The course will start by looking at Docker and how Linux containers work, covering the basics of using Docker and good security practices around creating Docker images.
We’ll also be covering fundamental Linux security concepts such as namespaces, cgroups, capabilities and seccomp, along with showing how to secure (or break into) container-based applications.
The course will then move on to the world of container orchestration and clustering, looking at how Kubernetes works and the security pitfalls that can leave the clusters and cloud-based environments which use containers exposed to attack.
The course has core modules which we’ll cover, as well as an array of bonus content which will be covered if there is time. The bonus modules focus on areas like Docker and Kubernetes security tooling and the details of prominent container security vulnerabilities and exploits, and also look at the world of Windows containers.
At the end of the two days we’ll have a range of systems to practice some of the skills learned during the course.
- Docker Basics – Review of basic Docker commands and how Docker handles networking.
- Creating Docker Images – Covering how to create Docker images with examples around security tool creation.
- Container Fundamentals – This delves into Linux container primitives, such as namespaces, cgroups, capabilities and seccomp filtering, essentially showing how container security is applied.
- Docker Security – This looks at primary security concerns around the use of Docker Engine, including common pitfalls and how to attack or mitigate them.
- Introduction to Kubernetes – Here we’ll cover the Kubernetes container orchestration platform and look at how it’s architected and composed. The goal is to familiarise students with how the platform operates so they can understand key areas of security concern/points of attack.
- Kubernetes Networking – The way that Kubernetes handles networking is an important concept to fully understand when looking at securing and attacking clusters. This module will look at some of the main ways this is approached and the underlying technologies used (e.g. iptables, eBPF).
- Kubernetes Basic Security – This module looks at three major threat models for Kubernetes clusters (external attackers, compromised containers, and malicious users) and walks through the likely attack paths that each would take, showing practical approaches to exploiting Kubernetes security weaknesses.
- Kubernetes Authentication & Authorization – This module looks at how Kubernetes handles Authentication and Authorization, focusing on some of the weak points and common pitfalls which could allow attackers to compromise a cluster.
- Kubernetes Policy Security – This will focus on some of the key policies which need to be implemented to have a secure cluster, covering Network Policies and Pod Security Policies. It will also look at some alternatives to the native Kubernetes options which are growing in popularity, such as OPA and k-rail.
- Kubernetes Ecosystem – There are a number of products which are very commonly deployed alongside Kubernetes (e.g. Helm, Prometheus). This module will look at common security weaknesses in these products and how to address them.
- Extras – Depending on how fast the students have been working through the day’s content, some extras can be covered, such as looking at the wider Docker ecosystem, alternative container runtimes, Windows containers, common Kubernetes security tools and Kubernetes vulnerabilities.
- CTF – At the end of the day’s materials a number of clusters with security vulnerabilities will be available for students to practice the attacks described during the course.
What You’ll Learn
This course is intended to help security practitioners and IT professionals get up to speed with containerization and to get hands-on experience of how to set up, defend and attack containerized environments.
However, it’s not just focused on the tools: it breaks containers down into their component elements and looks at their underpinnings, to help people understand how they operate, which should in turn help them secure them.
The course is designed to provide a logical progression from the basics of containerization and build up towards understanding how container orchestration systems work and where their security weaknesses and strengths lie.
Who Should Take This Course
This course is suitable for either offensive or defensive security professionals and can also work well for general IT professionals concerned about container security. The material focuses slightly more on the offensive side than defensive, but does cover key security concerns for securely operating containerized systems.
The course is quite hands-on, so it likely best suits attendees who will be directly using or attacking container-based systems.
What Students Should Bring
- A laptop with an SSH client installed on it. If students are using Windows, WSL or MobaXterm are easier to set up, but we can work with PuTTY.
- Awareness of how to use an SSH key for logging in to a remote host (we’ll provide the key during the course, but knowing how to configure the SSH client is useful).
- Ideally the laptop should have unrestricted Internet access without mandatory proxy servers or firewalls which restrict outbound access. We’ll be connecting to SSH hosts and some high ports on some machines hosted in AWS. If there is a mandatory proxy, we can probably work round it by adding the proxy’s external IP addresses to our white-list, but it’s easier if it can go direct.
- Knowledge of basic Linux command line utilities is useful, and knowing the basic shortcuts in a Linux editor (e.g. nano or vi) is handy (just things like save and exit).
What Students Will Be Provided With
Copies of all the course slides and handouts.
About The Trainer
Rory has worked in the Information and IT Security arena for the last 19 years in a variety of roles. These days he spends most of his work time on container, cloud and application security. He’s an active member of the UK information security community having delivered presentations at a variety of IT and Information security conferences. He has also presented at major containerization conferences and is an author of the CIS Benchmarks for Docker and Kubernetes and main author of NCC’s Mastering Container Security training.