Chapter 32 Further Reading: Container and Kubernetes Security

Essential Standards and Frameworks

CIS Kubernetes Benchmark

Center for Internet Security, https://www.cisecurity.org/benchmark/kubernetes

The authoritative benchmark for Kubernetes security configuration. Provides specific, actionable checks for control plane components, worker nodes, policies, and managed services. Every Kubernetes penetration test report should reference CIS controls. Updated regularly to reflect new Kubernetes versions.

NIST SP 800-190: Application Container Security Guide

National Institute of Standards and Technology, 2017. https://csrc.nist.gov/publications/detail/sp/800-190/final

The foundational NIST publication on container security. Covers image risks, registry risks, orchestrator risks, container risks, and host OS risks. While published in 2017, the core threat model remains highly relevant. Useful for framing findings in compliance-oriented engagements.

NSA/CISA Kubernetes Hardening Guide

National Security Agency and Cybersecurity & Infrastructure Security Agency, 2022. https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF

Joint guidance from NSA and CISA covering threat model, Kubernetes cluster hardening, authentication and authorization, network security, audit logging, and upgrade practices. Particularly useful for government and defense-sector engagements.

OWASP Kubernetes Security Cheat Sheet

OWASP Foundation, https://cheatsheetseries.owasp.org/cheatsheets/Kubernetes_Security_Cheat_Sheet.html

A concise, practical reference for Kubernetes security best practices. Covers RBAC, network policies, secrets management, pod security, and more. Ideal as a quick reference during assessments.

Books

Container Security by Liz Rice

O'Reilly Media, 2020. ISBN 978-1492056706

The definitive book on container security fundamentals. Liz Rice explains Linux primitives (namespaces, cgroups, capabilities) that underpin container isolation, making this essential reading for understanding why and how container escapes work. Accessible to both offensive and defensive practitioners.

Hacking Kubernetes by Andrew Martin and Michael Hausenblas

O'Reilly Media, 2021. ISBN 978-1492081739

Focused on offensive Kubernetes security with practical attack scenarios. Covers threat modeling, pod security, network security, supply chain, and runtime security. Includes hands-on examples that align well with penetration testing methodology.

Kubernetes Security and Observability by Brendan Creane and Amit Gupta

O'Reilly Media, 2021. ISBN 978-1098107109

Emphasizes the defensive perspective with deep coverage of network security, workload security, and observability. Particularly strong on Calico network policies and runtime monitoring. Useful for understanding the defensive tools you may encounter during assessments.

Cloud Native Security by Chris Binnie and Rory McCune

Wiley, 2021. ISBN 978-1119782236

Broader cloud-native security coverage including containers, Kubernetes, serverless, and CI/CD pipeline security. Provides good context for understanding how container security fits into the larger cloud security landscape.

Tools and Practical Resources

Kubernetes Goat

Madhu Akula, https://madhuakula.com/kubernetes-goat/

An intentionally vulnerable Kubernetes cluster with guided scenarios covering common misconfigurations and attack techniques. The best hands-on learning resource for Kubernetes penetration testing. Scenarios include SSRF, container escape, Docker-in-Docker exploitation, and more.

kube-hunter

Aqua Security, https://github.com/aquasecurity/kube-hunter

An open-source Kubernetes penetration testing tool that hunts for security weaknesses. Supports remote scanning, internal scanning from within the cluster, and active exploitation mode. Essential in every container penetration tester's toolkit.

CDK (Container Exploitation Toolkit)

CDK Team, https://github.com/cdk-team/CDK

An automated container penetration toolkit that detects container environments, evaluates escape vectors, and provides exploitation capabilities. Useful for rapid container security assessment.

Trivy

Aqua Security, https://github.com/aquasecurity/trivy

A comprehensive vulnerability scanner for container images, filesystems, Git repositories, and Kubernetes clusters. Scans for CVEs, misconfigurations, secrets, and license issues. Fast, accurate, and widely adopted.

Falco

The Falco Project (CNCF), https://falco.org/

A cloud-native runtime security project that detects anomalous behavior in containers and Kubernetes. Understanding Falco rules helps penetration testers anticipate what defenders may detect and tailor their techniques accordingly.

Research and Threat Intelligence

MITRE ATT&CK for Containers

MITRE Corporation, https://attack.mitre.org/matrices/enterprise/containers/

The MITRE ATT&CK framework's container-specific techniques. Maps real-world attacks to tactics and techniques, providing a structured approach to container threat modeling and assessment scoping.

Microsoft Threat Matrix for Kubernetes

Microsoft, https://microsoft.github.io/Threat-Matrix-for-Kubernetes/

A comprehensive mapping of Kubernetes-specific attack techniques organized by MITRE ATT&CK tactics. Covers initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, and impact.

Palo Alto Unit 42 Container Threat Reports

Palo Alto Networks, https://unit42.paloaltonetworks.com/

Regular research publications on container and cloud security incidents, vulnerability analyses, and threat trends. Their Azurescape research and container security reports are particularly relevant.

Sysdig Container Security and Usage Report

Sysdig (annual), https://sysdig.com/

Annual reports on container security trends with data from millions of containers. Provides useful statistics on misconfiguration prevalence, vulnerability distribution, and security tool adoption for benchmarking assessment findings.

Online Training and Labs

Certified Kubernetes Security Specialist (CKS) — Linux Foundation

https://training.linuxfoundation.org/certification/certified-kubernetes-security-specialist/

The CKS certification validates knowledge of Kubernetes security across cluster setup, cluster hardening, system hardening, minimizing microservice vulnerabilities, supply chain security, and monitoring, logging, and runtime security.

Attacking and Defending Kubernetes — SANS SEC540

https://www.sans.org/cyber-security-courses/cloud-security-and-devops-automation/

SANS course covering cloud security and DevSecOps with significant Kubernetes security content. Includes hands-on labs and aligns with the GIAC Cloud Security Automation (GCSA) certification.

Docker and Kubernetes Security — PentesterLab

https://pentesterlab.com/

PentesterLab offers progressive exercises on container security topics including Docker exploitation, Kubernetes misconfigurations, and cloud pivoting techniques.

Conferences and Community

KubeCon + CloudNativeCon

The primary conference for the cloud-native community. Security tracks cover new research, tools, and real-world incident analysis. Recordings are freely available on YouTube.

ContainerDays

European conference focused on container technologies with dedicated security tracks.

Cloud Native Security Conference (CloudNativeSecurityCon)

CNCF's dedicated security conference covering container and Kubernetes security research, tools, and practices.