Docker & Kubernetes Security
Learn how to securely orchestrate and operate containers.
About
Good understanding of Linux and Networking topics are highly recommended, if not required. The training consists of five days of extremely hard work, as the knowledge presented is professionally considered highly difficult and elite.
On-site, ask to schedule
Type of training
- Exclusively on-site
- 5 intensive days
- Theory and laboratories
Who should attend
- Operation teams (DevOps/DevSecOps)
- Senior-rank Developers
- Technology Leaders
Required knowledge
- Docker & Kubernetes - min. Good
- Linux - Good to Great
- Networking - Good to Great
Agenda
I. Containerization overview
- What is containerization, per se?
- How containerization differs from virtualisation?
- The history of Docker. What is Docker? Is Docker the first and the only one containerization technology?
- How Docker differs from other containerization technologies, like LXC, OpenVZ, BSD-jails?
- What kind of operating systems can handle Docker?
- How Docker runs on non-Linux based systems, like MacOS or Windows?
II. High-level overview on Docker
- What is a Docker container?
- What is a Docker image?
- How are containers and images connected?
- What does it mean that container is ephemeral?
- What is a Docker registry?
- How to build your first Docker image?
- How to run your first Docker container?
III. Isolation
- What kind of isolation layers are provided by Docker?
- What are the responsibilities of the following isolation layers: cgroups, namespaces, capabilities?
- What are cgroups? What are soft and hard limits in cgroups?
- What is a namespace? What kind of namespaces could be created in namespaces?
- What are the capabilities? What kind of capabilities are currently available?
- How does out of memory interfere with the container?
IV. Networking
- How can containers be accessed from the outside world, accordingly to the namespaces?
- What kind of network drivers can be used with Docker?
- What are host, bridge, local?
- What is the overlay network? What are VXLAN networks?
- What are macvlan networks?
- What are ipvlan networks?
V. Stateful containers
- What are stateful containers?
- How stateful containers, like MySQL can be achieved on Docker?
- What is a volume?
- How is the volume achieved on on-premise infrastructures and clouds?
- What are the advantages and disadvantages of volume?
VI. Secrets Management
- How to handle secrets in images and containers?
- What are the ways to handle secrets in containers?
- What are recommended patterns for secrets management in containers?
- What are compromised secrets? How to rotate secrets?
VII. Running multiple containers
- What is docker-compose?
- What is docker-compose.yaml file?
- How docker-compose affects inter-services communication?
VIII. Linux-host security aspects
- What privileges are required to run Docker containers?
- What kind of authentication or authorization is provided by Docker daemon?
- What kind of attack surfaces can be applied to Docker daemon?
- What is aufs? What is overlayfs? What is btrfs in Docker storage conception? How these storage drivers impact security and performance?
- What are authorization plugins on Docker client?
- What is live-restore functionality?
- How to handle registry security from a host perspective?
- How to test host security automatically?
IX. Image security aspects
- What does it mean that an image is secure? How can we define image security?
- What is registry spoofing? How can Docker image be affected?
- How can an image be poisoned?
- Is image secure and will be forever?
- What are Dockerfile best practices in regards to image building and its security?
- What is .dockerignore file? How can we use it properly?
- What are multi-stage builds?
- How can they improve the security of the image?
- What is a GPG-sign on an image? How can it be verified? What is DOCKER_CONTENT_TRUST?
- What are LABEL-s? What is label-schema (http://label-schema.org/rc1/)? How do they impact security?
- What is image squashing? How does it improve security?
- What are HEALTHCHECK-s?
X. Runtime security aspects
- What is the UTC namespace?
- What is the IPC namespace?
- What are namespace kernel parameters?
- What is user namespace binding? How does it impact the security of the host?
- What are restart policies? How can they affect runtime and host security?
- What is container cleanup?
- Why should the latest tag should never ever be used in a production system?
- What is seccomp? How seccomp policies can improve security of Docker runtime?
- What is SELinux? How SELinux Mandatory Access Control can improve security? How to build a SELinux module to make your web-application more secure? How to use AppAmor for improved Security?
- What is read-only mode for runtime? Why is it so valuable?
- What are container break-outs?
XI. Logging
- How logging affects security?
- What kind of logging is the most effective and appropriate for containerized systems?
- How does Elasticsearch stack improve the security of a system?
- What are logging best-practices on Docker daemon and Docker container runtime?
XII. Kubernetes & Security
- What is Kubernetes? How Kubernetes improves Docker orchestration?
- How to achieve Kubernetes compliance?
- What is RBAC? How RBAC improves Docker security?
- How Kubernetes improves networking security?
- What is a Pod Security Policy?
- What is Network Policy? How do they impact security?
- Control plane TLS certificates
- What are pod quotas? How do they impact security?
- What is Cloud Metadata Server? How to use it for further exfiltration?
- How to manage secrets in Kubernetes? What is HashiCorpVault?
- What are Admission Webhooks?
- What is Audit log?
- What is CIS-Benchmark? How to check CIS compliance?
- How to achieve secure pod to pod communication? What is mTLS?
- What is an Open Policy Agent? How does it improve security?
- What is Envoy and Istio? How does it compare to Linkerd?
- What is Helm? What are attack vectors on Helm Charts? How to attack Tiller server?
A sample set of laboratories
- Infrastructure exfiltration by runC privilege escalation
- Kubernetes exfiltration and session-persistence with Helm Charts and Tiller
- Image-security scanning with Trivy and vulns
- Host take-over with exposed DockerAPI
- Denial of the service attack with crushing Docker-based application
- Container image-poisoning
- Information and secrets gathering from Docker image
- Generating seccomp-profiles with a set of tools
- Protecting Docker-container using PodSecurityPolicies
- Auditing Kubernetes infrastructure with fast Host Intrusion Detection System implementation and Kubernetes API auditlog
- Man in the middle for Docker-registry
- Host-pivoting through Kubernetes infrastructure
- Cloud account exfiltration by Cloud Metadata Server
- Enforcing compliance by AdmissionControllers and WebHooks
- Automated application checks
Articles
Training Concept
"Docker and Kubernetes have been widely adopted, as the most popular foundation of infrastructure. However, even though they both solve a lot of problems, for each issue solved, another takes its place. Containers and pods might be better equipped to handle the current needs and desires of your business, but if they are insecure, are the risks of devastating financial, reputation, and code-wise losses acceptable? If you cannot keep your environments safe, you are doomed, no matter if you're running Kubernetes or any other kind of orchestrator, that is for sure."
- Kamil Zabielski
Trainer, CEO, Sysdogs
Questions
How to contact you?
Who is our training suitable for?
Will I be able to register for those as an individual?
Are those courses on-site, or available on-line?
Are there any requirements for participants?
Recommendations
"Professionalism, partnership and high-quality. We can surely say, Sysdogs is one of the most experienced companies in Poland, when speaking about security, contenerization and Kubernetes. They are deeply integrated in development process, understand the business needs and really automate all the things. Anything in DevOps and DevSecOps areas - only sysdogs!"
- Maciej Gastol
Chief Executive Officer, Going. Sp. z o.o.
"sysdogs is not just an another software company which claims to do DevOps. They are a team of enthusiasts with many years of experience in the field of System Administration, Infrastructure, Network and Security that loves what they do. They are real professionals, act as a real partner who is ready to advise and is not afraid of pointing your mistakes. If you have any needs in DevOps area - they should be your first choice!"
- Karol Wiszowaty
Chief Operating Officer, Inspeerity
"At every moment of our cooperation, our wishes and expectations were met and exceeded by the Sysdogs team. Thanks to their knowledge in the creation of our new cloud infrastructure, we have created a foundation for scalable and secure network applications. A pro-customer approach at every stage of implementation makes cooperation with Sysdogs a real pleasure."
- Tymoteusz Wisniowski
Manager, ROLV Group Sp. z o.o.
"Sysdogs has reduced the delivery time of the applications and has delivered high-quality infrastructures. The team creates solutions that are tailored for the business needs and requirements. Overall, their vast experience in DevOps ensures a successful ongoing partnership."
- Maciej Kurek
Chief Technology Officer, Library X
"Thanks to Sysdogs engagement, the production environment can expect to process four petabytes of data growing by 200-500 GB a day with consistency and productivity. The team has established multiple communication tools to provide progress updates. Their optimal solutions are impressive."
- Maciej Lach
Chief Technology Officer, big xyt
