Opleiding: Kubernetes Security
Overview
Kubernetes offers features for securing a cluster and its applications. The out-of-the-box settings, however, may not provide full protection from hackers and unintentionally harmful actors.
This instructor-led, live training (online or onsite) is aimed at engineers who wish to secure a Kubernetes cluster beyond the default security settings.
By the end of this training, participants will be able to:
- Understand the vulnerabilities that are exposed by a default Kubernetes installation.
- Prevent unauthenticated access to the Kubernetes API, database, and other services.
- Protect a Kubernetes cluster from accidental or malicious access.
- Put together a comprehensive security policy and set of best practices.
Format of the Course
- Interactive lecture and discussion.
- Lots of exercises and practice.
- Hands-on implementation in a live-lab environment.
Course Customization Options
- To request a customized training for this course, please contact us to arrange.
Requirements
- Previous experience working with Kubernetes
Audience
- DevOps engineers
- Developers
Course Outline
Introduction
Overview of the Kubernetes API and Security Features
- Access to HTTPS endpoints, Kubernetes API, nodes, and containers
- Kubernetes Authentication and Authorization features
How Hackers Attack Your Cluster
- How hackers find your etcd port, Kubernetes API, and other services
- How hackers execute code inside your container
- How hackers escalate their privileges
- Case study: How Tesla exposed its Kubernetes cluster
Setting up Kubernetes
- Choosing a distribution
- Installing Kubernetes
Using Credentials and Secrets
- The credentials life cycle
- Understanding secrets
- Distributing credentials
Controlling Access to the Kubernetes API
- Encrypting API traffic with TLS
- Implementing authentication for API servers
- Implementing authorization for different roles
Controlling User and Workload Capabilities
- Understanding Kubernetes policies
- Limiting resource usage
- Limiting container privileges
- Limiting network access
Controlling access to nodes
- Separating workload access
Protecting Cluster Components
- Restricting access to etcd
- Disabling features
- Changing, removing and revoking credentials and tokens
Securing Container Image
- Managing Docker and Kubernetes images
- Building secure images
Controlling Access to Cloud Resources
- Understanding cloud platform metadata
- Limiting permissions to cloud resources
Evaluating Third Party Integrations
- Minimizing the permissions granted to third party software
- Evaluating components that can create pods
Establishing a Security Policy
- Reviewing the existing security profile
- Creating a security model
- Cloud native security considerations
- Other best practices
Encrypting Inactive Data
- Encrypting backups
- Encrypting the entire disk
- Encrypting secret resources in etcd
Monitoring Activity
- Enabling audit logging
- Auditing and governing the software supply chain
- Subscribing to security alerts and updates
Summary and Conclusion
.
Onze on line trainingen worden door een live instructeur verzorgd.
- Onze DaDesktop® -technologie creeert een digitale leeromgeving (en indien nodig een geclusterde enterprise infrastructuur) waarmee opdrachten en oefeningen uitgevoerd kunnen worden.
- De deelnemers (en de trainer) hebben toegang tot deze virtuele leeromgeving via de browser zodat hij/zij oefeningen kan doen die real time ingezien kunnen worden door de trainer.
- De trainer monitort niet alleen de voortgang van de prakitische oefeningen maar kan ook te hulp schieten en ingrijpen mocht dat nodig zijn.
- Onze remote trainingen verschillen niet van onze klassikale cursussen zowel qua duur, interactiviteit, praktische oefeningen als het cursusmateriaal.
- Door de flexibiliteit in de trainingsopbouw, de hoge mate van interactie tussen trainer en deelnemer en de hands-on oefeningen zijn onze onlinetrainingen zeer efficiënte en effectief.
- Ook onze in-company trainingen leveren wij on line met live instructeur.
