Overview
Security and platform engineers work through progressive hardening stories: tightening RBAC, enforcing Pod Security contexts, and interpreting Falco-style signals without vendor lock-in. Each story ends with evidence you could attach to a change ticket.
What you work through
- OPA Gatekeeper-style constraints with human-readable violations
- AppArmor and seccomp profiles applied incrementally
- Immutable workload patterns with justification notes
- Network segmentation exercises with east-west traffic cases
- Image signing verification using Sigstore concepts
- Kubernetes audit log triage with redacted samples
- Incident tabletop tied to CKS-style prompts
Outcomes
- Draft a hardening change with rollback and blast-radius notes
- Interpret an admission webhook denial without vendor docs
- Produce audit snippets suitable for compliance review
Facilitator
Ren Ishikawa
Certification Coach with prior security architecture roles in cloud-native retail.
Participant notes
Admission webhook lab mirrored how our platform team reviews PRs. The audit snippet homework was surprisingly practical.
Course questions
No, but you should be comfortable with Linux permissions and TLS basics. We include refreshers yet move quickly.
Yes, each learner receives scoped credentials. Some cooperative drills use only shared, read-only telemetry.
Commercial security scanners, CKS exam fees, and customer-specific compliance templates.