
This repository contains useful resources for preparing for and obtaining the CCSE (Certified Container Security Expert) certification from Practical DevSecOps.


Code-Triarii/ccse-ccsne-cks-cka-road-to-container-expert-trainings-security


📝 Road To Container - Security - Expert - CCSE - CCSNE - CKS


The main purpose of this repository is to be a guide for anyone interested in becoming a CONTAINER SECURITY EXPERT while learning all the basics from the container management perspective.

This project serves as preparation for the CCSE (Certified Container Security Expert) and CCSNE from Practical DevSecOps and the CKS (Certified Kubernetes Security) from the Linux Foundation, and overall as a way to get a good understanding of container management principles, security risks and hardening techniques.

What will you find here? Comprehensive coverage of container management and security strategies for container environments, including sample environment preparations, sample exercises, explanations, tips and more 💪

If you are learning about container security and aiming for the mentioned certifications, this is your place 🫶.


🏗️ Project structure

A quick tour of how the project is organized:

  • docs: contains the main .md files that document the project, as well as the images used when rendering the markdown.

  • environment: this folder includes the automated resources for setting up the environment required for the different exercises.

    • Docker: GitLab CE - Ansible playbook for setting up GitLab (including automatic registration of the runner) on Docker (using docker-compose). Useful for pipeline exercises.
    • Kubernetes: Kind - For quick testing and exercises on a local machine, only requiring Docker.
    • Kubernetes: Single Node Kubeadm - If you have a VM, just create a single-node cluster for testing. Prepared for Ubuntu 22.04. Other systems require minor tweaking (e.g. changing source references).

Important

For Kubernetes exercises, if you own an AWS account, you can leverage my own repository Creation of aws cluster with Docker-Ansible. This will spin up the infrastructure required for a kubeadm cluster from scratch in an AWS environment, creating all the associated infrastructure and configuring the nodes. You only need Docker and valid AWS credentials to execute it! It is prepared for several regions, including all eu-west, eu-south-2 and eu-central-1. The playbook has a simple entrypoint in Docker linked to two Ansible playbooks. After deployment, you can comment out the first one and use the second one to "reset" the cluster to its default state as many times as you want. Feel free to 'break' it without consequences.

  • modules: this folder contains the different exercises created for certification preparation, as well as specific topics developed in depth.

    • 00_set_docker_v2_registry: This module provides instructions to set up a Docker Registry V2 securely using self-signed certificates and configure the Docker daemon to trust this registry.
    • 01_docker_python_sdk: This module provides a Python script for Docker management, allowing listing all Docker images and containers, and running a new container with specific configurations using the Docker SDK for Python.
    • 02_interacting_with_API_server: This module provides exercises to interact with the API server, enhancing your understanding of API operations in a containerized environment.
    • 03_analyze_docker_sock: This module provides a deep dive into Docker socket analysis, helping you understand potential security risks and how to mitigate them.
    • 04_expose_docker_api_https: This module guides you through the process of exposing the Docker API over HTTPS, ensuring secure communication with the Docker daemon.
    • 06_deploy_and_configure_harbor: This module provides detailed instructions for deploying and configuring Harbor, a secure container image registry.
    • 07_sign_image_cosign: This module provides detailed instructions for implementing code-signing for Docker images using Cosign, enhancing the security of your container images.
    • 08_docker_image_encryption: This module provides a guide to encrypt Docker images, adding an extra layer of security to your containerized applications.
    • 09_static_analysis_of_images: This module provides instructions for conducting static analysis of Docker images using tools like Grype, Trivy, and Clair, helping you identify and mitigate vulnerabilities.
    • 10_checking_compliance_cis: This module provides a guide to audit Docker configurations to ensure compliance with the Center for Internet Security (CIS) Docker Benchmark using Docker-Bench.
    • 11_discovery_techniques: This module provides techniques to discover the attack surface of a container environment, in order to identify possible breaches and act on them to secure it.
    • 12_container_hacking_techniques: This module provides techniques to attack and exploit security misconfigurations in containerized environments.
  • theorical concepts: includes important theory that supports a good understanding of the foundations and of the practical exercises:

📍 Roadmap

  • Create automatic deployment of scenarios.
  • Include theory and useful tips.
  • Create a comprehensive guide with security measures for holistic container protection.
  • Complete the full CCSE path with scenarios and exercises, including documentation for each of them.
    • Set up Docker registry V2 securely.
    • Interact with the Docker API server using the Python Docker SDK.
    • Samples of interaction with the Docker daemon through the REST API.
    • How to configure the Docker daemon over HTTPS.
    • How to create a container from scratch.
    • Holistic container analysis.
  • Include Kubernetes theory.

See the open issues for a full list of proposed features (and known issues).


📎 Contributing

Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated 💹.

If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement".

  1. Fork the Project

  2. Create your Feature Branch

    git checkout -b feature/AmazingFeature

  3. Commit your Changes

    git commit -m 'Add some AmazingFeature'

  4. Push to the Branch

    git push origin feature/AmazingFeature

  5. Open a Pull Request


📃 License

Distributed under the Apache 2.0 License. See LICENSE for more information.


👥 Contact


As we always state, our main purpose is to keep learning, contributing to the community and finding ways to collaborate on interesting initiatives. Do not hesitate to contact us at codetriariism@gmail.com

If you are interested in our content creation, also check out our social media accounts. We have all sorts of training resources, blogs, hackathons, write-ups and more! Do not skip it, you will like it 😏 😏 😏 👍

Don't forget to give the project a star if you liked it! Thanks again! 🌟 💛


🔍 Acknowledgments

💯 💯 💯 For those who are curious about some of the resources or utilities, and to thank and give credit to their authors, we provide a list of the most interesting ones (in our understanding) 💯 💯 💯
