Kubernetes Security Training Course

Duration

14 hours (usually 2 days including breaks)

Requirements

  • Previous experience working with Kubernetes

Audience

  • DevOps engineers
  • Developers

Overview

Kubernetes offers features for securing a cluster and its applications. The out-of-the-box settings, however, may not provide full protection from hackers and unintentionally harmful actors.

This instructor-led, live training (online or onsite) is aimed at engineers who wish to secure a Kubernetes cluster beyond the default security settings.

By the end of this training, participants will be able to:

  • Understand the vulnerabilities that are exposed by a default Kubernetes installation.
  • Prevent unauthenticated access to the Kubernetes API, database, and other services.
  • Protect a Kubernetes cluster from accidental or malicious access.
  • Put together a comprehensive security policy and set of best practices.

Format of the Course

  • Interactive lecture and discussion.
  • Lots of exercises and practice.
  • Hands-on implementation in a live-lab environment.

Course Customization Options

  • To request a customized training for this course, please contact us to arrange.

Course Outline

Introduction

Overview of the Kubernetes API and Security Features

  • Access to HTTPS endpoints, Kubernetes API, nodes, and containers
  • Kubernetes Authentication and Authorization features

How Hackers Attack Your Cluster

  • How hackers find your etcd port, Kubernetes API, and other services
  • How hackers execute code inside your container
  • How hackers escalate their privileges
  • Case study: How Tesla exposed its Kubernetes cluster

Setting up Kubernetes

  • Choosing a distribution
  • Installing Kubernetes

Using Credentials and Secrets

  • The credentials life cycle
  • Understanding secrets
  • Distributing credentials

Controlling Access to the Kubernetes API

  • Encrypting API traffic with TLS
  • Implementing authentication for API servers
  • Implementing authorization for different roles

Controlling User and Workload Capabilities

  • Understanding Kubernetes policies
  • Limiting resource usage
  • Limiting container privileges
  • Limiting network access

Controlling access to nodes

  • Separating workload access

Protecting Cluster Components

  • Restricting access to etcd
  • Disabling features
  • Changing, removing and revoking credentials and tokens

Securing Container Image

  • Managing Docker and Kubernetes images
  • Building secure images

Controlling Access to Cloud Resources

  • Understanding cloud platform metadata
  • Limiting permissions to cloud resources

Evaluating Third Party Integrations

  • Minimizing the permissions granted to third party software
  • Evaluating components that can create pods

Establishing a Security Policy

  • Reviewing the existing security profile
  • Creating a security model
  • Cloud native security considerations
  • Other best practices

Encrypting Inactive Data

  • Encrypting backups
  • Encrypting the entire disk
  • Encrypting secret resources in etcd

Monitoring Activity

  • Enabling audit logging
  • Auditing and governing the software supply chain
  • Subscribing to security alerts and updates

Summary and Conclusion

Leave a Reply

Your email address will not be published. Required fields are marked *