Mastering Container Security

May 12, 13th


Containers and container orchestration platforms such as Kubernetes are on the rise throughout the IT world, but how do they really work and how can you attack or secure them?

The first take will look at key security concerns for Docker and other systems which make use of containerization.

We’ll also be covering fundamental Linux security concepts such as namespaces, cgroups, capabilities and seccomp, along with showing how to secure (or break into) container-based applications.

The course will then move on to the world of container orchestration and clustering, looking at how Kubernetes works and the security pitfalls that can leave the clusters and cloud-based environments which use containers exposed to attack.

The course has core modules which we’ll cover as well as an array of bonus content which will be covered if there is time. The bonus modules focus on areas like Docker and Kubernetes security tooling, the details of prominent container security vulnerabilities and exploits and also look at the world of Windows containers.

At the end of the two days we’ll have a range of systems to practice some of the skills learned during the course.

Course Syllabus

Day 1 - Docker & Kubernetes Basics

  • Docker Basics - Review of basic Docker commands and how Docker handles networking.
  • Creating Docker Images – Covering how to create Docker images with examples around security tool creation.
  • Container Fundamentals – This delves into Linux container primitives, such as namespaces, cgroups, capabilities and seccomp filtering, essentially showing how container security is applied.
  • Docker Security – This looks at primary security concerns around the use of Docker Engine, including common pitfalls and how to attack or mitigate them.
  • Introduction to Kubernetes – Here we’ll cover the Kubernetes container orchestration platform and look at how it’s architected and composed. The goal is to familiarise students with how the platform operates so they can understand key areas of security concern/points of attack.

Day 2 – Container Orchestration

  • Kubernetes Networking - The way that Kubernetes handles networking is an important concept to fully understand when looking at securing and attacking clusters. This module will look at some the main ways this is approached and the underlying technologies used (e.g. iptables, eBPF)
  • Kubernetes Basic Security – This module looks at three major threat models for Kubernetes clusters (external attackers, compromised containers, and malicious users) and walks through the likely attack paths that each would take, showing practical approaches to exploiting Kubernetes security weaknesses.
  • Kubernetes Authentication & Authorization - This module looks at how Kubernetes handles Authentication and Authorization, focusing on some of the weak points and common pitfalls which could allow attackers to compromise a cluster.
  • Kubernetes Policy Security - This will focuse on some of the key policies which need to be implemented to have a secure cluster, covering Network Policies and Pod Security Policies. It will also look at some alternatives to the native Kubernetes options which are growing in popularity, such as OPA and k-rail.
  • Kubernetes Ecosystem - There are a number of products which are very commonly deployed alongside Kubernetes (e.g. Helm, Prometheus, FluentD). This module will look at common security weaknesses in these products and how to address them. This module will also touch on some of the ways that service meshes like LinkerD and Istio are being used to secure Kubernetes deployments.
  • Extras – Depending on how fast the students have been working through the day’s content, some extras can be covered, such as looking at the wider Docker ecosystem, alternative container runtimes Windows containers, common Kubernetes security tools, Kubernetes vulnerabilities and Kubernetes vulnerabilities.
  • CTF - At the end of the day’s materials a number of clusters with security vulnerabilities will be available for students to practice the attacks described during the course.

Class Requirements

Students should have a laptop with an SSH client installed. The laptop should not have any corporate security software which restricts Internet access or forces use of a corporate proxy server for browsing.

Recommended setups are:

  • Linux
  • MacOS
  • Windows with WSL or MobaXTerm (Putty is possible but requires extra setup)


Rory McCune Principal Security Consultant, NCC Group

Rory has worked in the Information and IT Security arena for the last 19 years in a variety of roles. These days he spends most of his work time on container, cloud and application security. He's an active member of the UK information security community having delivered presentations at a variety of IT and Information security conferences. He has also presented at major containerization conferences and is an author of the CIS Benchmarks for Docker and Kubernetes and main author of NCC's Mastering Container Security training.

Return to training sessions