Cloud Security: from Docker to Kubernetes

Open Source Systems and Applications

9:00 – 17:00
BFH - Berner Fachhochschule
Max. participants: 20


Security is hard, everybody knows! It is one of the hardest principles to learn and to stay aligned with, especially when introducing it into an existing architecture, and especially in the cloud!
But by respecting best practices, leveraging the right tools and reaching a good level of automation, security becomes our most powerful and reliable fellow.
Join me in a journey inside security. We will learn the basics, deploy some examples on Kubernetes and protect our applications from the most common threats out there.
Let’s stop looking at security as restrictive and blocking, because even an amazing supercar cannot run 400 km/h without good brakes 😉


Introduction to main cloud security areas and concepts:

  • Container
  • Kubernetes
  • Cloud
  • Auditing

Hands-on lab:

  • Spin up a Kubernetes cluster
  • Set up Kubernetes authentication
  • Configure RBAC
  • Try some useful RBAC-related tools
  • Build a security-compliant container image
  • Scan a container image
  • Configure Kubernetes Pod Security Context
  • Configure Kubernetes Pod Security Standards and Admission
  • Configure Kubernetes Network Policies
  • Deploy and test Falco


Learn the basics of cloud security in a Dockerfile

  • Base container image
  • Container image digest
  • Run as root
  • Vulnerability scanning

Learn the basics of cloud security in Kubernetes

  • Authentication
  • RBAC
  • Security Context
  • Pod Security Policies
  • Pod Security Standards
  • Pod Security Admission
  • Network Policies

Learn the basics of auditing

  • Special focus on Sysdig Falco

Learn useful tools

  • RBAC-manager
  • RBAC-lookup
  • Polaris

Learn about further helpful tools

  • Rakkess
  • Starboard
  • Popeye
  • Kyverno


  • Every enthusiast learner
  • Everybody interested in cloud security
  • Cloud Solution Experts/Engineers/Architects
  • Kubernetes Engineers
  • DevOps/Infrastructure Engineers
  • DevOps/Infrastructure enthusiasts


Required software already installed locally:

Minikube alternatives:

  • KinD
  • K3s
  • MicroK8s
  • GCP
  • AWS
  • Azure


Bring with you just a couple of things: your enthusiasm, your curiosity and your Linux or macOS laptop (Windows not supported).


Matteo Baiguini

I was born in Milan, where I studied Computer Sciences at the University of Milano-Bicocca and started working on Java and the eCommerce field some years ago. I moved to Zurich during 2015, always working on eCommerce but moving steps toward cloud-native architectures. I worked for a couple of years as Freelance Cloud Expert with different customers on innovative cloud-native event-driven projects, both green-field and enterprise. Currently I work in a startup named Swissblock Technologies as Head of DevOps and Security, responsible for infrastructure, security but also development based on agile and DevOps principles.