Secure a cluster the way attackers try to break it. Learn the NSA/CISA threat model, control-plane and etcd hardening, authentication and audit, and image supply-chain and runtime defense — and remember it with spaced repetition.
A default Kubernetes cluster is built for convenience, not for defense. The NSA and CISA hardening guidance is blunt about where compromise comes from: the supply chain, malicious threat actors, and insider threats. Beyond stealing data, clusters are prized for their raw compute — cryptojacking and denial of service are common goals — so hardening is about shrinking the attack surface across every layer.
The control plane is the crown jewels. The API server is the single front door to everything, and etcd holds every Secret in the cluster, so securing authentication, authorization and audit logging is where hardening starts. Getting authorization wrong — for example running the API server with --authorization-mode=AlwaysAllow — throws away least privilege entirely.
This track breaks cluster hardening into bite-sized, practical questions across three modules — threat model and control-plane hardening, authentication/authorization/audit, and supply-chain, runtime and lifecycle hardening (Pod Security Standards, non-root vs rootless, image scanning) — and uses spaced repetition so the defenses stick when it matters.
Each module is a set of flashcards — 36 in total. Answer, review, and watch your knowledge grow from seed to full bloom.
NSA threat model, API server and etcd, kubeconfig, worker-node segmentation, cloud metadata
12 cards
User authentication, anonymous requests, authorization modes, audit policy levels and backends, log resilience
12 cards
Pod Security Admission, image scanning, sandboxed runtimes, seccomp, resource limits, TLS, encryption at rest, service mesh, CIS benchmarks
12 cards
A taste of the real flashcards. Pick an answer, then reveal the explanation.
According to NSA/CISA, what are the three most common sources of Kubernetes cluster compromise?
Why is leaving the API server's --authorization-mode=AlwaysAllow dangerous?
Which three policy levels do the Pod Security Standards define?
What is the difference between a non-root container and a rootless container engine?
Each card is one practical concept with multiple options. Pick what you think is right.
See the correct option plus a clear explanation, and a link to deeper docs when one is available.
A spaced-repetition engine (SM-2 or FSRS) resurfaces each card just before you would forget it.
Hardening spans the control plane, identity, workloads and images — knowing the model lets you secure each layer deliberately.
The deck follows the NSA/CISA Kubernetes Hardening Guide, so you learn the threat model practitioners actually design against.
Understanding RBAC, authentication modes and Pod Security Standards is how you stop one mistake from owning the cluster.
Control-plane hardening, audit, supply chain and runtime security map closely to the Certified Kubernetes Security Specialist domains.
Yes — this track assumes you already understand Pods, Deployments, Services and RBAC. If the primitives are new, start with the Kubernetes Fundamentals track, then come here.
Yes. The threat model, control-plane and etcd hardening, and supply-chain and runtime guidance follow the NSA/CISA Kubernetes Hardening Guide and current Pod Security Standards.
Gnoseed is a study companion, not a course or exam dump. These cards map closely to the CKS security domains, so they complement hands-on labs by making the concepts stick in long-term memory.
Yes, completely free. No registration or credit card is required, and all your progress is stored locally in your browser.
Plant your first seed today. Ten minutes a day is all it takes to grow real, lasting cluster-security instincts.