Kaiser Permanente SEC584 | October 2021

Online, Virtual Event Mon, Oct 4 - Wed, Oct 6, 2021

Welcome to SEC584: Cloud Native Security: Defending Containers and Kubernetes

Instructor: Andrew Martin | 18 CPEs

SEC584 will perform a deep dive into defending key infrastructure deployment components, focusing on containerization and orchestration exploits. Students will be thrust directly into detailed issues related to misconfiguration and known attack patterns and will learn how to properly harden and protect against these exploits.

What You Will Learn

Deploy Securely At The Speed Of Cloud Native

Cloud native infrastructure and service providers are enabling organizations to build and deliver modern systems faster than ever. The end-to-end toolchain supporting the systems includes managed services to create cloud infrastructure, store source code, build containers, and manage clusters. For information security professionals, the attack surface created by these modern systems can be difficult to defend and monitor. SEC584 explores Docker and Kubernetes, key components of the cloud native infrastructure stack, providing in-depth analysis of the attack surface, misconfigurations, attack patterns, and hardening steps. Students will gain hands-on experience building, exploring, and securing real-world modern systems through an offensive lens.

SEC584 starts by painting a portrait of the modern cloud-native infrastructure hosted in Google Cloud. After deploying cloud resources, students examine methods of compromise, walk through attack scenarios, and then shift their focus to defending and remediating infrastructure services. This includes hardening Kubernetes orchestrator and workload configuration, deploying security testing and monitoring software in pipelines and clusters, cryptographically signing images and build pipelines, and applying AppArmor and Seccomp profiles to containerized workloads.

The course then shifts its focus to defending a live Kubernetes deployment. After students identify several Kubernetes weaknesses, hands-on exercises attacking and remediating security and network policies and admission controllers will help them lock down the lab environment. Attacks and controls are threat-modeled to ensure they are applied correctly, tested out-of-band to ensure their efficacy, and applied at multiple stages throughout the pipeline to enhance engineers' productivity and feedback loops.


  • Understand why many cloud native services have evolved quickly and without security as a top consideration
  • Secure containerized applications and defend orchestration workloads
  • Leverage automated testing tools to perform security testing and harden your deployments


  • Use real-world exploits to target key application deployment components
  • Understand the risks involved in running cloud native infrastructure
  • Explore vulnerabilities to cloud native deployments through authentication, pipeline, and supply chain exploits
  • Exploit and then secure application deployments via Docker and Kubernetes
  • Determine how vulnerabilities are exploited and how defenses are designed

Course Syllabus

SEC584.1: Cloud Native Infrastructure


Section 1 covers the cloud native security model, threat model, and associated infrastructure security practices. This includes deploying and rooting Jenkins to gain remote code execution on a Google Cloud virtual machine to illustrate security considerations of container workloads, introducing and deploying our first Kubernetes cluster, and starting to learn how to defend it by attacking.


Cloud Account Setup

  • Create Google Cloud Platform (GCP) Project
  • Deploy Lab Infrastructure with Terraform

Deploy and Root Jenkins

  • Deploy Jenkins in a GCE Virtual Machine
  • Exploit a Remote Code Execution vulnerability in Jenkins
  • Steal Secrets from Docker
  • Break Out of the Jenkins Container
  • Root the GCE Virtual Machine

Kubernetes 101

  • Installing Kubernetes
  • Installing a Sample Application

Attacking Kubernetes

  • Port Scanning and Banner Detection
  • Gaining a foothold
  • Container escapes and Kubernetes pivots
  • etcd Exfiltration

What is Cloud Native Security

  • Introduction to Cloud Native Security
  • The Cloud Native Security Model

Modern Infrastructure Security Practices

  • Pipeline-Driven Security
  • Cloud Native Threat Model

Kubernetes 101

  • Introduction to Kubernetes
  • Kubernetes Attack Surface and Vulnerabilities

Attacking Kubernetes

  • Kubernetes Attack Surface

SEC584.2: Container Security and Exploitation


Section 2 covers concepts related to the containerization of applications, including the risks and benefits of deploying applications in containers. We look at Docker containers, examining how they are created, maintained, and deployed. Then we review the risks associated with deploying applications in Docker containers, and explore ways that Docker containers and CI/CD can be hardened and secured.


Container Security

  • Build Container Images
  • Prioritize Resources with cgroups
  • Isolate Using Namespaces

Container Image Security

  • Configure Docker, Kubernetes, GitHub, and Jenkins
  • Use distro-less Container Base Images
  • Lint Dockerfiles to Enforce Policy

Hardening Kubernetes

  • Admission Control
  • Pod Security Policies
  • Hardening Security Contexts
  • Finding Secrets

Securing the CI Pipeline

  • Securing the CI Server
  • Attacking Image Delivery and Registries

Container Security

  • DevSecOps and Containers
  • Attacking Containerized Workloads

Container Image Security

  • Building Docker Images Safely
  • Base Images and Patching

Hardening Kubernetes

  • Hardening the Orchestrator
  • Admission Control
  • Secure Secrets Management

Securing the CI Pipeline

  • Securing the CI Server
  • Attacking Image Delivery and Registries

SEC584.3: Moving to Kubernetes


Section 3 focuses further on attacking containerized applications, and protecting them with Kubernetes-native solutions. We look at the potential risks and vulnerabilities associated with Kubernetes workloads, as well as how we can secure them through automated scans, proper policy definitions, and continuous intrusion detection.


Defending Containerized Workloads

  • Investigate Filesystem Layers of a Container
  • Harden Applications with AppArmor Profiles
  • Block System Calls with seccomp

Policy and Controls

  • Admission controllers
  • Security Policies, Application Delivery, and Secrets Management
  • Cluster Compliance and CIS Benchmarks

Container Security Testing

  • Base image testing and management
  • Security test harnesses from dev to CI
  • Configuration testing

Attacking Image Delivery and Registries

  • Docker Trust Sandbox
  • Enabling Notary with Docker
  • Harbor and Notary

Attacking Containerized Workloads

  • Attacking Containerized Workloads
  • CVEs and Image Vulnerability Scanning

Policy and Controls

  • Kubernetes security boundaries
  • Security Testing Kubernetes and DevSecOps
  • Network Policy
  • Runtime Security and Intrusion Detection

Container Security Testing

  • Unit Testing Containers
  • Integration Testing Containers and Pods
  • Network Scanning

Attacking Image Delivery and Registries

  • Container Image Signing
  • Artefact Repository Security Considerations


SEC584 performs a deep dive into defending containerized workloads (Docker) and orchestrators (Kubernetes). Prerequisite courses or equivalent experience should include:

  • SEC540 Cloud Security and DevOps Automation (familiarization with DevOps automation, CI/CD tools and processes, and how containers are used to package software)
  • Experience with Linux command shell
  • Experience with Docker and Kubernetes
  • Familiarity with Google Cloud Platform (GCP)

For those looking to prepare ahead of time, check out the following resources:

Docker QuickStart: https://docs.docker.com/get-started/

Kubernetes Basics: https://kubernetes.io/docs/tutorials/kubernetes-basics/

Terraform Getting Started Guide: https://learn.hashicorp.com/terraform/getting-started/install

    Laptop Requirements

    Important! Bring your own system configured according to these instructions!

    A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

    Mandatory: Students must bring their own GCP account to complete the exercises. Please ensure that you have done the following before class starts:

    Google Cloud Platform

    1. Create a Google account.
    2. Sign up for a GCP free trial.


    A properly configured system is required for each student participating in this course. Before starting the course, carefully read and follow these instructions exactly:

    • Download and install VMware Workstation or VMware Fusion on your system prior to the start of the class.
    • If you own a licensed copy of VMware, make sure it is at least VMware Workstation Pro 15+ or VMware Fusion 11+.
    • If you do not own a licensed copy of VMware, download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

    Mandatory Host Hardware Requirements

    • CPU: 64-bit 2.5+ GHz multi-core processor or higher
    • BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
    • Hard Disk: Solid-State Drive (SSD) is MANDATORY with 50GB of free disk space minimum
    • Memory: 16GB of RAM or higher is mandatory for this class (IMPORTANT! 16GB of RAM is MANDATORY)
    • Working USB 2.0 or higher port
    • Wireless Ethernet 802.11 B/G/N/AC
    • Local Administrator Access within your host operating system

    Mandatory Host Operating System Requirements

    You must use a 64-bit laptop with one of the following operating systems, which have been verified to be compatible with the course VMware image:

    • Windows (8 or 10)
    • Mac OS X (Catalina, Mojave) Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.

    Mandatory Software Requirements

    Prior to class, ensure that the following software is installed on the host operating system:

    • VMware Workstation Pro 15+, VMware Fusion 11+
    • Zip File Utility (7Zip or the built-in operating system zip utility)

    In summary, before beginning the course you should:

    • Have a laptop with a solid-state drive (SSD), 16GB of RAM, and a 64-bit operating system
    • Install VMware (Workstation or Fusion)
    • Windows Only: Verify that the BIOS settings have the Intel VT virtualization extensions enabled
    • Register a NEW GCP free-tier account prior to the start of class at https://console.cloud.google.com/freetrial

    If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.