About the course
This intensive two-day course is specifically designed for developers who need to build, deploy, and manage applications on Azure Kubernetes Service (AKS) with a "security-first" mindset. While we assume limited prior Kubernetes knowledge, we dive deep into the specific Azure features that turn a standard cluster into an enterprise-grade, secure environment.
The program focuses on the practical implementation of Identity, Secrets Management, and Private Networking. You will move beyond simple deployments to master Entra Workload Identity, secure your images in a Private Azure Container Registry, and integrate Azure Key Vault directly into your AKS pods. By the end of this course, you will understand how to leverage the full Azure security stack to protect your code, your data, and your cluster.
Instructor-led online and in-house face-to-face options are available - as part of a wider customised training programme, or as a standalone workshop, on-site at your offices or at one of many flexible meeting spaces in the UK and around the world.
-
By the end of this course, attendees will be able to:
- Implement Modern Identity: Configure and use Entra Workload Identity to allow pods to access Azure resources without managing secrets.
- Master Secrets Management: Integrate Azure Key Vault with AKS using the Secrets Store CSI Driver.
- Understand Private Architecture: Navigate the deployment challenges of Private AKS Clusters and restricted network environments.
- Control Access: Implement granular Authentication and Authorization using Azure RBAC for Kubernetes.
-
This course is ideal for Software Developers, Application Architects, and Junior DevOps Engineers who are moving workloads to AKS and need a practical, hands-on understanding of how to implement security using Azure-native tools.
-
Attendees should have a basic familiarity with the Azure Portal and CLI, as well as a foundational understanding of containerization with Docker and creating and managing Kubernetes clusters.
-
This AKS security course is available for private / custom delivery for your team - as an in-house face-to-face workshop at your location of choice, or as online instructor-led training via MS Teams (or your own preferred platform).
Get in touch to find out how we can deliver tailored training which focuses on your project requirements and learning goals.
-
Foundational AKS Security & Identity
Introduction to the AKS Security Model: Shared responsibility in the cloud and the "Defense in Depth" approach.
AKS Authentication & Authorization:
Integrating Entra ID (formerly Azure AD) for cluster access.
Understanding Kubernetes RBAC vs. Azure RBAC for Kubernetes.
Entra Workload Identity:
Moving away from static service principal keys.
Mapping Kubernetes Service Accounts to Azure Managed Identities.
Hands-on Lab: Configuring a pod to securely access Azure Storage using Workload Identity.
Securing the Image Pipeline & Private Networking
Private Azure Container Registry (ACR) Integration:
Configuring AcrPull permissions and secure authentication.
Utilizing ACR Tasks for secure, automated builds.
The Private AKS Cluster Architecture:
Why use Private Clusters? Understanding the API Server endpoint.
Networking fundamentals: Private endpoints and private DNS zones.
Deployment Considerations for Private Resources:
Troubleshooting connectivity from developer machines to private clusters.
Securely connecting to a private AKS cluster using the Azure portal, Azure CLI and other helpful Azure services such as Azure Bastion.
Hands-on Lab: Deploying a private ACR and establishing a secure image-pull relationship with a private AKS cluster.
Advanced Secrets Management & Data Protection
Managing Secrets the Azure Way: Why standard Kubernetes Secrets are often insufficient.
Azure Key Vault Integration:
Setting up the Secrets Store CSI Driver in AKS.
Mirroring Key Vault secrets into Kubernetes environment variables or volumes.
Hands-on Lab: Migrating application configuration from hard-coded secrets to Azure Key Vault.
The Roadmap to Hardened Kubernetes
Introduction to additional Kubernetes features:
Security contexts, privileged containers, trusted and signed images, and further Azure and Kubernetes hardening configuration such as using the Image Cleaner and disabling SSH access.
Azure Policy for Kubernetes:
Enforcing compliance (e.g., "no privileged containers") across the cluster.
Introduction to Defender for Containers:
Vulnerability scanning for images and runtime threat detection.
-
Official Azure Kubernetes Service (AKS) Documentation: The comprehensive and up-to-date source for all AKS features and security best practices.
Azure Security Centre / Defender for Cloud: For broader cloud security posture management and threat protection.
Azure Policy Documentation: Detailed information on defining, assigning, and managing policies.
Azure Key Vault Documentation: For secure secret management.
OWASP Kubernetes Cheat Sheet: Community-driven best practices for securing Kubernetes.