Core Track Guardrails-first chapter in core learning path.

Estimated Time

  • Reading: 20-25 min
  • Lab: 45-60 min
  • Quiz: 10-15 min

Prerequisites

Source Code References

  • deployment.yaml Members
  • namespaces.yaml Members

Sign in to view source code.

What You Will Produce

A reproducible lab result plus quiz verification and incident-safe operating evidence.

Break/Fix Drill Focus

  1. Intentionally fail: Trigger a permission failure by setting readOnlyRootFilesystem: true on an app that needs to write logs.
  2. Fix securely: Resolve the failure by adding an emptyDir volume instead of setting readOnlyRootFilesystem: false.
  3. Capture evidence: Compare the before and after manifest diff and explain the risk reduction.

Core Exercises (Required)

  1. Check User ID: Exec into a running backend pod and run id. Verify that it is not root.
  2. Verify Read-Only: Try to touch /bin/test inside a running pod. Verify that it fails with Read-only file system.
  3. Inspect Seccomp: Check the seccompProfile of a running pod using kubectl get pod <pod> -o yaml. Verify that it is set to RuntimeDefault.

Challenge Exercise (Optional)

Iterative Hardening From Zero: Start from a fully insecure manifest (root user, writable filesystem, all capabilities, no seccomp) and iteratively harden it to match the golden baseline, documenting each change and its security impact.

Done When

You have completed this chapter when:

  • You can prove both backend and frontend workloads run non-root.
  • You can diagnose and fix permission failures without using root or privileged mode.
  • You can explain why privileged shortcuts are rejected in production.
  • You understand the risk reduction provided by a read-only root filesystem.

Knowledge Check

Before finishing this chapter, complete the Quiz to verify your understanding of the guardrail principles.