Kubernetes Security (Advanced Concepts)



John Marx

Training Architect





Course Details

This course is the second part of the Kubernetes Security series. The first part is Kubernetes Security. This part is Advanced Concepts. This course guides the student through implementing network policy. It then goes through the administrative steps necessary to build, launch and maintain a secure Kubernetes Cluster.



Introduction to the Author


Lesson Description:

This video is the introduction to the course author.

Introduction to This Course


Lesson Description:

This is a brief introduction to the course, with some discussion of courses that are recommended as preparation for it.

Kubernetes Networking

Network Overlays


Lesson Description:

This is a brief lesson covering what network overlays are in Kubernetes, and a few popular overlays available at the time this lesson was published.

Network Policy


Lesson Description:

This video provides examples of how network policies are implemented. The lesson also gives a brief introduction to, and explanation of, the examples covered in the lab.

Hands-on Labs are real live environments that put you in a real scenario to practice what you have learned without any other extra charge or account to manage.


Building a Kubernetes Infrastructure

Host Server Hardening


Lesson Description:

This lesson covers the steps necessary to harden an operating system image that may then be used for Kubernetes master and worker nodes. We'll look at Packer on AWS as an example. We'll also get a picture of what the lab at the end of this section entails.

Secure Software Supply Chain


Lesson Description:

This lesson covers how a DevSecOps CI/CD Pipeline would control workflow for applications and the Kubernetes Cluster artifacts as well. We'll emphasize the ephemeral nature of both the applications and the infrastructures they run on.

Container Registries and Trusted Repositories


Lesson Description:

This lesson continues on the subject of a secure software supply chain by discussing some of the key capabilities of trusted repositories. We'll cover signing of content, secure authentication, and scanning as necessary practices that ensure a secure Kubernetes environment.

Choosing an Installer


Lesson Description:

This video discusses various approaches to Kubernetes installers and shows some of the considerations to keep in mind when making an installer choice.

Configuration Management


Lesson Description:

This lesson covers the role of configuration management and its importance for maintaining a Kubernetes delivery pipeline.

Scanning and Static Analysis of YAML


Lesson Description:

This lesson covers the need for YAML scanning, and demonstrates the Sonobuoy scanning tool from Heptio.



Launching a Kubernetes Cluster

From Lab to Maiden Voyage


Lesson Description:

This lesson discusses the opportunity for system administrators to take advantage of cloud infrastructures. By allowing virtual instances of servers to become available on demand, it's possible to build a pipeline for the Kubernetes cluster. This is similar to how application code pipelines might be used. We'll look at the idea of building, launching, testing, and then promoting a cluster configuration into production.

Hardening the Cluster


Lesson Description:

In the upcoming hands-on lab, we'll harden a cluster using the kube-bench utility. This lesson emphasizes the role that an installer (such as kops) and a configuration management tool (such as Ansible) might play in a build, launch and maintain style of Kubernetes deployment pipeline.

Monitoring and Alerts


Lesson Description:

This lesson covers the importance of configuring and testing the monitoring and alerting tools that are used later in production. The lesson provides a brief demo of the Heptio Sonobuoy scanning product.

Maintaining a Kubernetes Infrastructure

Patching Live Deployments


Lesson Description:

This lesson demonstrates utilizing the Kubernetes patch capabilities to update container workloads while they are running in a live cluster.

Upgrading Kubernetes Components


Lesson Description:

This lesson covers using an installer to upgrade the Kubernetes control plane and worker node components.

Node Recycling


Lesson Description:

This lesson introduces the concept of node recycling. By using the kubectl drain command, the administrator may cordon a node (marking it unschedulable), evict its running pods, and thus take it out of service in the cluster. This allows for patching of the operating system and other server-level configuration. Once the maintenance is complete, the node may be returned to service with the kubectl uncordon command.


Summation and Next Steps


Lesson Description:

This lesson is a quick summary of the course, and lists some third-party resources that students may find useful.