Kubernetes Security Study Plan
This page is updated based on jassics/security-study-plan/kubernetes-security-study-plan
This study plan is based on milestones. Check how much you can cover within the timeline - the more topics you cover, the better a candidate you are for roles requiring solid Kubernetes/orchestration security knowledge. Also, I assume you have already checked and are comfortable with the Common Security Skills study plan.
Kubernetes Security builds on Docker/container security and cloud security. You need to understand how Kubernetes works, how workloads are deployed and exposed, and what controls exist at cluster, namespace, and workload levels.
It leans more toward:
- Securing clusters and control-plane access
- Defining secure defaults for workloads (namespaces, RBAC, network policies)
- Integrating Kubernetes security checks into DevSecOps pipelines
- Working with platform/SRE teams to keep clusters hardened
It usually takes 6-10 weeks to be comfortable with Kubernetes Security fundamentals, assuming you already know basic Docker and some Kubernetes usage.
In Short
- Kubernetes Security is not just enabling a few network policies.
- Think multi-layer defense: cluster, namespace, workload, network, and supply chain.
- You should be comfortable with basic Kubernetes concepts (pods, deployments, services, ingress, configmaps, secrets).
- You should understand how containers/images are built and scanned - see the Docker Security Study Plan.
- You should know how Kubernetes fits into DevSecOps and cloud-native security.
ToC
- Kubernetes Fundamentals for Security - 1-2 weeks
- Cluster Hardening - 1-2 weeks
- Workload Security - 1-2 weeks
- Network Policies and Multi-Tenancy - 1-2 weeks
- Supply Chain and Runtime Security - 1-2 weeks
- Resources
- Interview Questions
Kubernetes Fundamentals for Security
Duration: 1-2 weeks
Be comfortable with how Kubernetes works before securing it. See this site's own Kubernetes guide alongside this section.
Week 1-2: Core Concepts
- Architecture: Control Plane (API Server, etcd, Scheduler, Controller Manager) vs Worker Nodes (Kubelet, kube-proxy, container runtime)
- Objects: Pods, Deployments, Services, ConfigMaps, Secrets, Namespaces
- Networking: CNI basics, pod-to-pod communication, service discovery
- Map where security decisions are made: who can talk to the API server (authN/RBAC), which nodes run which workloads, how traffic flows in/out of the cluster
- Practice: set up a cluster with
kindorminikubeand deploy a simple app
Cluster Hardening
Duration: 1-2 weeks
Securing the infrastructure itself.
Week 3-4: Hardening the Cluster
- CIS Benchmarks: understand and apply the CIS Kubernetes Benchmark
- API Server Security: disable anonymous access, enable audit logging, restrict access to etcd
- RBAC: Roles vs ClusterRoles, Bindings, principle of least privilege
- Node Security: OS hardening, kubelet security configuration
Workload Security
Duration: 1-2 weeks
Securing what runs inside the cluster.
Week 5-6: Securing Pods & Deployments
- Pod Security Standards (PSS): Privileged, Baseline, Restricted profiles
- Security Context:
runAsUser,runAsGroup,readOnlyRootFilesystem,allowPrivilegeEscalation: false - Secrets management: Kubernetes Secrets (encryption at rest), external secret stores (Vault, AWS Secrets Manager)
Network Policies and Multi-Tenancy
Duration: 1-2 weeks
Kubernetes networking is a big part of securing workloads.
- Basic network model: pod-to-pod and pod-to-service communication, ingress controllers and load balancers
- Network Policies: deny-by-default vs allow-by-default; writing simple network policies to restrict traffic
- Multi-tenancy: combining namespaces, network policies, and RBAC for isolation; multi-tenant cluster vs dedicated clusters
Supply Chain and Runtime Security
Duration: 1-2 weeks
Connects Kubernetes Security with Docker Security and DevSecOps.
Week 7-8: Advanced Topics
- Admission controllers: validating and mutating webhooks; policy engines (OPA Gatekeeper, Kyverno)
- Supply chain: image registries and allowed registries, image scanning before deployment, image signing (Cosign)
- Runtime security: detecting anomalies (Falco), sandboxed containers (gVisor, Kata Containers) if needed
- Cross-link to other plans: Docker Security Study Plan, DevSecOps Study Plan, relevant cloud security study plans if running managed Kubernetes (EKS/AKS/GKE)
Resources
Certifications: Kubernetes-related certifications that cover security (CKA/CKS and similar), or cloud security/cloud-native certifications where Kubernetes is a major component.
Interview Questions
Reuse questions from Docker Security, DevSecOps, and cloud security, but focus on Kubernetes specifics:
- How would you secure access to a Kubernetes cluster for multiple teams?
- How would you restrict which services/pods can talk to each other?
- What are the risks of running privileged containers, and how do you prevent it?
- How would you ensure only trusted images are deployed in a cluster?
Practice next: this site's Kubernetes Security guide, and jassics/security-study-plan for the latest updates to this plan.