
Kubernetes Primer for Security Professionals

A collection of resources and tutorials for security professionals who want to approach the Kubernetes ecosystem.

This is the high-level outline of the different sections:

An attempt to demystify the perception that Kubernetes is too hard to even get started with, by walking through the journey I undertook to get the basics first, and later to focus on the security aspects.

    • Why What You Think You Know is Probably Wrong
    • Start From Here
    • If You Want to be Production Ready
    • What About Security?
      • Container Security
      • Threat Modelling Orchestrator Systems
      • Kubernetes Security

A curated list of (security) tools tailored for cloud native technologies.

    • Docker
    • Kubernetes
    • AWS
    • GCP
    • GIT

This post covers multiple deployment options for a Kubernetes lab suitable for security research.

    • Option 1 - Run Kubernetes Locally
      • Minikube vs Docker for Mac
      • Setup Minikube
      • Hello World with Minikube
    • Option 2 - Deploy a Deliberately Vulnerable Cluster
      • Run Kubernetes on a Vagrant VM
      • Run Insecure Configurations with Kind
    • Option 3 - Deploy a Multi-Node Production Ready Kubernetes Cluster
      • Setup Kubespray
      • Interact with the Cluster
      • Hello World with Kubespray
    • Option 4 - Deploy to Cloud
    • Option 5 - Deploy on Baremetal

Blog post summarising the outcome produced by three main initiatives which took up the challenge of threat modelling a Kubernetes cluster, so that anyone can use them as a starting point for their own (custom) threat modelling exercise.

    • NCC
      • External Attackers
      • Malicious Containers
      • Malicious/Compromised Users
    • CNCF
      • Main Attack Vectors
      • Attack Trees
    • Kubernetes Security Audit Working Group
      • Scope
      • Methodology

An attempt to help security professionals approach Kafka, by walking through the journey I undertook to get the basics first, and later to focus on the security aspects of it.

    • What is Kafka
      • A Special Mention to Zookeeper
      • Getting Some Hands-On Experience
    • What About Security?
      • Transport Layer Encryption
      • Authentication
      • Authorization
        • Authorization via ACLs
        • Authorization via OPA

My personal approach to deploying my own Kubernetes lab on baremetal, and on an Intel NUC in particular.

    • The Hardware
    • Install CoreOS
      • Prepare a Bootable USB
      • Prepare an Ignition Config
      • Install from Live USB
    • Install Kubernetes
      • Install Dependencies
      • Install the Cluster
      • Network Setup
    • Ingress Controllers and LoadBalancing on Baremetal
      • Install NGINX Controller
      • Install MetalLB
      • Install HAProxy
      • Testing
    • Volumes and Stateful Deployments
    • Automate the Setup

How to use Cloudflare Tunnel to connect my Intel NUC to the Cloudflare network, and Auditable Terminal to connect to it using nothing more than a browser.

    • The Environment: Kubernetes Lab on Baremetal
    • Access the Host
      • Create a Cloudflare Tunnel
      • Create a Zero Trust Policy
      • Configure Short-Lived Certificates
      • Run cloudflared as a Service
    • Access Kubernetes Services
    • Automate with Terraform