerFiles
   Managing Docker containers
   Searching and executing a Docker image
   Executing a container in background mode
   Inspecting Docker containers
   Optimizing Docker images
   Docker's cache
   Building an application with NodeJS
   Reducing image size with multistage
   Reducing image size with alpine Linux
   Distroless Docker images
   Conclusion
   Points to remember
   Multiple choice questions
   Answers
   Questions
   Key terms

4. Getting Started with Docker Security
   Introduction
   Structure
   Objectives
   Docker security principles and best practices
   Docker daemon attack surface
   Security best practices
   Execution with non-root user
   Start containers in read-only mode
   Disable the setuid and setgid permissions
   Verifying images with Docker Content Trust
   Resource limitation
   Docker capabilities
   Listing all capabilities
   Add and drop capabilities
   Disabling ping command in a container
   Adding capability for managing network
   Execution of privileged containers
   Docker Content Trust
   Notary as a tool for managing images
   Docker Registry
   What is a registry?