Intermediate-Advanced|24 hours|40 lessons

Kubernetes Security for DevOps Engineers

A scenario-driven course that teaches Kubernetes security through real attack paths and defense architectures. Covers the Kubernetes API, RBAC, threat modeling with STRIDE, network policies, runtime security, and compliance, all through the lens of real breaches and FAANG-level interview questions.

Text-based, no videos

8 modules, 40 lessons

Lifetime access

What you'll learn

The Kubernetes API end to end: how kubectl translates to API calls, the request lifecycle, and why etcd is the highest-value target

Authentication and authorization deep dive: RBAC patterns, ServiceAccount tokens, OIDC, and the three security gates every request passes through

Threat modeling with STRIDE: spoofing, tampering, repudiation, info disclosure, denial of service, and privilege escalation in K8s context

Pod Security Standards and admission control: from Privileged to Restricted, OPA Gatekeeper, Kyverno, and migrating without breaking production

Network security from L3 to L7: NetworkPolicies, service mesh mTLS, ingress hardening, DNS exfiltration, and egress control

Image supply chain, secrets management, and runtime security: Trivy, cosign, External Secrets, Falco, Tetragon

CI/CD pipeline security: GitOps as a security pattern, OIDC federation, shift-left scanning, change control

Auditing, compliance, incident response: K8s audit policy, CIS benchmarks, SOC 2, and the IR playbook for compromised pods

Zero trust architecture for K8s and the full security-focused system design walkthrough

Curriculum

8 modules · 40 lessons

The Kubernetes API: Understanding the Control Plane

What the API actually is, how requests flow through the security gates, and why etcd is the highest-value target.

5 lessons

Introduction to the Kubernetes API30 minFREE The API Server: Architecture and Security Surface35 minFREE API Groups, CRUD, and Versioning30 minFREE Inspecting and Exploring the API30 minFREE etcd: Where All State Lives35 minFREE

API Security, Authentication, and RBAC

The three security gates (authn, authz, admission), RBAC patterns, ServiceAccount tokens, and multi-tenancy.

6 lessons

API Security Big Picture30 min Authentication: Proving Who You Are40 min Authorization (RBAC) Deep Dive45 min Cluster Users, ServiceAccounts, and Permissions40 min Admission Control: The Policy Gateway40 min Multi-Tenancy Security: Shared Clusters, Isolated Workloads40 min

Threat Modeling Kubernetes: The STRIDE Framework

Spoofing, tampering, repudiation, information disclosure, denial of service, and privilege escalation in Kubernetes context.

8 lessons

Introduction to Threat Modeling35 min Spoofing: Impersonating Identities35 min Tampering: Modifying Resources Maliciously35 min Repudiation: Hiding Your Tracks35 min Information Disclosure: Leaking Sensitive Data35 min Denial-of-Service: Bringing Down the Cluster40 min Elevation of Privilege: Becoming Root45 min Protecting Pods and Pod Security Admission40 min

Network Security: Controlling Traffic Flow

NetworkPolicies, service mesh mTLS, ingress hardening, DNS exfiltration, and egress control.

5 lessons

Network Policies: Default Deny and Beyond45 min Service Mesh Security: mTLS and L7 Policies40 min Ingress Security: The Edge40 min DNS Security: The Overlooked Attack Vector35 min Egress Control: What Leaves the Cluster40 min

Workload and Image Security

Image supply chain, image promotion, workload isolation, secrets management, and runtime threat detection.

5 lessons

Image Security and Supply Chain45 min Moving Images From Non-Production to Production35 min Workload Isolation: Defense in Depth for Running Containers45 min Secrets Management: Beyond Kubernetes Secrets40 min Runtime Security: Detecting Live Threats40 min

CI/CD Pipeline Security

Pipeline credential scoping, GitOps as a security pattern, shift-left scanning, and deployment safety controls.

4 lessons

Securing the CI/CD Pipeline for Kubernetes40 min GitOps as a Security Pattern35 min Pipeline Scanning: Shift Left Security40 min Change Control and Deployment Safety35 min

Auditing, Compliance, and Incident Response

K8s audit policy, security monitoring, CIS / NIST / PCI-DSS compliance, and the IR playbook for compromised pods.

4 lessons

Audit Logging: Who Did What and When40 min Auditing and Security Monitoring40 min Compliance Frameworks: CIS, NIST, PCI-DSS on Kubernetes45 min Incident Response in Kubernetes45 min

Security Architecture and Capstone

Zero trust in Kubernetes, securing managed K8s (EKS, GKE, AKS), and a full security-focused system design walkthrough.

3 lessons

Zero Trust Architecture in Kubernetes45 min Securing Managed Kubernetes (EKS, GKE, AKS)40 min Capstone: Design a Secure Kubernetes Platform60 min

About the Author

Sharon Sahadevan

AI Infrastructure Engineer

Building production GPU clusters on Kubernetes. H100s, large-scale model serving, and end-to-end ML infrastructure across Azure and AWS.

10+ years designing cloud-native platforms with deep expertise in Kubernetes orchestration, GitOps (Argo CD), Terraform, and MLOps pipelines for LLM deployment.

Author of KubeNatives, a weekly newsletter read by 3,000+ DevOps and ML engineers for production insights on K8s internals, GPU scheduling, and model-serving patterns.

Ready to master this topic?

Start with the free preview lesson and see for yourself.