O'Reilly logo
live online training icon Live Online training

Kubernetes Security: Attacking and Defending Kubernetes

Topic: System Administration
Andrew Martin

Like many complex systems Kubernetes has historically been insecure by default, and contains a number of “footguns” that make secure deployments difficult. Segregation of duty, least privilege, and a rigorous Continuous Security approach are the foundations of any secure system — however these become more difficult to achieve in distributed systems with many moving parts.

But all is not lost! With an understanding of the foundational layers and principles including micro-segmentation, zero trust, and local PKI, Kubernetes can be secured against the most ardent of attackers.

The course guides attendees through an introduction to Linux container security, and progresses to advanced Kubernetes cluster security. It emphasizes pragmatic threat modelling and risk assessment based on an understanding of the tools and primitives available.

What you'll learn-and how you can apply it

By the end of this live, hands-on, online course, you’ll understand:

  • Linux and container security
  • The Kubernetes attack surface
  • Automated container security testing and DevSecOps workflows
  • Open Source security tooling and the vendor landscape

And you’ll be able to:

  • Break out of a container
  • Attack and harden Kubernetes
  • Security test Kubernetes clusters

This training course is for you because...

  • You’re an intermediate to advanced Kubernetes user who wants to strengthen their security understanding
  • You want to become an SRE, DevOps, or DevSecOps engineer


  • Familiarity and comfort with Docker, Kubernetes, and the Linux command line

Recommended preparation:

  • To attend this course please make sure that you have a Linux VM or physical machine with at least 8GB of RAM and 20GB of disk space, as well as a second machine (or VM) with a Linux terminal. You are welcome to follow along within these, but you will need both Linux machine in order to fully participate in the exercises.
  • Read Kubernetes: Up and Running (book)
    • Chapter 1. Introduction
  • Read Kubernetes Security (report)
    • Chapter 1. Approaching Kubernetes Security
    • Chapter 6. Running Containers Securely

Recommended follow-up:

Read Kubernetes Security (report) Read Kubernetes: Up and Running (book)

About your instructor

  • Andrew has a incisive security engineering ethos gained architecting and deploying high-traffic web applications. Proficient in systems development, testing, and operations, he is comfortable profiling and securing every tier of a bare metal or cloud native application, and has battle-hardened experience delivering containerised solutions to enterprise clients. He is a co-founder at https://control-plane.io


The timeframes are only estimates and may vary according to how the class is progressing

Intro to Container Security (65 minutes)

  • Presentation: 30 minutes
    • History of Linux and container security; new opportunities to utilise containers for enhanced security; what security benefits Kubernetes promises; Docker’s security features and the attacks prevented by default
  • Discussion: 10 minutes
  • Exercise: Container Security Primitives (25m)
    • Hacking for Fun and Profit
    • Securing Your Host
    • cgroups and Namespaces
    • Kernel Capabilities
    • User Namespaces
  • Q&A

Attacking Containerised Workloads (70 minutes)

  • Presentation: 30 minutes
    • Container immutability and how its useful; why container image scanning is a good idea; where containers are insecure by design and configuration; attacking systems with container images; minimum viable security for workloads; anatomy of a container breakout
  • Discussion: 10 minutes
  • Exercises (25m)
    • Trojanising
    • AppArmor profiles
    • Seccomp
    • Microscanner
  • Q&A
  • 5 minute break

Attacking Kubernetes (55 minutes)

  • Presentation: 20 minutes
    • Common attacks on Kubernetes; historical Kubernetes breaches and facepalms; the Kubernetes attack surface and how to exploit it; how to root your friendly local container host
  • Discussion: 10 minutes
  • Exercises (20m)
    • Kubernetes Attack Surface
    • Rooting the Kubelet
  • Q&A
  • 5 minute break

Hardening Kubernetes (50 minutes)

  • Presentation: 30 minutes
    • How not to get hacked; traditional network security patterns in the cloud native world; micro-segmentation and zero trust; debugging hardened systems and workloads; Kubernetes policy gates
  • Discussion: 10 minutes
  • Exercises (20m)
    • Pod Security Policy
    • Building and Testing Network Policies
  • Q&A