Kubernetes Primer for Security Professionals
An attempt to demystify the perception that Kubernetes is too hard to even get started with, by walking through the journey I undertook to learn the basics first, and later to focus on the security aspects.
This is the high-level outline of the different sections:
- Why What You Think You Know is Probably Wrong
- Start From Here
- If You Want to be Production Ready
- What About Security?
- Container Security
- Threat Modelling Orchestrator Systems
- Kubernetes Security
A curated list of (security) tools tailored for cloud native technologies.
- Docker
- Kubernetes
- AWS
- GCP
- GIT
This post covers multiple deployment options for a Kubernetes lab suitable for security research.
- Option 1 - Run Kubernetes Locally
- Minikube vs Docker for Mac
- Setup Minikube
- Hello World with Minikube
- Option 2 - Deploy a Deliberately Vulnerable Cluster
- Run Kubernetes on a Vagrant VM
- Run Insecure Configurations with Kind
- Option 3 - Deploy a Multi-Node Production Ready Kubernetes Cluster
- Setup Kubespray
- Interact with the Cluster
- Hello World with Kubespray
- Option 4 - Deploy to Cloud
- Option 5 - Deploy on Baremetal
Blog post summarising the outcomes of three main initiatives that took on the challenge of threat modelling a Kubernetes cluster, so that anyone can use them as a starting point for their own (custom) threat modelling exercise.
- NCC
- External Attackers
- Malicious Containers
- Malicious/Compromised Users
- CNCF
- Main Attack Vectors
- Attack Trees
- Kubernetes Security Audit Working Group
- Scope
- Methodology
An attempt to help security professionals approach Kafka, by walking through the journey I undertook to learn the basics first, and later to focus on its security aspects.
- What is Kafka
- A Special Mention to Zookeeper
- Getting Some Hands-On Experience
- What About Security?
- Transport Layer Encryption
- Authentication
- Authorization
- Authorization via ACLs
- Authorization via OPA
My personal approach to deploying my own Kubernetes lab on baremetal, and on an Intel NUC in particular.
- The Hardware
- Install CoreOS
- Prepare a Bootable USB
- Prepare an Ignition Config
- Install from Live USB
- Install Kubernetes
- Install Dependencies
- Install the Cluster
- Network Setup
- Ingress Controllers and LoadBalancing on Baremetal
- Install NGINX Controller
- Install MetalLB
- Install HAProxy
- Testing
- Volumes and Stateful Deployments
- Automate the Setup
How to use Cloudflare Tunnel to connect my Intel NUC to the Cloudflare network, and Auditable Terminal to connect to it using nothing more than a browser.
- The Environment: Kubernetes Lab on Baremetal
- Access the Host
- Create a Cloudflare Tunnel
- Create a Zero Trust Policy
- Configure Short-Lived Certificates
- Run cloudflared as a Service
- Access Kubernetes Services
- Automate with Terraform