From Zero to Hero: Pentesting and Securing Docker, Swarm & Kubernetes
Containerisation and orchestration have changed the way technologies are
deployed and managed today. Attack techniques and hardening processes need to
be reinvented, and we are forced to learn new ways to audit and protect this
kind of environment.
This training is designed for RedTeam and BlueTeam professionals who are
looking for practical, applied security knowledge on containerisation and
orchestration from both an offensive and a defensive point of view. Black Box,
Grey Box and White Box analysis are covered for Docker, Docker Swarm and Kubernetes.
From the offensive side, attack techniques covering container/pod compromise,
exploitation, networking abuse, privilege escalation, persistence, lateral movement and node takeover, among others, will be explained.
On the defensive side, common security issues and a secure way of building
Docker images and YAML deployment files for Swarm and Kubernetes will be
analysed, the correct implementation of RBAC access management will be
explained, and vulnerability scanners for files and CI/CD pipelines will be
presented, along with many other best practices.
Below is the content covered over the three-day training:
Docker & Swarm:
1.1. Containers vs Traditional Virtualization
1.2. Docker Engine Set-up
1.3. Docker Client
2.1. Running Multiple Containers
2.3. Interactive Shell
2.4. Port publishing
2.5. Communication Between Containers
3.1. DockerFile Format & Commands
3.2. DockerFile builds
3.3. Docker Registry
3.4. Image Labeling and History
4.1. Docker Swarm & Services Concepts
4.2. Swarm Cluster Deployment
5.1. Isolation, Host & Bridge
5.2. Overlay Driver
5.3. Ingress Network
6.1. Persistent Volumes
6.2. Bind Mounts
6.3. Storage Drivers
Kubernetes Architecture & Core Components:
7.1. K8s Cluster Infrastructure
7.4. Kube Controller
7.5. Kube Scheduler
7.7. Kube Proxy
8.1. Local installation
8.2. Cluster installation
8.2.a. Manual Components Deployment
8.2.c. High Availability
9.1. Simple Pods
9.2. Multi-Containers Pods
10.2. Network Namespaces
10.3. Services Configuration
10.4. Routing & Ingress Networking
Docker Black Box Analysis:
12.1. Are we inside a container? Recognizing container environments
12.2. Container introspection: named/bind volumes, sensitive data, network
configuration and more
12.3. Do we have container neighbors? Scanning docker networks
12.4. Abusing docker networks defaults
12.5. Pivoting: compromising the whole docker environment
12.6. Working around shell limitations
12.7. Abusing docker.sock exposure
12.7.a. Inspecting the cluster
12.7.b. Getting a shell inside other containers
12.7.c. Host takeover
12.7.d. Remote exploitation via HTTP
12.8. Persistence techniques
Docker White Box Analysis:
13.1. Inspecting Docker Images
13.1.a. Dockerfile format & commands
13.1.b. Common security issues in Dockerfile
13.1.c. Building secure images
13.1.d. Multi-stage builds
13.1.e. Distroless images
13.2. Inspecting multi-container deployment files
13.2.a. Docker Compose file structure
13.2.b. Common security issues in deployment files
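As an added illustration of what 13.1.b to 13.1.e are about (this is not course material, just an example written for this page), the following Python script lints a Dockerfile for a few of the classic issues: an unpinned base image, a secret baked into an ENV layer, ADD used for a remote download, a download piped straight into a shell, and a final stage that still runs as root. It is run against a weak Dockerfile and a hardened multi-stage, distroless equivalent; both Dockerfiles and the `example.invalid` hostnames in them are constructed for the demonstration.

```python
"""Added example (not the course's own code): a minimal Dockerfile linter for
the issues the "common security issues in Dockerfile" topic covers. Both
Dockerfiles below are constructed; example.invalid is a placeholder host."""
import re

WEAK_DOCKERFILE = """\
FROM python
ENV DB_PASSWORD=hunter2
ADD https://example.invalid/installer.sh /tmp/installer.sh
RUN curl -sSL https://example.invalid/setup.sh | sh
COPY . /app
CMD ["python", "/app/main.py"]
"""

HARDENED_DOCKERFILE = """\
FROM python:3.12-slim AS build
COPY requirements.txt /tmp/requirements.txt
RUN pip install --no-cache-dir --target /opt/app -r /tmp/requirements.txt

FROM gcr.io/distroless/python3-debian12:nonroot
ENV PYTHONPATH=/opt/app
COPY --from=build /opt/app /opt/app
COPY --chown=nonroot:nonroot . /app
USER nonroot
CMD ["/app/main.py"]
"""

SECRET_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|da|a)?sh\b")


def parse_dockerfile(text):
    """Return (line_no, INSTRUCTION, arguments) tuples; joins backslash continuations."""
    instructions, pending, first = [], [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            if not line or line.startswith("#"):
                continue
            first = n
        if line.endswith("\\"):
            pending.append(line[:-1].strip())
            continue
        pending.append(line)
        inst, _, args = " ".join(pending).partition(" ")
        pending = []
        instructions.append((first, inst.upper(), args.strip()))
    return instructions


def _unpinned(image, stage_aliases):
    """True when the image has no tag or the 'latest' tag and is not digest-pinned."""
    if image.lower() in stage_aliases or image == "scratch" or "@sha256:" in image:
        return False
    tag = image.rsplit("/", 1)[-1].partition(":")[2]  # a colon after the last '/' starts the tag
    return tag in ("", "latest")


def lint_dockerfile(text):
    findings, stages, aliases = [], [], set()
    for n, inst, args in parse_dockerfile(text):
        if inst == "FROM":
            tokens = [t for t in args.split() if not t.startswith("--")]  # drop --platform=
            image = tokens[0]
            if _unpinned(image, aliases):
                findings.append(f"line {n}: FROM {image} is not pinned to a tag or digest")
            if len(tokens) >= 3 and tokens[1].upper() == "AS":
                aliases.add(tokens[2].lower())
            stages.append({"user": None})  # each FROM starts a new stage with USER reset
        elif inst == "USER" and stages:
            stages[-1]["user"] = args.split()[0].partition(":")[0]
        elif inst == "ADD":
            findings.append(f"line {n}: ADD used; prefer COPY (ADD fetches URLs and auto-extracts archives)")
        elif inst in ("ENV", "ARG"):
            # both KEY=value and the legacy 'ENV KEY value' form
            pairs = [t.split("=", 1) for t in args.split() if "=" in t] or [args.split(None, 1)]
            for pair in pairs:
                if len(pair) == 2 and pair[1] and SECRET_NAME.search(pair[0]):
                    findings.append(f"line {n}: {inst} {pair[0]} embeds a secret in the image layers")
        elif inst == "RUN" and PIPE_TO_SHELL.search(args):
            findings.append(f"line {n}: RUN pipes a download straight into a shell")
    if stages and (stages[-1]["user"] or "root") in ("root", "0"):
        findings.append("final stage runs as root (no USER, or USER root)")
    return findings


if __name__ == "__main__":
    for label, df in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"== {label} ==")
        for f in lint_dockerfile(df) or ["no findings"]:
            print(" ", f)
```

The hardened file passes every check: the build dependencies stay in the `build` stage, the runtime image is a tagged distroless base with no shell (which also defeats the `curl | sh` and interactive-shell tricks), and the final `USER nonroot` means a compromise of the process does not start as uid 0.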
Docker Containers & Daemon Defense:
14.1. Namespaces and Cgroups
14.2. User-namespace remapping
14.4. Other protections
Swarm Black Box Analysis:
15.1. Differences between Docker and Docker Swarm environments from an
15.2. Swarm secrets not too secret
15.3. Abusing Swarm networks features
15.3.a. Overlay driver and Ingress network
15.4. Pivoting across containers in multi-services & escalated environments
15.5. Pivoting across different Swarm networks: from frontend to backend
15.6. Persistence: Creating backdoored services
Swarm White Box Analysis:
16.1. Inspecting Stack deployment files
16.1.a. Stack files structure
16.1.b. Common security issues in Stack deployment files
17.1. Raft-logs key encryption
17.2. Swarm communications encryption
17.3. UCP Security
17.4. Other protections
Kubernetes Black Box Analysis:
18.1. Detecting K8s orchestration from inside containers
18.2. Container introspection: Persistent volumes, secrets, configmaps and
18.3. Discovering & Scanning pods along the entire cluster
18.4. Pivoting across pods and network namespaces
18.5. Abusing service account token
18.5.a. Privilege escalation: compromising the whole K8s cluster
18.6. Persistence techniques
Kubernetes Grey Box Analysis:
19.1. RBAC audit
19.2. Abusing misconfigurations
19.2.a. Information disclosure
19.2.b. Anonymous authentication
19.2.c. Secrets listing
19.2.d. Users impersonation
19.2.e. Remote Code Execution
19.3. K8s nodes takeover
19.4. Vulnerability scanners (red-team oriented)
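To make the grey-box RBAC audit of 19.1 and the misconfigurations listed under 19.2 and 19.3 concrete, here is an added example (written for this page, not taken from the course) that walks a set of Role/ClusterRole objects and reports the grants an attacker cares about: secrets reading, `pods/exec` (remote code execution), pod creation (a privileged pod on a chosen node), impersonation, token minting, and role/binding escalation. The roles are given as Python dicts in the shape a YAML or JSON loader produces, for instance from `kubectl get clusterroles,roles -A -o json`; all of them are constructed for the demonstration.

```python
"""Added example (not the course's own code): an RBAC audit over Role and
ClusterRole objects in parsed-YAML/JSON dict form. The roles are constructed."""

# (resources, verbs, finding): a rule matches when it grants any listed verb on any
# listed resource; a '*' in the rule's resources or verbs covers everything.
CHECKS = [
    ({"secrets"}, {"get", "list", "watch"}, "can read Secrets (tokens and credentials disclosure)"),
    ({"pods/exec", "pods/attach"}, {"create"}, "can exec/attach into pods (remote code execution)"),
    ({"pods"}, {"create", "update", "patch"}, "can create or modify pods (a privileged pod takes over its node)"),
    ({"users", "groups", "serviceaccounts"}, {"impersonate"}, "can impersonate users, groups or service accounts"),
    ({"serviceaccounts/token"}, {"create"}, "can mint tokens for other service accounts"),
    ({"roles", "clusterroles"}, {"bind", "escalate"}, "can bind or escalate roles beyond its own permissions"),
    ({"rolebindings", "clusterrolebindings"}, {"create", "update", "patch"}, "can grant roles through new bindings"),
    ({"nodes/proxy"}, {"get", "create"}, "can reach the kubelet API through the API server"),
]

# Constructed sample: what a dump of the cluster's roles might contain.
ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "ci-deployer"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/exec"], "verbs": ["create", "get", "list"]},
               {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "readonly", "namespace": "web"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "ops-impersonator"},
     "rules": [{"apiGroups": [""], "resources": ["users", "groups"], "verbs": ["impersonate"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "legacy-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "tls-reader", "namespace": "web"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "resourceNames": ["web-tls"], "verbs": ["get"]}]},
]


def _grants(rule_values, wanted):
    granted = {v.lower() for v in rule_values}
    return "*" in granted or bool(granted & wanted)


def role_ref(role):
    meta = role["metadata"]
    ns = meta.get("namespace")
    return f'{role["kind"]}/{ns}/{meta["name"]}' if ns else f'{role["kind"]}/{meta["name"]}'


def audit_role(role):
    findings = []
    for rule in role.get("rules", []):
        resources = rule.get("resources", [])  # nonResourceURLs rules have none and are skipped
        verbs = rule.get("verbs", [])
        if "*" in resources and "*" in verbs:
            findings.append("grants * on * (cluster-admin equivalent)")
            continue
        # 'get' narrowed by resourceNames only exposes the named objects; list/watch
        # are not narrowed that way, so a rule granting them still counts.
        scoped_get = bool(rule.get("resourceNames")) and not _grants(verbs, {"list", "watch"})
        for wanted_res, wanted_verbs, msg in CHECKS:
            if wanted_res == {"secrets"} and scoped_get:
                continue
            if _grants(resources, wanted_res) and _grants(verbs, wanted_verbs):
                findings.append(msg)
    return findings


def audit_roles(roles):
    """Return (role reference, finding) pairs for every role in the dump."""
    return [(role_ref(r), f) for r in roles for f in audit_role(r)]


if __name__ == "__main__":
    for ref, finding in audit_roles(ROLES):
        print(f"{ref}: {finding}")
```

Run against a real dump, the next step is to join each flagged role with its RoleBindings and ClusterRoleBindings: a dangerous ClusterRole that is bound to `system:unauthenticated` or to a default service account in a pod you already control is what turns an RBAC finding into the "compromising the whole K8s cluster" path of 18.5.a.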
Kubernetes White Box Analysis:
20.1. Inspecting K8s YAML files
20.1.a. Configuration YAML structure
20.1.b. Common security issues in YAML files
20.1.c. RBAC YAML inspection
21.1. Pod Security Policy
21.2. Network Security Policy
21.3. Access Management and Control Policy
21.4. Communication Encryption
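As an added example for the "common security issues in YAML files" topic of 20.1.b and the pod-level controls a Pod Security Policy enforces (21.1), the script below checks a pod specification for the settings that hand an attacker the node: host namespaces, privileged containers, dangerous added capabilities, sensitive hostPath mounts (including the Docker socket, which ties back to 12.7), a missing `runAsNonRoot`, an unpinned image, a writable root filesystem, missing resource limits and an auto-mounted service account token (18.5). It is not the course's code. Manifests are given as Python dicts, the form a YAML loader returns, so no YAML library is needed; both the weak Pod and the hardened Deployment are constructed, and the checker reads the pod template of workload objects as well as bare Pods.

```python
"""Added example (not the course's own code): a pod-spec checker for the
misconfigurations a Pod Security Policy is meant to block. Manifests are given
in parsed-YAML dict form and are constructed for this demonstration."""

DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN",
                  "NET_RAW", "DAC_READ_SEARCH", "SYS_RAWIO"}
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/proc", "/dev", "/var/run/docker.sock",
                        "/run/docker.sock", "/var/lib/kubelet", "/var/lib/docker"}

WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug-tools", "namespace": "default"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "tools", "image": "alpine",
            "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
            "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}],
        }],
    },
}

HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "api", "namespace": "web"},
    "spec": {
        "replicas": 2, "selector": {"matchLabels": {"app": "api"}},
        "template": {
            "metadata": {"labels": {"app": "api"}},
            "spec": {
                "automountServiceAccountToken": False,
                "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                                    "seccompProfile": {"type": "RuntimeDefault"}},
                "containers": [{
                    "name": "api", "image": "registry.example.invalid/api:1.4.2",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"]}},
                    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
                }],
            },
        },
    },
}


def pod_spec_of(obj):
    """Pod spec of a bare Pod or of a template-bearing workload (Deployment, DaemonSet, Job...)."""
    spec = obj.get("spec", {})
    return spec["template"]["spec"] if "template" in spec else spec


def check_pod(obj):
    name = f'{obj.get("kind", "Pod")}/{obj["metadata"]["name"]}'
    spec = pod_spec_of(obj)
    pod_sc = spec.get("securityContext", {})
    findings = []

    def flag(msg):
        findings.append(f"{name}: {msg}")

    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            flag(f"{key}: true shares the node's {key[4:].upper()} namespace")
    if spec.get("automountServiceAccountToken", True):
        flag("service account token is auto-mounted (set automountServiceAccountToken: false)")
    for vol in spec.get("volumes", []):
        hp = vol.get("hostPath")
        if hp:
            norm = hp.get("path", "").rstrip("/") or "/"
            sev = "node takeover" if norm in SENSITIVE_HOST_PATHS else "host filesystem exposure"
            flag(f"hostPath volume {vol['name']} mounts {hp.get('path')} ({sev})")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc, cname, image = c.get("securityContext", {}), c["name"], c.get("image", "")
        tag = image.rsplit("/", 1)[-1].partition(":")[2]
        if "@sha256:" not in image and tag in ("", "latest"):
            flag(f"{cname}: image {image} is not pinned to a tag or digest")
        if sc.get("privileged"):
            flag(f"{cname}: privileged: true (full access to host devices)")
        if sc.get("allowPrivilegeEscalation", True):
            flag(f"{cname}: allowPrivilegeEscalation is not false (setuid binaries can gain privileges)")
        # a container-level setting overrides the pod-level one
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            flag(f"{cname}: runAsNonRoot is not enforced")
        if not sc.get("readOnlyRootFilesystem"):
            flag(f"{cname}: root filesystem is writable")
        added = {cap.upper() for cap in sc.get("capabilities", {}).get("add", [])}
        if added & DANGEROUS_CAPS:
            flag(f"{cname}: adds dangerous capabilities {sorted(added & DANGEROUS_CAPS)}")
        if not c.get("resources", {}).get("limits"):
            flag(f"{cname}: no resource limits (denial of service against the node)")
    return findings


if __name__ == "__main__":
    for obj in (WEAK_POD, HARDENED_DEPLOYMENT):
        for f in check_pod(obj) or [f'{obj["kind"]}/{obj["metadata"]["name"]}: no findings']:
            print(f)
```

The weak pod is the classic "debug" pod that is really a node takeover: `hostPID` plus `privileged` lets it enter host processes' namespaces, and the mounted Docker socket lets it start any container on the node with any mount. The hardened Deployment fails none of the checks, which is the baseline a restrictive Pod Security Policy would enforce cluster-wide.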
Other Defense Measures:
22.1. Containers/Images vulnerability scanners
22.2. On-deploy vulnerability scanners
Why should people attend our course?
The evolution of our technological world has created an urgent need to deliver fast and flexible changes to every existing application. Containerisation and
orchestration play a leading role among the technologies needed to keep a product one step ahead of its competitors.
RedTeam and BlueTeam people need to learn and stay up to date on the
techniques for testing the security of Docker, Swarm and Kubernetes environments, as
well as the resources for keeping them as safe as possible. The lack of
information on the security of these topics represents a big threat to
today's infrastructure; it is time to start discussing, evaluating and implementing
security techniques for this kind of environment.
3 takeaways students will learn:
• Understanding of how Docker, Swarm and Kubernetes work from local to
• Black, grey and white box analysis of Docker, Swarm and Kubernetes with
applied offensive techniques.
• Securing Docker, Swarm and Kubernetes.
Lecture vs hands-on:
The time will be split roughly 20% lecture vs 80% hands-on. The focus of the
course is the hands-on laboratories; the theory lessons are used to explain the
concepts needed to get the most out of the practical exercises.
1. Docker Installation: ~30 minutes.
2. Docker Containers & Images: ~1 hour.
3. Docker Swarm, Networking & Storage: ~1 hour.
4. Kubernetes Installation: ~30 minutes.
5. Kubernetes Pods Management: ~1 hour.
6. Kubernetes Networking and Data Storage: ~1 hour.
7. Docker Black Box Analysis: ~2 hours.
8. Docker White Box Analysis: ~1 hour.
9. Swarm Black Box Analysis: ~2 hours.
10. Swarm White Box Analysis: ~1 hour.
11. Docker/Swarm Defense: ~1 hour.
12. Kubernetes Black Box Analysis: ~2 hours.
13. Kubernetes Grey Box Analysis: ~2 hours.
14. Kubernetes White Box Analysis: ~1 hour.
15. Kubernetes Defense: ~2 hours.
Keywords: Pentesting, Container Security, Orchestration Security, Docker,
Who should take this course?
• Offensive security professionals
• Cloud security professionals
• Systems Architects
• Security Analysts
• Anyone interested in learning more about common issues over
containerisation, containers orchestrators and their security concerns
Prerequisites:
• Linux basics (including bash and filesystems)
• Networking basics
• Pentesting experience (desirable, but not required)
What students should bring:
• Laptop with at least 8GB RAM and 40GB free disk space
• Admin/Root access on your laptop
• VirtualBox installed
What students will be provided with:
• Slides/lectures of the training
• YML files of all the exercises
• VM with test environment ready to deploy the exercises and make the
• 1 month of support from the trainers to complete all the exercises
• Trainer 1: @UnaPibaGeek
• Trainer 2: @encodedwitch
• Company: @DreamlabGlobal
Sheila A. Berta is an offensive security specialist who started at the age of 12 by
teaching herself. At 15, she wrote her first book about Web Hacking, which was
published in several countries. Over the years, Sheila has discovered
vulnerabilities in popular web applications and software, and has given courses
at universities and private institutes in Argentina. She specializes in offensive
techniques, reverse engineering and exploit writing, and is also a developer in ASM
(MCU and MPU x86/x64), C/C++, Python and Golang. As an international speaker,
she has presented at major security conferences such as Black Hat Briefings, DEF
CON, HITB, Ekoparty, IEEE ArgenCon and others. Sheila currently works as Head
of Research at Dreamlab Technologies.
Sol Ozzan has been a Developer, Software Architect, Security Analyst and
DevOps technologist for the past four years. She works as a Backend Developer
and Security Researcher at Dreamlab Technologies; her previous role was at one
of the biggest e-commerce companies in Latin America. Her technical background includes
advanced CI/CD pipeline technologies including Jenkins, Docker, Kubernetes,
Ansible, AWS CodeDeploy and Terraform, among others. Sol is a specialist in
container-based development and deployment, and has dealt with production
environments of more than 30k distributed VMs running ~150k containers that host over 2k
distributed services with more than 3k deployments per day. When she's not working she
volunteers organizing free security events and trainings for beginners, plays
Overwatch or listens to vinyl records.