k8s security
- Description
- Curriculum
- FAQ
- Announcement
- Reviews
Docker and Kubernetes is one of the world’s most popular container and container orchestration tools. Established by the Cloud Native Computing Foundation (CNCF),
Developers often struggle when first encountering the cloud. Learning about distributed systems, becoming familiar with technologies such as containers and functions, and knowing how to put everything together can be daunting. With this practical guide, you’ll get up to speed on patterns for building cloud native applications and best practices for common tasks such as messaging, eventing, and DevOps.
Learning Objectives
The Learning Path will prepare you to understand and demonstrate your knowledge in each of the general domains of developing cloud native applications using docker and deploying and kubernetes
- Learn the fundamentals of cloud native applications
- Explore key cloud native communication, connectivity, and composition patterns
- Learn decentralized data management techniques
- Use event-driven architecture to build distributed and scalable cloud native applications
- Explore the most commonly used patterns for API management and consumption
- Examine some of the tools and technologies you’ll need for building cloud native systems
Intended Audience
This Learning Path is intended specifically for Docker and Kubernetes application developers. Anyone interested in learning how to work with Kubernetes will also benefit from this Learning Path.
Prerequisites
A solid understanding of containers, and Docker in particular, will be of value. If you are not comfortable with Docker and Kubernetes , you are encouraged to complete the Docker and Kubernetes Learning Path.
This Learning path helps you to learn from fundamentals to advanced Docker and Kubernetes running on Linux machines. You should be comfortable working with basic Linux commands.
Additional Documentation
Kubernetes Architecture
-
1
The rise of Docker and the trend of microservices -
2
Kubernetes adoption status
-
3
Kubernetes clusters
-
4
Kubernetes components
-
5
The Kubernetes interfaces
-
6
Kubernetes objects
-
7
Pods
-
8
Deployments
-
9
Services
-
10
Replica sets
-
11
Volumes
-
12
Namespaces
-
13
Service accounts
-
14
Network policies
-
15
Pod security policies
-
16
Kubernetes variations
-
17
Minikube
-
18
Kubernetes and cloud providers
-
19
Kubernetes as a service
-
20
Why worry about Kubernetes' security?
Kubernetes Networking
-
21
Overview of the Kubernetes network model
-
22
Port-sharing problems
-
23
Kubernetes network model
-
24
Communicating inside a pod
-
25
Linux namespaces and the pause container
-
26
Beyond network communication
-
27
Communicating between pods
-
28
The Kubernetes service
-
29
kube-proxy
-
30
Introducing the Kubernetes service
-
31
Service discovery
-
32
Service types
-
33
Ingress for routing external requests
-
34
Introducing the CNI and CNI plugins
-
35
CNI specification and plugins
-
36
Calico
Threat Modeling
Applying The Principle Of Least Privilege In Kubernetes
-
45
queue
-
46
64% of section complete
-
47
The principle of least privilege
-
48
Authorization model
-
49
Rewards of the principle of least privilege
-
50
Least privilege of Kubernetes subjects
-
51
Introduction to RBAC
-
52
Service accounts, users, and groups
-
53
Role
-
54
RoleBinding
-
55
Kubernetes namespaces
-
56
Wrapping up least privilege for Kubernetes subjects
-
57
Least privilege for Kubernetes workloads
-
58
Least privilege for accessing system resources
-
59
Wrapping up least privilege for accessing system resources
-
60
Least privilege for accessing network resources
-
61
Least privilege for accessing application resources
Configuring Kubernetes Security Boundaries
-
62
Introduction to security boundaries
-
63
Security boundaries versus trust boundaries
-
64
Kubernetes security domains
-
65
Kubernetes entities as security boundaries
-
66
Security boundaries in the system layer
-
67
Linux namespaces as security boundaries
-
68
Linux capabilities as security boundaries
-
69
Wrapping up security boundaries in the system layer
-
70
Security boundaries in the network layer
-
71
Network policies
Securing Cluster Components
Authentication
Authorization
And Admission Control
-
79
Requesting a workflow in Kubernetes
-
80
Kubernetes authentication
-
81
Client certificates
-
82
Static tokens
-
83
Basic authentication
-
84
Bootstrap tokens
-
85
Service account tokens
-
86
Webhook tokens
-
87
Authentication proxy
-
88
User impersonation
-
89
Kubernetes authorization
-
90
Request attributes
-
91
Authorization modes
-
92
Node
-
93
ABAC
-
94
RBAC
-
95
Webhooks
-
96
Admission controllers
-
97
AlwaysPullImages
-
98
EventRateLimit
-
99
LimitRanger
-
100
NodeRestriction
-
101
PersistentVolumeClaimResize
-
102
PodSecurityPolicy
-
103
SecurityContextDeny
-
104
ServiceAccount
-
105
MutatingAdmissionWebhook and ValidatingAdmissionWebhook
-
106
Introduction to OPA
Securing Kubernetes Pods
-
107
Hardening container images
-
108
Container images and Dockerfiles
-
109
CIS Docker benchmarks
-
110
Configuring the security attributes of pods
-
111
Setting host-level namespaces for pods
-
112
Security context for containers
-
113
Security context for pods
-
114
AppArmor profiles
-
115
The power of PodSecurityPolicy
-
116
Understanding PodSecurityPolicy
-
117
Kubernetes PodSecurityPolicy Advisor
Image Scanning In DevOps Pipelines
-
118
Introducing container images and vulnerabilities
-
119
Container images
-
120
Detecting known vulnerabilities
-
121
Scanning images with Anchore Engine
-
122
Introduction to Anchore Engine
-
123
Scanning images with anchore-cli
-
124
Integrating image scanning into the CI/CD pipeline
-
125
Scanning at the build stage
-
126
Scanning at the deployment stage
-
127
Scanning at the runtime stage
Real-Time Monitoring And Resource Management Of A Kubernetes Cluster
-
128
Real-time monitoring and management in monolith environments
-
129
Managing resources in Kubernetes
-
130
Resource requests and limits
-
131
Namespace resource quotas
-
132
LimitRanger
-
133
Monitoring resources in Kubernetes
-
134
Built-in monitors
-
135
Third-party monitoring tools
-
136
Prometheus and Grafana
Defense In Depth
-
137
Introducing Kubernetes auditing
-
138
Kubernetes audit policy
-
139
Configuring the audit backend
-
140
Enabling high availability in a Kubernetes cluster
-
141
Enabling high availability of Kubernetes workloads
-
142
Enabling high availability of Kubernetes components
-
143
Enabling high availability of a cloud infrastructure
-
144
Managing secrets with Vault
-
145
Setting up Vault
-
146
Provisioning and rotating secrets
-
147
Detecting anomalies with Falco
-
148
An overview of Falco
-
149
Creating Falco rules to detect anomalies
-
150
Conducting forensics with Sysdig Inspect and CRIU
-
151
Using CRIU to collect data
-
152
Using Sysdig and Sysdig Inspect
Analyzing And Detecting Crypto-Mining Attacks
-
153
Analyzing crypto-mining attacks
-
154
An introduction to crypto-mining attacks
-
155
The crypto-mining attack on Tesla's Kubernetes cluster
-
156
Graboid – a crypto-worm attack
-
157
Lessons learned
-
158
Detecting crypto-mining attacks
-
159
Monitoring CPU utilization
-
160
Detecting network traffic to a mining pool
-
161
Detecting launched crypto-mining processes
-
162
Checking the binary signature
-
163
Defending against attacks
-
164
Securing Kubernetes cluster provisioning
-
165
Securing the build
-
166
Securing deployment
-
167
Securing runtime
Learning From Kubernetes CVEs
-
168
The path traversal issue in kubectl cp – CVE-2019-11246
-
169
Mitigation strategy
-
170
DoS issues in JSON parsing – CVE-2019-1002100
-
171
Mitigation strategy
-
172
A DoS issue in YAML parsing – CVE-2019-11253
-
173
Mitigation strategy
-
174
The Privilege escalation issue in role parsing – CVE-2019-11247
-
175
Mitigation strategy
-
176
Scanning for known vulnerabilities using kube-hunter
Coming Soon
Coming Soon
Coming Soon
Please, login to leave a review
