This Kubernetes Security Specialist course offers foundational knowledge through concepts and hands-on demonstrations of securing a Kubernetes cluster and its applications. Emphasizing practical skills, it requires a running Kubernetes cluster for participation.
The course covers all security aspects in Kubernetes, including cluster setup, ingress creation and security, and cluster hardening with RBAC, roles, and role bindings. It delves into system and kernel hardening, minimizing microservice vulnerabilities, supply chain security, monitoring, logging, and runtime security.
By the end, learners will have comprehensive knowledge to become Kubernetes security specialists. Key topics include creating a Kubernetes cluster, setting default deny NetworkPolicy, installing the Kubernetes Dashboard, verifying Kubernetes releases, and managing roles and role bindings.
Designed for Kubernetes administrators and security specialists aiming to master the Certified Kubernetes Security Specialist certification, this course assumes prior knowledge of Kubernetes administration.
Overview
Syllabus
- Become a Certified Kubernetes Security Specialist (CKS)
- In this module, we will guide you through the steps to become a Certified Kubernetes Security Specialist (CKS). You'll learn about the certification process, the requirements, and the best resources to help you succeed in your certification journey.
- Create Kubernetes Cluster
- In this module, we will cover the creation of a Kubernetes cluster and delve into some common errors you might encounter. You'll learn how to set up your cluster and troubleshoot issues to maintain a stable and functional environment.
- Cluster Setup - Use Network Security Policies to Restrict Cluster Level Access
- In this module, we will explore the use of Network Policies to restrict access at the cluster level. You'll learn about default deny policies, how to set up egress and ingress rules, and how to create policies for different namespaces.
- Cluster Setup - Minimize Use of and Access to GUI Elements
- In this module, we will focus on minimizing the use and access to GUI elements in Kubernetes. You'll learn how to install the Kubernetes Dashboard, understand the risks of insecure access, and implement RBAC to enhance security.
- Cluster Setup - Properly Set Up Ingress Objects with Security Control
- In this module, we will guide you through the creation and securing of Ingress objects in Kubernetes. You'll learn how to set up Ingress and apply security controls to protect your cluster.
- Protect Node Metadata and Endpoints
- In this module, we will discuss how to access and protect node metadata in a Kubernetes cluster. You'll learn about the security implications and how to use Network Policy to safeguard node endpoints.
- Use CIS Benchmark to Review the Security Configuration of Kubernetes Components
- In this module, we will explore the CIS benchmark for Kubernetes security and how to use kube-bench to review and improve your cluster's security configuration.
- Verify Platform Binaries before Deploying
- In this module, we will cover the importance of verifying platform binaries before deployment. You'll learn how to delete custom networks and verify the apiserver binary to ensure your cluster's security.
- Cluster Hardening - RBAC
- In this module, we will focus on RBAC for cluster hardening. You'll learn about roles, rolebindings, and how to manage accounts and Certificate Signing Requests to enhance security.
- Exercise Caution in Using Service Accounts
- In this module, we will discuss the cautious use of Service Accounts in Kubernetes. You'll learn about custom Service Accounts, disabling their mounting, and limiting their permissions with RBAC.
- Cluster Hardening - Restrict API Access
- In this module, we will explore methods to restrict API access for cluster hardening. You'll learn about enabling/disabling anonymous access, performing secure API requests, and using Node Restriction Admission Controller.
- Cluster Hardening - Upgrade Kubernetes
- In this module, we will cover the upgrade process for Kubernetes clusters. You'll learn how to verify Node Restriction, create clusters with older versions, and upgrade to ensure your cluster remains secure and up-to-date.
- Microservice Vulnerabilities - Manage Kubernetes Secrets
- In this module, we will focus on managing Kubernetes secrets and understanding their vulnerabilities. You'll learn how to create secrets, hack them to understand their weaknesses and implement ETCD encryption for protection.
- Use Container Runtime Sandboxes in a Multi-Tenant Environment
- In this module, we will explore the use of container runtime sandboxes in a multi-tenant environment. You'll learn about calling the Linux kernel, the OCI, and how to use Crictl and create Runtime Classes.
- Microservices Vulnerabilities - OS Level Security Domains
- In this module, we will delve into OS-level security domains for microservices. You'll learn how to set container users and groups, enforce non-root policies, manage privileged containers, and create Pod Security Policy.
- Microservices Vulnerabilities - mTLS
- In this module, we will cover mTLS and its implementation. You'll learn the basics of mTLS and how to create a sidecar proxy to secure communications.
- Open Policy Agent (OPA)
- In this module, we will explore the Open Policy Agent (OPA) and its use in Kubernetes security. You'll learn about installing an OPA gatekeeper, enforcing policies, and implementing Deny All policies and namespace label enforcement.
- Supply Chain Security - Image Footprint
- In this module, we will focus on supply chain security by reducing image footprint. You'll learn how to use multi-stage builds and secure and harden container images.
- Supply Chain Security - Static Analysis
- In this module, we will explore static analysis for supply chain security. You'll learn about using Kubesec, performing static analysis with Docker images, and utilizing OPA Conftest.
- Supply Chain Security - Image Vulnerability Scanning
- In this module, we will cover image vulnerability scanning using Trivy. You'll learn how to scan container images to identify and mitigate vulnerabilities.
- Supply Chain Security - Secure Supply Chain
- In this module, we will focus on securing the supply chain in Kubernetes. You'll learn about image digests and how to whitelist registries using OPA to enhance security.
- Behavioral Analytics at Host and Container Level
- In this module, we will explore behavioral analytics at the host and container levels. You'll learn how to use Strace, access /proc, and environment variables, and implement Falco for threat detection and monitoring.
- Runtime Security - Immutability of Containers at Runtime
- In this module, we will discuss the immutability of containers at runtime. You'll learn about the concept of immutability, how to implement Startup Probe, and use Security Context to render containers immutable.
- Runtime Security - Auditing
- In this module, we will cover auditing for runtime security in Kubernetes. You'll learn about the importance of auditing, how to implement audit policies, enable audit logging, and check logs for compliance.
- System Hardening - Kernel Hardening
- In this module, we will focus on system hardening through kernel hardening techniques. You'll learn how to implement AppArmor and Seccomp profiles for various Kubernetes components to enhance overall security.
Taught by
Packt - Course Instructors