Kubernetes security & hardening
01Security domains & threat modelThe six domains and what an attacker does with a foothold.12 min02Network policies & default-denySegment the cluster without breaking DNS.14 min03CIS benchmarks with kube-benchScore a node against the benchmark, then remediate.12 min04Ingress with TLSTerminate HTTPS and force redirect at the edge.12 min05Protect node metadata & verify binariesBlock the cloud metadata endpoint; checksum platform binaries.10 min
01Hardening the API server & kubeletanonymous-auth, authorization-mode, kubelet webhook.14 min02RBAC minimizationLeast privilege and the grants that are really escalation.14 min03Service accounts & tokensDisable automount; scope and bind narrowly.12 min04Restrict API access & upgrade oftenNodeRestriction, version currency, exposure.10 min
01Security contextsrunAsNonRoot, drop capabilities, no privilege escalation.12 min02Pod Security Standards & admissionBaseline, restricted, and OPA/Gatekeeper.14 min03Secrets & encryption at restEncrypt etcd; pull from external stores.14 min04mTLS & pod-to-pod encryptionIdentity and encryption between services.10 min05Sandboxed runtimes: gVisor & KataA kernel boundary for untrusted workloads.10 min
01Minimize the base imageDistroless, multi-stage, and footprint.10 min02Static analysis with KubesecScore manifests for risk before they ship.10 min03Scan images with TrivyReport everything, fail only on criticals.12 min04Sign, verify & allow registriesKeyless signing and verification at admission.14 min
Final exam
Test yourself on everything
61 questions drawn from all 6 sections — every answer explained as you pick.