Docker & Kubernetes Security

Learn how to securely orchestrate and operate containers.

About

Created for teams that rely on Docker and Kubernetes for their daily work, this training is an extensive guide to security aspects of both tools. We teach, how to attack Kubernetes-based environments, which attack vectors are available, which are the most crucial, what are the best practices regarding containerized environments, and how to defend against malicious actors. This training is meant to teach you how to secure containers, pods, and clusters against the threats you will surely encounter.

Good understanding of Linux and Networking topics are highly recommended, if not required. The training consists of five days of extremely hard work, as the knowledge presented is professionally considered highly difficult and elite.

On-site, ask to schedule

Ask for this training

Type of training

Exclusively on-site
5 intensive days
Theory and laboratories

Who should attend

Operation teams (DevOps/DevSecOps)
Senior-rank Developers
Technology Leaders

Required knowledge

Docker & Kubernetes - min. Good
Linux - Good to Great
Networking - Good to Great

Agenda

What is containerization, per se?
How containerization differs from virtualisation?
The history of Docker. What is Docker? Is Docker the first and the only one containerization technology?
How Docker differs from other containerization technologies, like LXC, OpenVZ, BSD-jails?
What kind of operating systems can handle Docker?
How Docker runs on non-Linux based systems, like MacOS or Windows?

What is a Docker container?
What is a Docker image?
How are containers and images connected?
What does it mean that container is ephemeral?
What is a Docker registry?
How to build your first Docker image?
How to run your first Docker container?

What kind of isolation layers are provided by Docker?
What are the responsibilities of the following isolation layers: cgroups, namespaces, capabilities?
What are cgroups? What are soft and hard limits in cgroups?
What is a namespace? What kind of namespaces could be created in namespaces?
What are the capabilities? What kind of capabilities are currently available?
How does out of memory interfere with the container?

How can containers be accessed from the outside world, accordingly to the namespaces?
What kind of network drivers can be used with Docker?
What are host, bridge, local?
What is the overlay network? What are VXLAN networks?
What are macvlan networks?
What are ipvlan networks?

What are stateful containers?
How stateful containers, like MySQL can be achieved on Docker?
What is a volume?
How is the volume achieved on on-premise infrastructures and clouds?
What are the advantages and disadvantages of volume?

How to handle secrets in images and containers?
What are the ways to handle secrets in containers?
What are recommended patterns for secrets management in containers?
What are compromised secrets? How to rotate secrets?

What is docker-compose?
What is docker-compose.yaml file?
How docker-compose affects inter-services communication?

What privileges are required to run Docker containers?
What kind of authentication or authorization is provided by Docker daemon?
What kind of attack surfaces can be applied to Docker daemon?
What is aufs? What is overlayfs? What is btrfs in Docker storage conception? How these storage drivers impact security and performance?
What are authorization plugins on Docker client?
What is live-restore functionality?
How to handle registry security from a host perspective?
How to test host security automatically?

What does it mean that an image is secure? How can we define image security?
What is registry spoofing? How can Docker image be affected?
How can an image be poisoned?
Is image secure and will be forever?
What are Dockerfile best practices in regards to image building and its security?
What is .dockerignore file? How can we use it properly?
What are multi-stage builds?
How can they improve the security of the image?
What is a GPG-sign on an image? How can it be verified? What is DOCKER_CONTENT_TRUST?
What are LABEL-s? What is label-schema (http://label-schema.org/rc1/)? How do they impact security?
What is image squashing? How does it improve security?
What are HEALTHCHECK-s?

What is the UTC namespace?
What is the IPC namespace?
What are namespace kernel parameters?
What is user namespace binding? How does it impact the security of the host?
What are restart policies? How can they affect runtime and host security?
What is container cleanup?
Why should the latest tag should never ever be used in a production system?
What is seccomp? How seccomp policies can improve security of Docker runtime?
What is SELinux? How SELinux Mandatory Access Control can improve security? How to build a SELinux module to make your web-application more secure? How to use AppAmor for improved Security?
What is read-only mode for runtime? Why is it so valuable?
What are container break-outs?

How logging affects security?
What kind of logging is the most effective and appropriate for containerized systems?
How does Elasticsearch stack improve the security of a system?
What are logging best-practices on Docker daemon and Docker container runtime?

What is Kubernetes? How Kubernetes improves Docker orchestration?
How to achieve Kubernetes compliance?
What is RBAC? How RBAC improves Docker security?
How Kubernetes improves networking security?
What is a Pod Security Policy?
What is Network Policy? How do they impact security?
Control plane TLS certificates
What are pod quotas? How do they impact security?
What is Cloud Metadata Server? How to use it for further exfiltration?
How to manage secrets in Kubernetes? What is HashiCorpVault?
What are Admission Webhooks?
What is Audit log?
What is CIS-Benchmark? How to check CIS compliance?
How to achieve secure pod to pod communication? What is mTLS?
What is an Open Policy Agent? How does it improve security?
What is Envoy and Istio? How does it compare to Linkerd?
What is Helm? What are attack vectors on Helm Charts? How to attack Tiller server?

A sample set of laboratories

Infrastructure exfiltration by runC privilege escalation
Kubernetes exfiltration and session-persistence with Helm Charts and Tiller
Image-security scanning with Trivy and vulns
Host take-over with exposed DockerAPI
Denial of the service attack with crushing Docker-based application
Container image-poisoning
Information and secrets gathering from Docker image
Generating seccomp-profiles with a set of tools

Protecting Docker-container using PodSecurityPolicies
Auditing Kubernetes infrastructure with fast Host Intrusion Detection System implementation and Kubernetes API auditlog
Man in the middle for Docker-registry
Host-pivoting through Kubernetes infrastructure
Cloud account exfiltration by Cloud Metadata Server
Enforcing compliance by AdmissionControllers and WebHooks
Automated application checks

Articles

Could you explain the basics of Docker?

How to secure container image?

Training Concept

"Docker and Kubernetes have been widely adopted, as the most popular foundation of infrastructure. However, even though they both solve a lot of problems, for each issue solved, another takes its place. Containers and pods might be better equipped to handle the current needs and desires of your business, but if they are insecure, are the risks of devastating financial, reputation, and code-wise losses acceptable? If you cannot keep your environments safe, you are doomed, no matter if you're running Kubernetes or any other kind of orchestrator, that is for sure."

- Kamil Zabielski

Trainer, CEO, Sysdogs

Questions

Email us: [email protected]

Our B2B training courses are tailored for the needs of teams operating in business sector - suited to the demands of company, current and expected competences of its team, and the expected future business needs.

Unfortunately, no. Those trainings are restricted to business clients only. But make sure to check our offering of high-quality personal courses, we're confident you will find something that will suit your needs.

B2B trainings are not available on-line - they are conducted on-site personally by our experienced engineers.

Our trainings are prepared in the BYOD (Bring Your Own Device) formula, therefore every participant needs a device that can be used for training purposes (Laptop, PC, or Mac with appropriate resources available). The additional requirements may vary, depending on the course - some may require basic understanding of some topics, or previous work experience with some tools.

Recommendations

"Professionalism, partnership and high-quality. We can surely say, Sysdogs is one of the most experienced companies in Poland, when speaking about security, contenerization and Kubernetes. They are deeply integrated in development process, understand the business needs and really automate all the things. Anything in DevOps and DevSecOps areas - only sysdogs!"

- Maciej Gastol

CEO, Going. Sp. z o.o.

"We have asked sysdogs for help, and they provided efficient, effective infrastructure right on time. The timeframe of this project was very limited, so naturally, we've been looking for experts, with immediate, tested and sure solutions for problems that we knew would occur. During the first meeting, the CTO has presented a few solutions for every issue we have mentioned, and more! We had no need to oversee or be significantly present in the process - the final result is perfectly in line with our requirements and needs, and requires little attention, so we can focus on growing the project with peace of mind. True DevOps magic, delivered by true DevOps magicians. Great cooperation, and understanding of the business. Worth recommending."

- Michał Kurdziel

CTO, StarTerra

"Sysdogs were recommended to us, and now we know why - they fulfill all your expectations, and go even beyond those. Our time was limited, but for Sysdogs this wasn't a problem, everything was delivered efficiently and on time. Brilliant solutions, quick and spot-on. Dependable people that you can trust with your business. We will recommend them to everyone we can, with pleasure. Unbeatable, true DevOps magicians."

- Simon Rahme

COO, Loop Finance

"sysdogs is not just an another software company which claims to do DevOps. They are a team of enthusiasts with many years of experience in the field of System Administration, Infrastructure, Network and Security that loves what they do. They are real professionals, act as a real partner who is ready to advise and is not afraid of pointing your mistakes. If you have any needs in DevOps area - they should be your first choice!"

- Karol Wiszowaty

COO, Inspeerity

"At every moment of our cooperation, our wishes and expectations were met and exceeded by the Sysdogs team. Thanks to their knowledge in the creation of our new cloud infrastructure, we have created a foundation for scalable and secure network applications. A pro-customer approach at every stage of implementation makes cooperation with Sysdogs a real pleasure."

- Tymoteusz Wisniowski

Manager, ROLV Group Sp. z o.o.

"Choosing the right team for cooperation is not simple. In case of a dynamic business like ours, we wanted our partner to also meet a number of specific requirements. It turned out that the sysdogs team fit perfectly. Many months of cooperation have shown us, that they always provide the best solutions. Their commitment and professionalism does not dissapear after the first month of partnership. The latest technologies, high-quality communication, business consulting - that's what you can expect. If you are looking for DevOps, DevSecOps or cloud engineers, look no further - this is the team of high-class specialists that you need."

- Tomasz Wojtkiewicz

CEO, Nextbike Poland

"Sysdogs has reduced the delivery time of the applications and has delivered high-quality infrastructures. The team creates solutions that are tailored for the business needs and requirements. Overall, their vast experience in DevOps ensures a successful ongoing partnership."

- Maciej Kurek

CTO, Library X

"Thanks to Sysdogs engagement, the production environment can expect to process four petabytes of data growing by 200-500 GB a day with consistency and productivity. The team has established multiple communication tools to provide progress updates. Their optimal solutions are impressive."

- Maciej Lach

CTO, big xyt

How to order?

We want to ensure you, that every incoming inquiry is important to us, treated with the highest level of care, and also guarantee, that you will receive a response within 48 hours or less.

Send an inquiry!

Each inquiry is treated individually.

Response within 48 hours guaranteed!

About

On-site, ask to schedule

Type of training

Who should attend

Required knowledge

Agenda

I. Containerization overview

I. Containerization overview

II. High-level overview on Docker

II. High-level overview on Docker

III. Isolation

III. Isolation

IV. Networking

IV. Networking

V. Stateful containers

V. Stateful containers

VI. Secrets Management

VI. Secrets Management

VII. Running multiple containers

VII. Running multiple containers

VIII. Linux-host security aspects

VIII. Linux-host security aspects

IX. Image security aspects

IX. Image security aspects

X. Runtime security aspects

X. Runtime security aspects

XI. Logging

XI. Logging

XII. Kubernetes & Security

XII. Kubernetes & Security

A sample set of laboratories

Articles

Training Concept

Questions

How to contact you?

How to contact you?

Who is our training suitable for?

Who is our training suitable for?

Will I be able to register for those as an individual?

Will I be able to register for those as an individual?

Are those courses on-site, or available on-line?

Are those courses on-site, or available on-line?

Are there any requirements for participants?

Are there any requirements for participants?

Recommendations

How to order?

Contact