Security in Kubernetes - course, 50,000 rub., from Slurm (training). Date: November 28, 2023.
Instructor 1:
— Dozens of built infrastructures and hundreds of written CI/CD pipelines,
— Certified Kubernetes Administrator,
— Author of several courses on Kubernetes and DevOps,
— Regular speaker at Russian and international IT conferences.
Instructor 2:
— Engineer with 8 years of experience,
— Certified Kubernetes Administrator,
— Kubernetes implementations for Southbridge clients,
— Course developer and speaker at Slurm.
#1: Introduction
We'll tell you everything about the learning process and how to get access.
#2: Introduction to Kubernetes project security
Engineer's task: Understand the basic security principles of a project living in Kubernetes. Know about threat models.
Practice and theory: What is project security in the context of Kubernetes? Sec, Dev, Ops - how can everyone make friends and live happily?
#3: Protecting the cluster Control Plane
Engineer's task: Prevent an attacker from taking control of the cluster. Know the best practices for protecting the main Kubernetes components and have a checklist on hand for checking the project for potential vulnerabilities.
Practice and theory: The insecure API server port, etcd protection, anonymous authorization: what else should you pay attention to? How can you use the CIS Benchmarks to gain confidence in your security posture?
#4: Authorization, authentication and accounting in Kubernetes
Engineer's task: Understand in depth how authorization and authentication work in a Kubernetes cluster and know how to configure them correctly. Be able not only to set up these processes securely but also to visualize them, and to make user identification more convenient using Keycloak.
Practice and theory: How do authorization and authentication work in Kubernetes? How can Keycloak be used to build a working, convenient and secure process for identifying users in a cluster?
#5: Scanning Automation
Engineer's task: Learn to address security at the inception of a project, at the stage of writing code.
Practice and theory: How can you make sure there are no vulnerabilities in the code you have written? How can tools such as SAST and secret scanning help, and how are they used? How can sensitive data be detected directly in CI?
#6: Using Policy Engine and Admission Controllers
Engineer's task: Be able to configure security policies using a Policy Engine inside a Kubernetes cluster. Understand how Admission Controllers work and know how Pod Security Policy can be replaced.
Practice and theory: How can Policy Engines such as Kyverno or Open Policy Agent be used to control everything created in the cluster and to replace most Admission Controllers, such as PSP? How do Admission Webhooks work, and how can they be used to validate and mutate almost anything in a cluster?
#7: Container security
Engineer's task: Know the tools that can secure a container and make life as difficult as possible for an attacker.
Practice and theory: What is the situation with SELinux and Kubernetes, and is it necessary? Should AppArmor be used or not? How can container processes be locked down using Seccomp profiles and Capabilities? What are the best practices for container security in the context of Kubernetes and beyond?
#8: Secure storage of Secrets
Engineer's task: Know how to store sensitive data properly in a Kubernetes cluster.
Practice and theory: Where and how should the project's passwords and tokens be stored so that they remain safe?
#9: Kubernetes Networking
Engineer's task: Be able to flexibly create and manage network rules in a Kubernetes cluster.
Practice and theory: How can network isolation between environments be organized within a cluster? How can you make sure the project reaches only selected endpoints over the network?
#10: Threat Management in Kubernetes
Engineer's task: Understand what to pay attention to in your project from a security point of view and where to keep a finger on the pulse.
Practice and theory: How does observability contribute to project security?