Logo

Pentesting and Securing Docker, Swarm & Kubernetes Environments

Containerisation and orchestration have dramatically changed the way in which today’s technologies are deployed and managed. Attack and defence techniques require reinvention and security professionals must now acquire the necessary skills to competently protect these environments.

This training is designed for RedTeam and BlueTeam professionals who are looking for practical applied security knowledge on containerisation and orchestration from an offensive and defensive point of view. Black Box, Grey Box and White Box analysis are covered on Docker, Docker Swarm and Kubernetes. 

From the offensive side, attack techniques related to containers/pods compromising, exploitation, networking abuses, privileges escalation, persistence, lateral movement and node takeover among others will be explained. 
On the defensive side, it will be analysed the common security issues and a secure way of building docker images and YAML deployment files for Swarm and Kubernetes, the right implementation of RBAC access management and vulnerability scanners on files and CI/CD pipelines will also be presented with many other best practices.

This training can be extended up to four days to acquire a deeper knowledge of the technologies themselves.

Topics:

Docker and Kubernetes from scratch (optional)

Docker & Swarm:

  • Containers fundamentals
    • Containers vs Traditional Virtualization
    • Docker Engine Set-up for Windows, Linux and Mac OS
    • Docker Client
  • Containers management
    • Running multiple containers
    • Statuses
    • Interactive shell
    • Port publishing
    • DNS system
    • Communication between containers
    • Windows containers
  • Docker images
    • Dcker Hub
    • Dockerfile format & commands
    • Dockerfile builds
    • Docker registry
    • Images management
  • Orchestration
    • Docker Swarm & Services Concepts
    • Swarm Cluster deployment
  • Services management
    • Creation of services
    • From Docker Compose (test) to Swarm Stacks (prod)
    • Scaling out
    • Healthchecks
    • Updates & Rolling back
    • Services Placement
    • Monitoring
  • Networking
    • Docker Isolation, Host & Bridge networks
    • Swarm Overlay driver
    • Swarm Ingress network
    • Advanced Swarm networks management
  • Data storage
    • Named volumes
    • Bind mounts
    • Configs
    • Secrets
  • Docker Enterprise
    • Universal Control Plane (UCP)
    • Docker Trusted Registry (DTR)

Kubernetes:

  • Architecture & core components
  • Installation
    • Local installation
    • Cluster installation
  • Pods management
    • Running Simple Pods
    • Multi-Containers Pods
    • Static Pods
    • InitContainers
    • Deployments
    • ReplicaSets
    • DaemonSets
    • Rollouts
    • Rollbacks
    • Logging and Monitoring
    • Namespaces
  • Scheduling
    • Labels and Selectors
    • Taints and Tolerations
    • Node affinity
    • Resource limits
  • Networking
    • CoreDNS
    • Services configuration
    • Routing & Ingress networking
  • Data storage
    • ConfigMaps
    • Secrets
    • Persistent Volume and Persistent Volume Claims
    • Storage Classes
  • Cluster maintenance
    • Updates
    • Backup and Restoring

Attack and Defence on Docker and Kubernetes

Docker & Swarm attack and defence:

  • Docker black box analysis
    • Recognizing container environments
    • Container introspection: named/bind volumes, sensitive data and more
    • Scanning docker networks
    • Abusing docker networks defaults
    • Pivoting: compromising the whole docker environment
    • Sorting shell limitations
    • Abusing privileged containers
    • Abusing docker.sock exposure
    • Abusing Docker API exposure
    • Abusing Docker Registry API exposure
  • Docker white box analysis
    • Dockerfile inspection
    • Distroless and Multi-stage builds
    • USER command
    • Docker compose files inspection
  • Docker daemon and containers defence
    • Daemon rootless mode
    • Securing docker socket
    • Securing API communication
    • Kernel namespaces
    • Kernel capabilities
    • SystemCall restriction
    • Mandatory Access Control
    • UID & GID management
    • User-namespace remapping
    • Control Groups
  • Swarm black box analysis
    • Differences between Docker and Docker Swarm
    • Dump Swarm Secrets and Configs
    • Abusing Swarm networks features
    • Pivoting across containers in multi-services & escalated environments
    • Pivoting across different Swarm networks: from frontend to backend
    • Persistence: Creating backdoored services
  • Swarm white box analysis
    • Stack files inspection
    • Developing secure stack files
  • Swarm defence
    • Networks isolation
    • Network traffic encryption
    • Swarm secrets
    • Raft-logs key encryption

Kubernetes attack and defence:

  • Kubernetes black box analysis
    • Detecting kubernetes orchestration from inside containers
    • Container introspection: Persistent volumes, secrets, configmaps and more
    • Discovering & Scanning pods along the entire cluster
    • Pivoting across pods and namespaces
    • Abusing Service Account Token
    • Abusing Kube API exposed
    • Abusing Kubelet API exposed
  • Kubernetes grey box analysis
    • Cluster inspection
    • Services scanning
    • RBAC audit
    • Abusing impersonation
    • Token bruteforce
    • Backdoors and node takeover
  • Kubernetes white box analysis
    • YAML inspection
    • Kubernetes Secrets
    • RBAC inspection
  • Kubernetes defence
    • Securing kubernetes' components communication
    • API Authentication
    • API Authorization
    • Security Context and Policies
    • Network Policies
  • Other protection measures
    • Containers/Images vulnerability scanners
    • On-deploy vulnerability scanners
Duration: 2, 3 or 4 days (adaptable)