From Zero to Hero: Pentesting and Securing Docker, Swarm & Kubernetes



Containerisation and orchestration have changed the way in which technologies

are deployed and managed today. Attack techniques and securitization

processes need to be reinvented, we are forced to learn new ways to audit and

protect this kind of environments.

This training is designed for RedTeam and BlueTeam professionals who are

looking for practical applied security knowledge on containerisation and

orchestration from an offensive and defensive point of view. Black Box, Grey Box

and White Box analysis are covered on Docker, Docker Swarm and Kubernetes.

From the offensive side, attack techniques related to containers/pods

compromising, exploitation, networking abuses, privileges escalation, persistence,  lateral movement and node takeover among others will be explained.

On the defensive side, common security issues and a secure way of building

docker images and YML deployment files for Swarm and Kubernetes will be

analyzed, the right implementation of RBAC access management will be

explained, and vulnerability scanners on files and CI/CD pipelines will be

presented with many other best practices.

Below the content that will be explained along the three-days training:

Course outline

DAY 1:

Docker & Swarm:


1.1. Containers vs Traditional Virtualization

1.2. Docker Engine Set-up

1.3. Docker Client

Containers Management:

2.1. Running Multiple Containers

2.2. Statuses

2.3. Interactive Shell

2.4. Port publishing

2.5. Communication Between Containers


3.1. DockerFile Format & Commands

3.2. DockerFile builds

3.3. Docker Registry

3.4. Image Labeling and History


4.1. Docker Swarm & Services Concepts

4.2. Swarm Cluster Deployment


5.1. Isolation, Host & Bridge

5.2. Overlay Driver

5.3. Ingress Network

Data Storage

6.1. Peristent Volumes

6.2. Bind Mounts

6.3. Storage Drivers


Architecture & Core Components:

7.1. K8s Cluster Infrastructure

7.2. ETCD

7.3. Kube-API

7.4. Kube Controller

7.5. Kube Scheduler

7.6. Kubelet

7.7. Kube Proxy


8.1. Local installation

8.1.a. Minikube

8.1.b. Alternatives

8.2. Cluster installation

8.2.a. Manual Components Deployment

8.2.b. Kubeadm

8.2.c. High Availability

Pods Management:

9.1. Simple Pods

9.2. Multi-Containers Pods

9.3. Deployments

9.3.a. Scheduling

9.3.b. ReplicaSets

9.3.c. Rollouts

9.3.d. Rollbacks

9.4. Namespaces


10.1. CoreDNS

10.2. Network Namespaces

10.3. Services Configuration

10.3.a. NodePort

10.3.b. ClusterIP

10.3.c. LoadBalancer

10.4. Routing & Ingress Networking

Data Storage:

11.1. ConfigMaps

11.2. Secrets

11.3. Volumes

DAY 2:

Docker Black Box Analysis:

12.1. Are we inside a container? Recognizing container environments

12.2. Container introspection: named/bind volumes, sensitive data, network

configuration and more

12.3. Do we have container neighbors? Scanning docker networks

12.4. Abusing docker networks defaults

12.5. Pivoting: compromising the whole docker environment

12.6. Sorting shell limitations

12.7. Abusing docker.sock exposure

12.7.a. Inspecting the cluster

12.7.b. Getting a shell inside other containers

12.7.c. Host takeover

12.7.d. Remote exploitation via HTTP

12.8. Persistence techniques

Docker White Box Analysis:

13.1. Inspecting Docker Images

13.1.a. Dockerfile format & commands

13.1.b. Common security issues in Dockerfile

13.1.c. Building secure images

13.1.d. Multi-stage builds

13.1.e. Distroless images

13.2. Inspecting multi-container deployment files

13.2.a. Docker Compose file structure

13.2.b. Common security issues in deployment files

Docker Containers & Daemon Defense:

14.1. Namespaces y Cgroups

14.2. User-namespace remapping

14.3. Rootless

14.4. Other protections

Swarm Black Box Analysis:

15.1. Differences between Docker and Docker Swarm environments from an

attacker viewpoint

15.2. Swarm secrets not too secret

15.3. Abusing Swarm networks features

15.3.a. Overlay driver and Ingress network

15.4. Pivoting across containers in multi-services & escalated environments

15.5. Pivoting across different Swarm networks: from frontend to backend

15.6. Persistence: Creating backdoored services

Swarm White Box Analysis:

16.1. Inspecting Stack deployment files

16.1.a. Stack files structure

16.1.b. Common security issues in Stack deployment files

Swarm Protections:

17.1. Raft-logs key encryption

17.2. Swarm communications encryption

17.3. UCP Security

17.4. Other protections

DAY 3:

Kubernetes Black Box Analysis:

18.1. Detecting K8s orchestration from inside containers

18.2. Container introspection: Persistent volumes, secrets, configmaps and


18.3. Discovering & Scanning pods along the entire cluster

18.4. Pivoting across pods and network namespaces

18.5. Abusing service account token

18.5.a. Privilege escalation: compromising the whole K8s cluster

18.6. Persistence techniques

Kubernetes Grey Box Analysis:

19.1. RBAC audit

19.2. Abusing misconfigurations

19.2.a. Information disclosure

19.2.b. Anonymous authentication

19.2.c. Secrets listing

19.2.d. Users impersonation

19.2.e Remote Code Execution

19.3. K8s nodes takeover

19.4. Vulnerability scanners (red-team oriented)

Kubernetes White Box Analysis:

20.1. Inspecting K8s YAML files

20.1.a. Configuration YAML structure

20.1.b. Common security issues in YAML files

20.1.c. RBAC YAML inspection

Kubernetes Defense:

21.1. Pods Security Policy

21.2. Network Security Policy

21.3. Access Management and Control Policy

21.4. Communication Encryption

Other Defense Measures:

22.1. Containers/Images vulnerability scanners

22.2. On-deploy vulnerability scanners

Why should people attend our course?

The evolution of our technological world developed the urgent need to deliver fast  and flexible changes over every existent application. Containerisation and

orchestration play a main character role over the technologies needed to keep up  product impact one step ahead competitors.

RedTeam and BlueTeam people need to learn and be up to date on the

techniques to test the security of Docker Swarm and Kubernetes environments, as  well as know the resources to keep them as safe as possible. The lack of  information towards the security of these topics represent a big threat over  nowadays infrastructure, it’s time to start discussing, evaluating and implementing  security techniques for this kind of environments.

3 takeaways students will learn:

• Understanding of how Docker, Swarm and Kubernetes work from local to

productive environments.

• Black, grey and white box analysis of Docker, Swarm and Kubernetes with

applied offensive techniques.

• Docker Swarm and Kubernetes securitization.

Lecture vs hands-on:

The time will be distributed on 20% lecture vs 80% hands-on. The focus of the

course will be mostly dedicated to the hands-on laboratories. The theory lessons  will be used to explain necessary concepts that will boost the practical exercises.

Hands-on labs

1. Docker Installation: ~30 minutes.

2. Docker Containers & Images: 1 hour.

3. Docker Swarm, Networking & Storage: 1hour.

4. Kubernetes Installation: ~30 minutes.

5. Kubernetes Pods Management: ~1 hour.

6. Kubernetes networking and data storage: ~1 hour.

7. Docker Black Box Analysis: ~ 2 hours.

8. Docker White Box Analysis: ~ 1 hour.

9. Swarm Black Box Analysis: ~ 2 hours.

10. Swarm White Box Analysis: ~ 1 hour.

11. Docker/Swarm Defense: ~1 hour.

12. Kubernetes Black Box Analysis: ~ 2 hours.

13. Kubernetes Grey Box Analysis: ~ 2 hours.

14. Kubernetes White Box Analysis: ~ 1 hour.

15. Kubernetes Defense: ~ 2 hour.

Keywords: Pentesting, Container Security, Orchestration Security, Docker,

Swarm, Kubernetes.

Who should take this course?

• Offensive security professionals

• Cloud security professionals

• Systems Architects

• Security Analysts

• Anyone interested in learning more about common issues over

containerisation, containers orchestrators and their security concerns

Student Requirements:

• Linux basics (including bash and filesystems)

• Networking basics

• Pentesting experience (wished, but not required)

What students should bring:

• Laptop with at least 8GB RAM and 40GB free disk space

• Admin/Root access on your laptop

• VirtualBox installed

What students will be provided by:

• Slides/lectures of the training

• YML files of all the exercises

• VM with test environment ready to deploy the exercises and make the


• 1 month of support from the trainers to complete all the exercises


Twitter handlers:

• Trainer 1: @UnaPibaGeek

• Trainer 2: @encodedwitch

• Company: @DreamlabGlobal


3 days

20, 21, 22 Sep

Buenos Aires


Early bird (Until March 31st)

USD 2500


Para realizar consultas sobre el training o alguno de sus beneficios, contacta a


Sheila A. Berta is an offensive security specialist who started at 12 years-old by

learning on her own. At the age of 15, she wrote her first book about Web Hacking,

published in several countries. Over the years, Sheila has discovered

vulnerabilities in popular web applications and software, as well as given courses

at universities and private institutes in Argentina. She specializes in offensive

techniques, reverse engineering and exploit writing and is also a developer in ASM

(MCU and MPU x86/x64), C/C++, Python and Golang. As an international speaker,

she has spoken at important security conferences such as Black Hat Briefings, DEF

CON, HITB, Ekoparty, IEEE ArgenCon and others. Sheila currently works as Head

of Research at Dreamlab Technologies.


Sol Ozzan has been a Developer, Software Architect, Security Analyst and

DevOps technologist for the past four years. She works as a Backend Developer

and Security Researcher at Dreamlab Technologies, her previous role was at one

of the biggest e-commerce in Latin America. Her technical background includes

development in Go, Python, Java, Ruby and Javascript. She has worked with

advanced CI/CD pipeline technologies including Jenkins, Docker, Kubernetes,

Ansible, AWS CodeDeploy and Terraform among others. Sol is a specialist in

container-based development and deployment, and has dealt with productive

environments that handle +30k distributed VMs with ~150k containers that host +2k

distributed services that are deployed +3k per day. When she’s not working she’s

volunteering organizing free security events and trainings for beginners, playing

Overwatch or listening to vinyl records.