Why this skill matters for Platform Engineers
Security Platform skills let you build paved, secure roads for developers: identity and access controls, safe secrets, segmented networks, signed software, enforced policies, and auditable activity. Mastering this means fewer incidents, faster releases, and higher trust in your platform.
Who this is for
- Platform Engineers who manage Kubernetes, CI/CD, and cloud infrastructure.
- Backend Engineers stepping into platform operations with a security focus.
- Security-minded SREs enabling guardrails without slowing teams.
Prerequisites
- Comfort with Linux, containers, and Git.
- Basic Kubernetes and/or cloud IAM familiarity.
- YAML/JSON editing and reading logs.
Learning path
- Start with IAM and least privilege: make access explicit, scoped, and auditable.
- Add secrets management and rotation: no long-lived static credentials.
- Enforce network segmentation and Zero Trust defaults.
- Secure the supply chain: image signing, SBOM, and scanning.
- Apply policy-as-code for compliance and safe defaults.
- Enable audit logging and schedule access reviews.
Roadmap: 4-week plan
Week 1 — Identity, access, and secrets
- Map identities: humans, services, robots (CI), and machines (nodes).
- Apply least privilege in cloud IAM and Kubernetes RBAC.
- Introduce a central secrets store and rotate one production credential.
What good looks like
Short-lived credentials, role-based access, and no plaintext secrets in repos or CI variables. Every access is logged.
Week 2 — Network and Zero Trust
- Default-deny network policies between namespaces.
- Egress controls for outbound traffic to known destinations.
- Mutual TLS between services where possible.
What good looks like
Only intended communications are possible; new services cannot talk to everything by default.
Week 3 — Supply chain hardening
- Generate SBOMs for all images.
- Scan images in CI; fail on high severity with fixes available.
- Sign images and verify signatures at admission.
What good looks like
Only signed, scanned images run; provenance is tracked to a commit and CI run.
Week 4 — Policy, audit, and guardrails
- Adopt policy-as-code for Kubernetes and CI.
- Enable audit logging and route to a centralized store.
- Schedule quarterly access reviews with automated diff reports.
What good looks like
Policies enforce secure defaults; exceptions are tracked; every sensitive action is auditable.
Worked examples
1) Kubernetes default-deny with targeted allow (NetworkPolicy)
# Namespace: payments
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny
namespace: payments
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-api-from-gateway
namespace: payments
spec:
podSelector:
matchLabels:
app: payments-api
ingress:
- from:
- namespaceSelector:
matchLabels:
name: gateway
podSelector:
matchLabels:
app: ingress-gateway
ports:
- protocol: TCP
port: 8080
egress:
- to:
- namespaceSelector:
matchLabels:
name: db
ports:
- protocol: TCP
port: 5432This creates a default-deny posture and then allows only the gateway to reach the API and only the DB egress.
2) Block privileged pods using policy-as-code (Gatekeeper/OPA)
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
name: disallow-privileged
spec:
match:
kinds:
- apiGroups: ['']
kinds: ['Pod']
namespaces: ["prod", "staging"]Ensure admission denies any Pod requesting privileged containers in sensitive namespaces.
3) Rotate a database password with a central vault
# Pseudo-steps (tool-agnostic):
# 1) Create DB role with limited grants and rotation procedure.
# 2) Vault side: configure dynamic credentials for the DB role.
# 3) Application: use a short-lived token to fetch creds at startup.
# 4) Rotation: trigger via API or schedule; update leases.
# 5) Observe: applications reconnect using new creds without redeploy.
# Example shell snippet to fetch a secret (generic pattern):
TOKEN=$(cat /var/run/secrets/platform/token)
DB_CREDS=$(curl -s -H "X-Auth-Token: $TOKEN" https://vault.internal/v1/db/creds/payments-role)
export DB_USER=$(echo "$DB_CREDS" | jq -r .data.username)
export DB_PASS=$(echo "$DB_CREDS" | jq -r .data.password)Applications fetch credentials just-in-time; rotation does not require code changes.
4) Generate SBOM, scan image, and sign it in CI
# Build image
docker build -t registry.internal/app:1.2.3 .
# Generate SBOM (example with a generic sbom tool)
sbom generate --image registry.internal/app:1.2.3 --output sbom.json
# Scan for vulnerabilities
scanner image scan registry.internal/app:1.2.3 --fail-on high
# Sign the image
cosign sign --key cosign.key registry.internal/app:1.2.3
# Admission will later verify signature before allowing the image to run.Only signed and scanned images are eligible to run. SBOMs enable quick impact analysis for new CVEs.
5) Enable Kubernetes API audit logging with a basic policy
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
verbs: ["get", "list", "watch"]
- level: RequestResponse
resources:
- group: ""
resources: ["secrets"]
- group: "rbac.authorization.k8s.io"
resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
- level: Request
userGroups: ["system:authenticated"]
namespaces: ["prod"]Ship the resulting audit log files to your centralized log store and enable immutability (append-only) for retention.
Drills and exercises
- List all identities with cluster-admin or Administrator access and remove one unnecessary grant.
- Create a default-deny network policy in one namespace and explicitly allow only the needed flows.
- Rotate one production secret and verify applications recover without manual restarts.
- Add an SBOM to a service build and record where it is stored.
- Write one policy-as-code rule that blocks images without a signature.
- Enable audit logging for secret reads and confirm events land in your log store.
Common mistakes and debugging tips
Mistake: Granting wildcard admin access
Fix: Create role-per-function (read, write, admin), bind roles to groups, and set time-bound elevated access via approval.
Mistake: Static secrets in CI variables
Fix: Replace with short-lived tokens from a vault. Scan repos and pipelines for accidental secrets exposure.
Mistake: Allow-all network policies
Fix: Start with default-deny and add explicit, minimal rules. Use labels consistently to target pods.
Mistake: Scans that don’t break the build
Fix: Set severity thresholds with clear exceptions and deadlines; fail builds for exploitable highs.
Debugging tip: Admission blocked my deploy
Read the admission webhook error; compare against policy reference. Test locally with a dry-run and show the diff of denied fields.
Practical projects
- Harden a namespace: apply default-deny, apply non-privileged policy, and deploy only signed images.
- CI security stage: generate SBOM, run image scan, sign artifacts, and publish provenance metadata.
- Access review bot: script that compares current RBAC/IAM against a baseline and opens a ticket for drift.
Mini project: Secure a microservice platform in a day
- Pick one service. Add SBOM creation, image scanning, and signing to its CI pipeline.
- Deploy admission policy that only allows signed images in staging.
- Enable default-deny network policy and allow only required ingress/egress.
- Store the service's database credentials in a vault and rotate them.
- Enable audit logs for secret reads and RBAC changes; verify events arrive in your log store.
Success criteria checklist
- Unsigned images are blocked in staging.
- Service works after secret rotation without redeploy.
- Only intended network paths are open.
- Audit shows who changed roles and who accessed sensitive secrets.
Subskills
- IAM And Least Privilege — Design roles and access scopes that minimize blast radius and enable time-bound elevation.
- Secrets Rotation And Vault Concepts — Centralize secrets, use short-lived credentials, and automate rotation.
- Network Segmentation And Zero Trust Basics — Default-deny everywhere; allow only necessary, authenticated flows.
- Supply Chain Security Basics — Lock down build pipelines and verify artifact provenance.
- Image Scanning And SBOM Basics — Know what’s inside your images and block known-vulnerable builds.
- Policy Enforcement And Compliance — Express rules as code and enforce them consistently at admission and CI.
- Audit Logging And Access Reviews — Capture sensitive actions and remove stale privileges proactively.
- Secure Defaults And Guardrails — Make the safest path the easiest path for developers.
Next steps
- Pick one high-impact area (admission control or secrets rotation) and ship it for a single service first.
- Codify policies and store them versioned with tests.
- Automate quarterly access reviews and track exceptions with time limits.
Take the Skill Exam
Test your understanding of Security Platform fundamentals. Anyone can take the exam for free; logged-in users get their progress saved.