Skip to main content

Module 16: Production Architecture & Capstone

Build a production-grade cloud-native security platform combining all five pillars

5 hours. 1 hands-on lab. Free course module.

Learning Objectives

  • Design an end-to-end production security architecture
  • Deploy the complete cloud-native security stack
  • Implement all five pillars: identity, zero trust, policy, runtime, supply chain
  • Test with attack simulations and verify containment

Why This Matters

This capstone is your proof of competence. Building a complete security platform end-to-end demonstrates that you can architect, deploy, and operate production security infrastructure — not just follow tutorials. This is what you put on your resume, discuss in interviews, and present to your engineering leadership.

PRODUCTION CLOUD NATIVE SECURITY PLATFORMSPIRE Server (HA) + Controller ManagerKubernetes ClusterFrontend + EnvoymTLS + SVIDAPI + EnvoymTLS + SVIDDatabase + EnvoymTLS + SVIDAI Agent + EnvoymTLS + SVIDOPA GatekeeperFalco + TetragonVault (Secrets)Sigstore (Images)OpenTelemetry Collector + Prometheus + GrafanaSPIRE Agents (DaemonSet) + CSI DriverAll Five Pillars: Identity + Zero Trust + Policy + Runtime + Supply ChainProduction-grade. Battle-tested. Your reference architecture.
Architecture diagram for Module 16: Production Architecture & Capstone.

Lesson Content

This is the capstone. You will build a production-grade cloud-native security platform that combines everything from the previous 15 modules into one integrated architecture. By the end, you will have a complete reference implementation that you can adapt for your organization.

What You Will Build

  1. SPIRE (Identity): HA deployment with auto-registration and federation
  2. Envoy + Istio (Zero Trust): Transparent mTLS for all service communication
  3. OPA Gatekeeper + Kyverno (Policy): Admission control blocking insecure deployments
  4. Falco + Tetragon (Runtime): Real-time threat detection and enforcement
  5. Sigstore + SBOM (Supply Chain): Image signing and vulnerability tracking
  6. Vault (Secrets): Dynamic credentials with SPIFFE authentication
  7. OpenTelemetry + Grafana (Observability): Security dashboards and alerting

Architecture Decisions

Document your choices: trust domain naming schema, SPIFFE ID path convention, SVID TTL, policy enforcement mode, runtime detection rules, image signing workflow, monitoring thresholds, and incident response procedures.

Attack Simulation

After deployment, simulate attacks to verify your security controls work:

  • Deploy a rogue pod — verify it gets no SVID (identity layer)
  • Attempt unauthorized API access — verify OPA denies it (policy layer)
  • Spawn a shell in a container — verify Falco alerts (runtime layer)
  • Deploy an unsigned image — verify Gatekeeper rejects it (supply chain layer)
  • Access a service without mTLS — verify Envoy rejects it (zero trust layer)

What This Proves

When you complete this capstone, you can demonstrate: production-grade Kubernetes security, five-pillar defense in depth, attack simulation and containment, security observability and incident response, and architecture documentation for stakeholder review.

Real-World Use Cases

  • Building production-grade security platforms
  • Architecture design for security compliance
  • Attack simulation and penetration testing
  • Security architecture documentation for stakeholder review

Think Like an Engineer

  • How would you present this architecture to a CISO for approval?
  • What is the total compute overhead of the full security stack?
  • Which pillar would you deploy first for maximum security impact?
  • How would you measure the ROI of this security investment?

Production Story

A startup grew from 10 to 200 microservices in 18 months. At 50 services, they added SPIRE for workload identity. At 100, they added Envoy for mTLS. At 150, they added OPA for authorization. At 200, they added Falco for runtime detection. Each layer was deployed incrementally, validated independently, and integrated progressively. The full stack now catches security issues that no single tool could detect alone — from unauthorized access to runtime exploitation to supply chain compromise.

Career Relevance

Engineers who can architect complete security platforms — not just individual tools — are the most valuable security hires. This capstone proves you can design, deploy, and operate the full stack.

Key Terms

Defense in Depth
Multiple overlapping security layers so failure of one does not compromise the system
Blast Radius
The scope of damage a security incident can cause
Reference Architecture
Documented, tested architecture pattern for organizational adoption
Five Pillars
Identity, Zero Trust, Policy, Runtime, Supply Chain — complete cloud-native security

Hands-On Labs

  1. Capstone: Production Cloud Native Security Platform

    Deploy the complete security stack end-to-end.

    3 hours - Advanced

    • Create a Kind cluster with 3 worker nodes
    • Deploy SPIRE Server (HA) and Agents
    • Deploy application with Envoy sidecars and mTLS
    • Deploy OPA Gatekeeper + Kyverno policies
    • Deploy Falco + Tetragon for runtime detection
    • Configure Vault with SPIFFE authentication
    • Set up image signing with Cosign
    • Deploy OpenTelemetry + Prometheus + Grafana
    • Run attack simulations and verify containment
    • Document architecture decisions

    View lab files on GitHub

Key Takeaways

  • Five pillars working together: identity, zero trust, policy, runtime, supply chain
  • Each pillar catches threats the others miss — defense in depth
  • Attack simulation proves your controls work — do not assume
  • Document architecture decisions — they are your organizational security standard
  • This reference architecture is your template for production deployments