The main purpose of this repository is to be guiding for anyone interested in becoming a CONTAINER SECURITY EXPERT while learning all the bases from the container management perspective.
This project serves as a preparation for the CCSE (Certified Container Security Expert) and CCSNE from Practical DevSecOps and CKS (Certified Kubernetes Security) from Linux foundation
and overall to get a good understanding of container management principles, security risks and hardening techniques.
What will you find here?: Comprehensive coverage of container management and security strategies for container environments. For sure including sample environment preparations, sample exercises, explanations, tips and more 💪
If you are learning about container security and willing the mentioned certifications, this is your place 🫶.
A quick tour on how the project is organized here:
-
docs: contains the main .md files for documenting the project as well as the images used in the markdown for renderization. -
environment: this folder includes the different automatic resources for setting up the environment required for the different exercises.Docker: gitlab CE- Ansible playbook for setting up gitlab (including automatic registration of the runner) for docker (using docker-compose). Useful for pipeline exercises.Kubernetes:Kind- For quick testing and exercises in local machine only requiring docker.Kubernetes: Single Node Kubeadm- If you have a VM, just create a single node cluster for testing. Prepared for ubuntu 22.04. Other systems require minor tweaking (e.g. changing sources references.)
Important
For kubernetes exercises, if own an aws account, you can leverage my own repository Creation of aws cluster with Docker-Ansible. This will spin for you the required infrastructure for having a kubeadm cluster from scratch in aws environment, creating all the associated infrastructure and configuring the nodes. You will need only Docker and valid aws credentials to execute it! It is prepared for several regions covering including all eu-west, eu-south-2, eu-central-1. The playbook has a simple entrypoint in Docker linked to two ansible playbooks. After deployment, you can comment the first one and use the second one to "reset" to default state the cluster as many times as you want - Feel free to 'break' without consequences.
-
modules: this folder contains the different exercises created for preparation of certs as well as specific topis developed in depth.00_set_docker_v2_registry: This module provides instructions to set up a Docker Registry V2 securely using self-signed certificates and configure the Docker daemon to trust this registry.01_docker_python_sdk: This module provides a Python script for Docker management, allowing listing all Docker images and containers, and running a new container with specific configurations using the Docker SDK for Python.02_interacting_with_API_server: This module provides exercises to interact with the API server, enhancing your understanding of API operations in a containerized environment.03_analyze_docker_sock: This module provides a deep dive into Docker socket analysis, helping you understand potential security risks and how to mitigate them.04_expose_docker_api_https: This module guides you through the process of exposing the Docker API over HTTPS, ensuring secure communication with the Docker daemon.06_deploy_and_configure_harbor: This module provides detailed instructions for deploying and configuring Harbor, a secure container image registry.07_sign_image_cosign: This module provides detailed instructions for implementing code-signing for Docker images using Cosign, enhancing the security of your container images.08_docker_image_encryption: This module provides a guide to encrypt Docker images, adding an extra layer of security to your containerized applications.09_static_analysis_of_images: This module provides instructions for conducting static analysis of Docker images using tools like Grype, Trivy, and Clair, helping you identify and mitigate vulnerabilities.10_checking_compliance_cis: This module provides a guide to audit Docker configurations to ensure compliance with the Center for Internet Security (CIS) Docker Benchmark using Docker-Bench.11_discovery_techniques: This module provides techniques to discover the attack surface of a container environment to identify possible breaches and act upon to secure it.12_container_hacking_techniques: This module provides techniques to attack and exploit security missconfigurations in containerized environments.
-
theorical concepts: including important theory that supports the foundations understanding and good comprehension of the practical exercises:- Concepts - Explaining architecture, main objects, alternatives, issues, etc.
- Container Security In Depth - Targeting missconfigurations, security issues and how to address those.
- Auxiliary Commands and Tips - Helpers for agility executing tasks in containers environment for
DockerandKubernetes.
- Create automatic deployment of scenarios.
- Include theory and useful tips.
- Create comprehensive guide with security measures for holistic container protection.
- Complete the full CCSE path with scenarios and exercises including documentation for each of them.
- Set docker registry V2 securely.
- Interact with docker API server using python Docker SDK
- Samples of interaction with Docker daemon through API rest.
- How to configure Docker Daemon over HTTPS.
- How to create a container from scratch.
- Holistic container analysis.
- Include Kubernetes theory.
See the open issues for a full list of proposed features (and known issues).
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated 💹.
If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement".
-
Fork the Project
-
Create your Feature Branch
git checkout -b feature/AmazingFeature
-
Commit your Changes
git commit -m 'Add some AmazingFeature -
Push to the Branch
git push origin feature/AmazingFeature
-
Open a Pull Request
Distributed under the Apache 2.0 License. See LICENSE for more information.
As we always state, our main purpose is keep learning, contributing to the community and finding ways to collaborate in interesting initiatives.
Do not hesitate to contact us at [email protected]
If you are interested in our content creation, also check our social media accounts. We have all sorts of training resources, blogs, hackathons, write-ups and more! Do not skip it, you will like it 😏 😏 😏 👍
Don't forget to give the project a star if you liked it! Thanks again! 🌟 💛
💯 💯 💯 For those that are curious about some of the resources or utilities and for sure thanking and giving credit to authors, we provide you a list of the most interesting ones (in our understanding) 💯 💯 💯
- Practical DevSecOps - to Practical DevSecOps for the amazing learning journey.
- Linux Foundation - for their lovely explanations and content.
- ChatGPT 4 - for acceleratining the creation of scenarios and solutions.
- MITRE container attack matrix - for proving good insights about how to exploit and leverage applications vulnerabilities hosted in containers.
- Excalidraw - for creating amazing diagrams in minutes.
- Kubernetes Cheat Sheet - For quickly launching commands.
- AquaSec Blog
- OWASP Kubernetes Top 10 - for insightful instructions about Kubernetes security missconfigurations.
- Kubernetes the hard way - for the deep level understanding of all components set up and relationships beyond theory!