Module 3: Containers & Workload Security Slides
Slide walkthrough for Module 3 of Cloud Native Security Engineering: Securing Kubernetes, Workloads, APIs & Zero Trust Systems: Hardening containers from...
This slide page is the visual review companion for the full course module. Use it to recap the architecture, examples, exercises, production warnings, and takeaways after reading the lesson.
Slide Outline
- Containers & Workload Security - Hardening containers from image build to runtime with Pod Security Standards, seccomp, and distroless images
- Learning Objectives - 4 outcomes for this module
- Why This Module Matters - Container escapes are the most impactful Kubernetes attacks — breaking out of a container gives the attacker access to t
- Linux Container Isolation Primitives - Lesson section from the full module
- Secure Container Image Patterns - Lesson section from the full module
- Pod Security Standards - Lesson section from the full module
- Real-World Use Cases - Hardening container images for production, Implementing Pod Security Standards cluster-wide
- Common Mistakes to Avoid - 5 mistakes covered
- Production Notes - 2 practical notes
- Security Risks to Watch - 3 risks covered
- Hands-On Labs - 3 hands-on labs
- Key Takeaways - 5 points to remember
Learning Objectives
- Understand Linux container isolation primitives (namespaces, cgroups)
- Build secure container images with distroless and rootless patterns
- Configure Pod Security Standards for cluster-wide enforcement
- Implement seccomp and capabilities restrictions
Why This Module Matters
Container escapes are the most impactful Kubernetes attacks — breaking out of a container gives the attacker access to the node and potentially the entire cluster. Proper container hardening is the first line of defense and the most frequently misconfigured.
Production Notes
- Use distroless or scratch base images for all production workloads. A container with no shell cannot be used for interactive exploitation.
- Apply the restricted Pod Security Standard to all production namespaces. Use warn mode first to identify non-compliant workloads before enforcing.
Common Mistakes
- Running containers as root (the default in most base images)
- Using ubuntu or alpine base images that include shells and package managers
- Not dropping ALL capabilities and adding back only what is needed
- Setting privileged: true "just to make it work" and never removing it
- Not enforcing Pod Security Standards on production namespaces
Key Takeaways
- Containers share the host kernel — isolation depends on namespaces, cgroups, seccomp
- Distroless images eliminate shells and tools, drastically reducing attack surface
- Pod Security Standards enforce container hardening at the namespace level
- Never run containers as root or with privileged: true in production
- Seccomp profiles block dangerous syscalls — always enable the default profile
Hands-On Labs
-
Harden an Insecure Container
Transform an insecure Dockerfile into a hardened production image.
30 min - Beginner
- Start with a vulnerable Dockerfile (root, full OS, unnecessary tools)
- Rebuild with distroless base image
- Add non-root user and read-only filesystem
- Compare image sizes and attack surfaces
-
Configure Pod Security Standards
Enforce container hardening at the namespace level.
25 min - Beginner
- Label a namespace with restricted Pod Security Standard
- Deploy a compliant pod (succeeds)
- Deploy a non-compliant pod with hostPID (rejected)
- Review audit logs for policy violations
-
Container Escape Demonstration
Understand how misconfigurations enable container escape.
30 min - Intermediate
- Deploy a privileged container with hostPID
- Access host processes from inside the container
- Read host filesystem via /proc/1/root
- Fix the configuration and verify isolation is restored