Secure containers end to end: the isolation model and its attack surface, hardening images (minimal base, non-root, no secrets), scanning them, constraining containers at runtime, then locking down the cluster with RBAC, Pod Security, NetworkPolicy, admission control, and runtime detection with Falco.
Before you start
Take the Docker and Kubernetes courses first — this course secures what those teach you to build and run.
The Container Threat Model
A container is a process, not a VM — it shares the host kernel. Understand what isolates a container, what does not, and where the attack surface really is before you try to secure it.
Harden the Image
The most secure code is the code that is not in your image. Build minimal, non-root images with multi-stage builds and distroless bases, keep secrets out of layers, and pin your inputs.
Scan Images for Vulnerabilities
A hardened image still inherits CVEs from its base and dependencies. Scan images with Trivy in the build, fail on fixable criticals, and re-scan what you already shipped as new CVEs are disclosed.
Constrain the Running Container
Even a clean image is dangerous if it runs as root with a writable filesystem and every Linux capability. Lock down the runtime with a securityContext: non-root, no privilege escalation, dropped capabilities, read-only root, seccomp.
Secure the Cluster: RBAC & Network
A hardened pod in a wide-open cluster is still exposed. Apply least-privilege RBAC, scope ServiceAccounts, enforce Pod Security Standards, and cut lateral movement with default-deny NetworkPolicy.
Admission Control & Runtime Defense
Enforce your rules automatically at the gate and watch for what gets past it. Block non-conforming or unsigned pods with Kyverno/OPA admission policies, and detect malicious behavior in running containers with Falco.