Security Tools Toolkit

Toolkit Track | 6 Modules | ~5 hours total

Overview

The Security Tools Toolkit covers the essential tools for securing Kubernetes clusters and workloads. From secrets management to runtime detection to supply chain integrity—these tools form the defense-in-depth security stack that production clusters require.

This toolkit applies concepts from Security Principles and DevSecOps Discipline.

Prerequisites

Before starting this toolkit:

DevSecOps Discipline — Security concepts and practices
Security Principles Foundations
Kubernetes RBAC basics
Container fundamentals

Modules

#	Module	Complexity	Time
4.1	Vault & External Secrets	`[COMPLEX]`	45-50 min
4.2	OPA & Gatekeeper	`[COMPLEX]`	45-50 min
4.3	Falco	`[COMPLEX]`	45-50 min
4.4	Supply Chain Security	`[COMPLEX]`	45-50 min
4.5	Tetragon	`[MEDIUM]`	90 min
4.6	KubeArmor	`[MEDIUM]`	90 min
4.7	Kyverno	`[MEDIUM]`	35-40 min
4.8	SPIFFE/SPIRE	`[COMPLEX]`	50 min

Learning Outcomes

After completing this toolkit, you will be able to:

Manage secrets securely — Vault + ESO for centralized, audited secrets
Enforce policies at admission — Gatekeeper/OPA for policy-as-code
Detect runtime threats — Falco for syscall-based intrusion detection
Secure the supply chain — Signing, SBOMs, vulnerability scanning
Prevent attacks with Tetragon — eBPF-based kernel-level enforcement
Implement least privilege with KubeArmor — Allow-listing for containers

Tool Selection Guide

WHICH SECURITY TOOL?
─────────────────────────────────────────────────────────────────

"I need to manage secrets across multiple apps"
└──▶ Vault + External Secrets Operator
     • Centralized secrets
     • Automatic rotation
     • Audit trail

"I need to enforce security policies at deploy time"
└──▶ OPA/Gatekeeper (or Kyverno)
     • Block privileged containers
     • Require resource limits
     • Enforce image policies

"I need to detect attacks on running containers"
└──▶ Falco
     • Syscall monitoring
     • Container escape detection
     • Cryptominer detection

"I need to secure my container images"
└──▶ Sigstore + Trivy + Harbor
     • Image signing
     • Vulnerability scanning
     • SBOM generation

SECURITY LAYERS:
─────────────────────────────────────────────────────────────────
                    Build        Deploy       Runtime
─────────────────────────────────────────────────────────────────
Secrets             Vault        ESO          Vault Agent
Policy              n/a          Gatekeeper   n/a
Scanning            Trivy        Admission    Falco
Signing             Cosign       Verify       n/a

The Security Stack

┌─────────────────────────────────────────────────────────────────┐
│                   KUBERNETES SECURITY STACK                      │
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  SUPPLY CHAIN SECURITY                                          │
│  ┌───────────────────────────────────────────────────────────┐ │
│  │  Sigstore (Cosign)  │  Trivy  │  Harbor  │  SBOM          │ │
│  │  Image signing       Vuln scan  Registry   Bill of matls  │ │
│  └───────────────────────────────────────────────────────────┘ │
│                              │                                   │
│                              ▼                                   │
│  ADMISSION CONTROL                                              │
│  ┌───────────────────────────────────────────────────────────┐ │
│  │  OPA/Gatekeeper  │  Kyverno  │  Image Policy Webhook      │ │
│  │  Policy-as-code   Alt policy   Signature verification     │ │
│  └───────────────────────────────────────────────────────────┘ │
│                              │                                   │
│                              ▼                                   │
│  SECRETS MANAGEMENT                                             │
│  ┌───────────────────────────────────────────────────────────┐ │
│  │  Vault  │  External Secrets Operator  │  Sealed Secrets   │ │
│  │  Source   K8s sync                      GitOps secrets     │ │
│  └───────────────────────────────────────────────────────────┘ │
│                              │                                   │
│                              ▼                                   │
│  RUNTIME SECURITY                                               │
│  ┌───────────────────────────────────────────────────────────┐ │
│  │  Falco  │  NetworkPolicies  │  Seccomp  │  AppArmor       │ │
│  │  Detection  Network isolation  Syscall     Process restrict │ │
│  └───────────────────────────────────────────────────────────┘ │
│                                                                  │
└─────────────────────────────────────────────────────────────────┘

Study Path

Module 4.1: Vault & External Secrets
     │
     │  Secrets foundation—get this right first
     ▼
Module 4.2: OPA & Gatekeeper
     │
     │  Prevent bad configs from deploying
     ▼
Module 4.3: Falco
     │
     │  Detect threats in running workloads
     ▼
Module 4.4: Supply Chain Security
     │
     │  Secure images from build to deploy
     ▼
[Toolkit Complete] → Networking Toolkit

Key Concepts

Defense in Depth

Layer	Tool	What It Prevents
Build	Trivy, Cosign	Vulnerable images, unsigned artifacts
Deploy	Gatekeeper	Misconfigurations, policy violations
Secrets	Vault + ESO	Credential exposure, sprawl
Runtime	Falco	Active attacks, cryptominers, shells

Zero Trust Principles

ZERO TRUST IN KUBERNETES
─────────────────────────────────────────────────────────────────

TRADITIONAL: "Inside the cluster = trusted"
ZERO TRUST:  "Never trust, always verify"

Applied:
┌───────────────────────────────────────────────────────────────┐
│ Workload Identity  │  Don't use shared service accounts      │
│ Secret Access      │  Audit every access, rotate regularly   │
│ Network            │  Default deny, explicit allow           │
│ Images             │  Verify signatures, scan continuously   │
│ API Access         │  RBAC, audit logging, admission control │
└───────────────────────────────────────────────────────────────┘

Tool Ecosystem

Alternatives Considered

This Toolkit	Alternatives	Why We Chose It
Vault	AWS Secrets Manager, GCP Secret Manager	Cloud-agnostic, most features
ESO	Sealed Secrets, SOPS	Multi-provider, active development
Gatekeeper	Kyverno	Mature, OPA ecosystem, library
Falco	Tetragon, Sysdig	CNCF graduated, largest community
Cosign	Notary v2	Simpler, keyless support

Integration Points

HOW THE TOOLS WORK TOGETHER
─────────────────────────────────────────────────────────────────

1. Developer pushes code
        │
        ▼
2. CI builds image, scans with Trivy
        │
        ▼
3. CI signs with Cosign, generates SBOM
        │
        ▼
4. Push to Harbor (scans again)
        │
        ▼
5. Deploy to K8s → Gatekeeper checks:
   • Is image signed?
   • Does it have resource limits?
   • Is it from allowed registry?
        │
        ▼
6. ESO syncs secrets from Vault
        │
        ▼
7. Pod runs → Falco monitors syscalls
        │
        ▼
8. Falcosidekick alerts on suspicious activity

Hands-On Focus

Each module includes practical exercises:

Module	Key Exercise
Vault & ESO	Sync secrets from Vault to Kubernetes
OPA/Gatekeeper	Write policy to block privileged pods
Falco	Detect shell execution in container
Supply Chain	Sign image, generate SBOM, scan vulns

Before: DevSecOps Discipline — Security concepts
Before: Security Principles — Theory
Related: GitOps & Deployments — Secure deployments
Related: IaC Tools — IaC security scanning with Checkov, tfsec
After: Networking Toolkit — Network security

“Security isn’t a feature—it’s a property. These tools make security a property of your platform, not an afterthought.”