1. Introduction to CKS
2. Understanding the K8S attack surface
3. K8S Cluster setup & hardening
3.1 Benchmarking
3.2.1 CIS Benchmarks
3.2.2 OSCAP
3.2.3 Kube-bench
3.3. Kubernetes Security Authentication
3.3.1.1. User accounts
3.3.1.2. Service account
3.4. TLS
3.4.1. Intro to TLS in general
3.4.2. TLS in K8S
3.4.3. Managing certs in K8S
3.4.3.1. Creating certs
3.4.3.2. Viewing certs
3.5. Working with the Certs API
3.6. Managing Kubeconfig
3.7. API groups
3.8. Authorization
3.8.1. RBAC
3.8.2. Roles
3.8.3. ClusterRoles
3.8.4. RoleBindings
3.8.5. ClusterRoleBindings
3.9. Security Aspects for Kubelet
3.10. Security Aspects for Kube-proxy
3.11. Security aspects K8S container images and binaries
3.12. K8S versions
3.13. Cluster Upgrades
3.14. Securing CRE
3.14.1. Docker
3.14.2. Containerd
3.14.3. CRI-O
4. K8S Networking & Security
4.1. K8S networking revisited
4.2. K8S CNIs
4.3. K8S Default Network Policies
4.3.1. Network policies on L3
4.3.2. Network policies on L4
4.4. Cilium CNI Network Policies
4.4.1. Network policies on L3
4.4.2. Network policies on L4
4.4.3. Network policies on L7
4.5. Enhanced Network Policies on Calico
4.6. Network encryption
4.6.1. Network encryption with Calico
4.6.2. Network encryption with Cilium
4.7. K8S Ingress
4.7.1. Ingresses revisited
4.7.2. Nginx-ingress and annotations
4.7.3. Nginx-ingress and TLS
4.7.4. Nginx-ingress and Cert-manager
4.8. Traefik
4.9. Cilium Ingress
5. Hardening the OS of the nodes
5.1. K8S nodes and security aspects
5.2. Limiting node access
5.3. Hardening SSH
5.4. Privilege escalation in Linux
5.5. Node hardening tasks
5.5.1. Keeping the attack surface small
5.5.2. Restricting use of kernel modules
5.5.3. Firewalling on Linux
5.5.4. Minimize IAM roles
5.5.5. Minimize external access to the network
5.5.6. Syscalls in Linux
5.5.7. Tracee
5.5.8. Seccomp
5.5.9. AppArmor
5.5.10. SELinux
5.5.11. Linux Capabilities
6. Minimize Microservice Vulnerabilities
6.1. Working with Security Contexts
6.2. Admission Controllers
6.3. Pod Security Policies (PSP)
6.4. OPA - Open Policy Agent
6.5. OPA Gatekeeper
6.6. Managing K8S secrets
6.7. External secrets
6.8. K8S Container Sandboxing
6.8.1. gVisor
6.8.2. Kata containers
6.8.3. Runtime classes in K8S
6.9. About SSL and Mutual SSL
6.10. mTLS and Pod-to-Pod encryption
7. Supply Chain Security
7.1. Best practices in crafting and forging containers
7.2. Container image security
7.3. (External) registry control
7.4. Static analysis/scanning of container images
7.4.1. Trivy
7.4.2. Clair
7.4.3. Grype
7.4.4. Kubesec
8. Monitoring, logging and runtime security
8.1. Introduction
8.2. Analysis of syscall usage
8.3. Falco
8.4. Mutable or immutable container
8.5. Ensuring Runtime immutability of containers
8.6. K8S auditing