Kubernetes Primer for Security Professionals

A collection of resources and tutorials for security professionals who want to approach the Kubernetes ecosystem.

This is the high-level outline of the different sections:

An attempt to demystify the perception that Kubernetes is too hard to even get started with, by walking through the journey I undertook to get the basics first, and later to focus on the security aspects.

    • Why What You Think You Know is Probably Wrong
    • Start From Here
    • If You Want to be Production Ready
    • What About Security?
      1. Container Security
      2. Threat Modelling Orchestrator Systems
      3. Kubernetes Security

A curated list of (security) tools tailored for cloud native technologies.

    • Docker
    • Kubernetes
    • AWS
    • GCP
    • GIT

This post covers multiple deployment options for a Kubernetes lab suitable for security research.

    • Option 1 - Run Kubernetes Locally
      1. Minikube vs Docker for Mac
      2. Setup Minikube
      3. Hello World with Minikube
    • Option 2 - Deploy a Deliberately Vulnerable Cluster
      1. Run Kubernetes on a Vagrant VM
      2. Run Insecure Configurations with Kind
    • Option 3 - Deploy a Multi-Node Production Ready Kubernetes Cluster
      1. Setup Kubespray
      2. Interact with the Cluster
      3. Hello World with Kubespray
    • Option 4 - Deploy to Cloud
    • Option 5 - Deploy on Baremetal

Blog post summarising the outcome produced by three main initiatives which took on the challenge of threat modelling a Kubernetes cluster, so that anyone can use them as a starting point for their own (custom) threat modelling exercise.

    • NCC
      1. External Attackers
      2. Malicious Containers
      3. Malicious/Compromised Users
    • CNCF
      1. Main Attack Vectors
      2. Attack Trees
    • Kubernetes Security Audit Working Group
      1. Scope
      2. Methodology

An attempt to help security professionals approach Kafka, by walking through the journey I undertook to get the basics first, and later to focus on the security aspects of it.

    • What is Kafka
      1. A Special Mention to Zookeeper
      2. Getting Some Hands-On Experience
    • What About Security?
      1. Transport Layer Encryption
      2. Authentication
      3. Authorization
        1. Authorization via ACLs
        2. Authorization via OPA

My personal approach to deploying my own Kubernetes Lab on baremetal, and on an Intel NUC in particular.

    • The Hardware
    • Install CoreOS
      1. Prepare a Bootable USB
      2. Prepare an Ignition Config
      3. Install from Live USB
    • Install Kubernetes
      1. Install Dependencies
      2. Install the Cluster
      3. Network Setup
    • Ingress Controllers and LoadBalancing on Baremetal
      1. Install NGINX Controller
      2. Install MetalLB
      3. Install HAProxy
      4. Testing
    • Volumes and Stateful Deployments
    • Automate the Setup

How to use Cloudflare Tunnel to connect my Intel NUC to the Cloudflare network, and Auditable Terminal to connect to it using nothing more than a browser.

    • The Environment: Kubernetes Lab on Baremetal
    • Access the Host
      1. Create a Cloudflare Tunnel
      2. Create a Zero Trust Policy
      3. Configure Short-Lived Certificates
      4. Run cloudflared as a Service
    • Access Kubernetes Services
    • Automate with Terraform