
Portal | Level: L2: Operations | Topics: Security Scanning | Domain: Security

Security Skill Check

Rate yourself 0-2 on each item: 0 = never done, 1 = done with help, 2 = confident

Container & Image Security

  • Scan a container image with Trivy and interpret the output
  • Build a minimal image (distroless or scratch-based) for a Go/Python app
  • Pin image digests instead of tags in production manifests
  • Sign images with cosign and verify signatures
  • Set up admission control to block unsigned or vulnerable images

Pod Security

  • Configure runAsNonRoot, readOnlyRootFilesystem, drop ALL capabilities
  • Set allowPrivilegeEscalation: false on all containers
  • Apply Pod Security Standards (restricted) via namespace labels
  • Configure a seccomp profile (RuntimeDefault or custom)
  • Audit existing pods for security misconfigurations using kubectl/jq
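The audit in the last item, written as an added Python example rather than the kubectl/jq pipeline the checklist names (it is not part of the original page): it reads the JSON that `kubectl get pods -A -o json` emits and reports, per container, which of the settings listed above are missing, and also whether the image is referenced by digest rather than tag (the pinning item under Container & Image Security). The pod list embedded in the script is constructed by hand so the script runs offline; the registry host, pod names and digest are placeholders.

```python
"""Audit pods for the security-context settings in the checklist.

Added example for this page. Input is the JSON shape produced by
`kubectl get pods -A -o json`; the sample below is constructed so that
the script runs offline.
"""
import json

# Constructed sample (assumption: only the fields the checks read are filled in).
SAMPLE_POD_LIST = json.dumps({
    "items": [
        {
            "metadata": {"name": "web", "namespace": "prod"},
            "spec": {
                "securityContext": {"runAsNonRoot": True,
                                    "seccompProfile": {"type": "RuntimeDefault"}},
                "containers": [{
                    "name": "app",
                    "image": "registry.example.com/web@sha256:" + "a" * 64,
                    "securityContext": {
                        "allowPrivilegeEscalation": False,
                        "readOnlyRootFilesystem": True,
                        "capabilities": {"drop": ["ALL"]},
                    },
                }],
            },
        },
        {
            "metadata": {"name": "legacy", "namespace": "prod"},
            "spec": {
                "containers": [{
                    "name": "app",
                    "image": "registry.example.com/legacy:latest",
                    "securityContext": {"privileged": True},
                }],
            },
        },
    ]
})


def audit_container(pod_spec, container):
    """Return the checklist findings for one container.

    A container-level securityContext overrides the pod-level one for
    runAsNonRoot and seccompProfile, so both levels are consulted.
    """
    pod_sc = pod_spec.get("securityContext") or {}
    sc = container.get("securityContext") or {}
    findings = []
    if sc.get("privileged"):
        findings.append("privileged")
    if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        findings.append("runAsNonRoot not true")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append("readOnlyRootFilesystem not true")
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation not false")
    dropped = (sc.get("capabilities") or {}).get("drop") or []
    if "ALL" not in dropped:
        findings.append("capabilities do not drop ALL")
    seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
    if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
        findings.append("no seccomp profile (RuntimeDefault or Localhost)")
    if "@sha256:" not in container.get("image", ""):
        findings.append("image pinned by tag, not digest")
    return findings


def audit_pod_list(pod_list_json):
    """Map 'namespace/pod/container' -> list of findings for every container."""
    report = {}
    for pod in json.loads(pod_list_json)["items"]:
        meta, spec = pod["metadata"], pod["spec"]
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            key = f"{meta['namespace']}/{meta['name']}/{c['name']}"
            report[key] = audit_container(spec, c)
    return report


if __name__ == "__main__":
    # For a live cluster, replace SAMPLE_POD_LIST with sys.stdin.read():
    #   kubectl get pods -A -o json | python3 audit_pods.py
    for key, findings in audit_pod_list(SAMPLE_POD_LIST).items():
        print(f"{key}: {'OK' if not findings else '; '.join(findings)}")
```

An empty findings list means the container meets every setting on the list; the `legacy` pod in the sample trips all seven checks, which is what an unhardened legacy workload typically looks like before the restricted Pod Security Standard is applied.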

RBAC

  • Create a Role and RoleBinding scoped to a namespace
  • Create a ClusterRole for read-only cluster-wide access
  • Bind a ServiceAccount to a Role and test with kubectl auth can-i
  • Audit over-permissive roles (wildcards in verbs/resources)
  • Understand the difference between Role/ClusterRole and aggregated ClusterRoles
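The over-permissive-role audit from the fourth item, as an added Python example (not part of the original page): it walks the JSON that `kubectl get roles,clusterroles -A -o json` produces, flags any rule with a wildcard in apiGroups, resources or verbs, flags non-read-only access to secrets and RBAC objects, and marks aggregated ClusterRoles, whose `rules` are filled in by the controller from the labelled ClusterRoles they select (the fifth item). The role list is constructed inline; the role names and label key are placeholders.

```python
"""Flag over-permissive RBAC rules (wildcards and writes to sensitive resources).

Added example for this page. Input is the JSON shape produced by
`kubectl get roles,clusterroles -A -o json`; the sample is constructed.
"""
import json

# Constructed sample (assumption: only fields the checks read are present).
SAMPLE_ROLE_LIST = json.dumps({
    "items": [
        {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "dev"},
         "rules": [{"apiGroups": [""], "resources": ["pods"],
                    "verbs": ["get", "list", "watch"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "ops-admin"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"kind": "Role", "metadata": {"name": "secret-writer", "namespace": "dev"},
         "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "aggregate-view"},
         "aggregationRule": {"clusterRoleSelectors": [
             {"matchLabels": {"rbac.example.com/aggregate-to-view": "true"}}]},
         "rules": []},
    ]
})

READ_ONLY_VERBS = {"get", "list", "watch"}
SENSITIVE_RESOURCES = {"secrets", "roles", "rolebindings",
                       "clusterroles", "clusterrolebindings"}


def rule_findings(rule):
    """Findings for one PolicyRule."""
    findings = []
    for field in ("apiGroups", "resources", "verbs"):
        if "*" in rule.get(field, []):
            findings.append(f"wildcard in {field}")
    sensitive = set(rule.get("resources", [])) & SENSITIVE_RESOURCES
    if sensitive and set(rule.get("verbs", [])) - READ_ONLY_VERBS:
        findings.append("write access to " + ",".join(sorted(sensitive)))
    return findings


def audit_roles(role_list_json):
    """Map 'Kind/namespace/name' -> findings; cluster-scoped roles use '<cluster>'."""
    report = {}
    for role in json.loads(role_list_json)["items"]:
        meta = role["metadata"]
        key = f"{role['kind']}/{meta.get('namespace', '<cluster>')}/{meta['name']}"
        findings = []
        for idx, rule in enumerate(role.get("rules") or []):
            findings += [f"rule[{idx}]: {f}" for f in rule_findings(rule)]
        if role.get("aggregationRule"):
            # The API server computes .rules from the selected ClusterRoles,
            # so the effective permissions live in those objects.
            findings.append("aggregated ClusterRole: audit the ClusterRoles "
                            "matched by its clusterRoleSelectors")
        report[key] = findings
    return report


if __name__ == "__main__":
    # Live cluster: kubectl get roles,clusterroles -A -o json | python3 audit_rbac.py
    for key, findings in audit_roles(SAMPLE_ROLE_LIST).items():
        print(f"{key}: {'OK' if not findings else '; '.join(findings)}")
```

Pair the report with `kubectl auth can-i --as=system:serviceaccount:<ns>:<sa>` for the ServiceAccounts bound to any flagged role, since a wildcard rule is only as dangerous as the subjects that can use it.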

Network Security

  • Apply a default-deny NetworkPolicy for both ingress and egress
  • Write allow rules for specific service-to-service communication
  • Allow DNS egress (port 53 UDP) in policies
  • Test NetworkPolicy with a debug pod (curl, nc)
  • Understand CNI requirements for NetworkPolicy enforcement

Secrets & Credentials

  • Encrypt etcd secrets at rest with an EncryptionConfiguration
  • Use an external secret store (Vault, AWS Secrets Manager, ESO)
  • Rotate a Kubernetes secret and roll pods to pick up the change
  • Verify secrets are not logged or exposed via environment variables
  • Use short-lived credentials (IRSA, Workload Identity) instead of static keys

Audit & Compliance

  • Configure and read Kubernetes audit logs
  • Set up audit policy rules for sensitive resources (secrets, RBAC)
  • Run CIS Kubernetes Benchmark with kube-bench
  • Use Falco or similar runtime security monitoring
  • Respond to a CVE: identify affected images, patch, and redeploy

Supply Chain

  • Generate an SBOM for container images
  • Set up image vulnerability scanning in CI/CD
  • Use a private registry with access controls
  • Verify image provenance with SLSA or Sigstore
  • Ensure no package managers exist in production images

Scoring

Score   Level
0-12    Beginner — start with pod security context basics
13-24   Intermediate — focus on RBAC and NetworkPolicy
25-36   Advanced — implement supply chain security
37+     Expert — lead security reviews and incident response