Week 16: Security & Compliance
Theme: Security scanning, pod security standards, supply chain security, compliance frameworks.
Learning Objectives
- Implement Pod Security Standards (Baseline, Restricted)
- Set up container image signing with Cosign
- Implement admission controllers (OPA Gatekeeper or Kyverno)
- Understand compliance frameworks (PCI-DSS, SOC2, ISO 27001)
Reading Materials
- Pod Security Standards
- Pod Security Admission
- Cosign (Sigstore)
- OPA Gatekeeper
- Kyverno Policies
- SLSA Framework
- Docker Content Trust
Finger Exercises (choose 2)
- Apply a Pod Security Standard of "Restricted" to the prod namespace. Fix the Go app Deployment to comply.
- Sign a container image with Cosign (keyless mode). Verify the signature before deployment in CI.
- Write a Kyverno policy: deny images with
:latesttag. Only allow semver-tagged images.
Project
- Implement supply chain security:
- Sign all container images with Cosign (keyless via GitHub OIDC)
- Verify signatures in the CI pipeline before pushing
- Add SLSA provenance attestation
- Enforce Pod Security Standards:
prodnamespace: Restricted (enforce)stagingnamespace: Baseline (warn)devnamespace: Privileged (permissive)
- Write Kyverno policies:
- disallow-latest-tag: deny
:latestimage tags - require-readiness-probe: all Deployments must have readiness probes
- require-resource-limits: all containers must have CPU/memory limits
- disallow-host-network: deny
hostNetwork: true
- disallow-latest-tag: deny
- Audit compliance:
- Run
kubectl auditor use a compliance tool (e.g., kube-bench) - Generate a compliance report
- Document how the stack would map to PCI-DSS requirements (if needed)
- Run
Time Budget
| Activity | Time |
|---|---|
| Reading | 1.5 hrs |
| Finger exercises | 1.5 hrs |
| Project | 3 hrs |
| Total | 6 hrs |