Duration
5 Days
30 CPD hours
This course is intended for
Security Professionals working with Kubernetes Clusters
Container Orchestration Engineers
DevOps Professionals
Overview
In this course, students will learn and practice essential Kubernetes concepts and tasks in the following sections:
Cloud Security Fundamentals
Cluster Hardening
System Hardening
Minimize Microservice Vulnerabilities
Supply Chain Security
Disaster Recovery
Secure Back-up and Restore
This class prepares students for the Certified Kubernetes Security Specialist (CKS) exam. Kubernetes is a cloud orchestration platform providing reliability, replication, and stability while maximizing resource utilization for applications and services. By the conclusion of this hands-on, vendor-agnostic training you will be equipped with a thorough understanding of cloud security fundamentals, along with the knowledge, skills and abilities to secure a Kubernetes cluster, detect threats, and properly resolve a security catastrophe. This course includes hands-on instruction which develops skills and knowledge for securing container-based applications and Kubernetes platforms during build, deployment, and runtime. We prioritize covering all objectives and concepts necessary for passing the Certified Kubernetes Security Specialist (CKS) exam. You will be provided the components necessary to assemble your own high availability Kubernetes environment and harden it for your security needs.
Learning Your Environment
Underlying Infrastructure
Using Vim
Tmux
Cloud Security Primer
Basic Principles
Threat Analysis
Approach
CIS Benchmarks
Securing your Kubernetes Cluster
Kubernetes Architecture
Pods and the Control Plane
Kubernetes Security Concepts
Install Kubernetes using kubeadm
Configure Network Plugin Requirements
Kubeadm Basic Cluster
Installing Kubeadm
Join Node to Cluster
Kubeadm Token
Manage Kubeadm Tokens
Kubeadm Cluster Upgrade
Securing the kube-apiserver
Configuring the kube-apiserver
Enable Audit Logging
Falco
Deploy Falco to Monitor System Calls
Enable Pod Security Policies
Encrypt Data at Rest
Encryption Configuration
Benchmark Cluster with Kube-Bench
Kube-Bench
Securing ETCD
ETCD Isolation
ETCD Disaster Recovery
ETCD Snapshot and Restore
Purge Kubernetes
Purge Kubeadm
Image Scanning
Container Essentials
Secure Containers
Creating a Docker Image
Scanning with Trivy
Trivy
Snyk Security
Manually Installing Kubernetes
Kubernetes the Alta3 Way
Deploy Kubernetes the Alta3 Way
Validate your Kubernetes Installation
Sonobuoy K8s Validation Test
Kubectl (Optional)
Kubectl get and sorting
kubectl get
kubectl describe
Labels (Optional)
Labels
Labels and Selectors
Annotations
Insert an Annotation
Securing your Application
Scan a Running Container
Tracee
Security Contexts for Pods
Understanding Security Contexts
AppArmor Profiles
AppArmor
Isolate Container Kernels
gVisor
Pod Security
Pod Security Policies
Deploy a PSP
Pod Security Standards
Enable PSS
Open Policy Agent (OPA)
Admission Controller
Create a LimitRange
Open Policy Agent
Policy as Code
Deploy Gatekeeper
User Administration
Contexts
Contexts
Authentication and Authorization
Role Based Access Control
Role Based Access Control
RBAC Distributing Access
Service Accounts
Limit Pod Service Accounts
Securing Secrets
Secrets
Create and Consume Secrets
HashiCorp Vault
Deploy Vault
Securing the Network
Networking Plugins
NetworkPolicy
Deploy a NetworkPolicy
mTLS
Linkerd
mTLS with Istio
Istio
Threat Detection
Active Threat Analysis
Host Intrusion Detection
Deploy OSSEC
Network Intrusion Detection
Deploy Suricata
Physical Intrusion Detection
Disaster Recovery
Harsh Reality of Security
Deploy a Response Plan
Kasten K10 Backups
Deploy K10