Merge branch 'master' of https://github.com/k8s-sec/cloud-native-security-tutorial

Author: lizrice

docs/conclusions.md

@@ -1,11 +1,21 @@
 # Conclusions
 
-We hope this tutorial has introduced you to some practical steps you can take to make your Kubernetes deployments more secure. Thank you for your time!
+We hope this tutorial has introduced you to some practical steps you can take
+to make your Kubernetes deployments more secure. Thank you for your time!
 
 ## Further reading
 
-You'll find more details and further resources about Kubernetes Security [here](https://kubernetes-security.info) including a link to download an electronic copy of our book [here](https://info.aquasec.com/kubernetes-security).
+You'll find more details and further resources about Kubernetes Security at
+[kubernetes-security.info](https://kubernetes-security.info) including a link 
+to download an electronic copy of our book [here](https://info.aquasec.com/kubernetes-security):
 
 ![Kubernetes Security book](https://kubernetes-security.info/assets/img/cover.png)
 
-If you'd like to dive into more technical details, you might also like to check out Liz's book on [Container Security](https://container-security.tech).
+If you'd like to dive into more technical details, you might also like to 
+check out Liz's book on [Container Security](https://container-security.tech).
+
+## Related resources
+
+- [KubeCon NA 2019 CTF](https://securekubernetes.com/)
+- [rbac.dev](https://rbac.dev/) has RBAC tools and recipes
+- [Amazon EKS Best Practices Guide for Security](https://aws.github.io/aws-eks-best-practices/)

docs/gitops.md

@@ -1,7 +1,39 @@
 # GitOps
 
-## Concept
+We wrap up this tutorial with a special topic insofar that it doesn't
+demonstrate an attack of shows a control in action but rather discusses a
+good practice. [GitOps](https://www.gitops.tech/) is a continuous or sometimes
+called progressive deployment method. The source of truth for the state of the
+deployments is Git and the way how a deployment is done is as follows:
 
-## Using Flux
+1. As a developer or release engineer, you commit a change (for example, via
+   a pull request in GitHub. 
+1. A combination of bots and human reviewers comment on the commit, request
+   changes and/or merge it, eventually.
+1. In the Kubernetes cluster runs an agent that watches the Git repo and on
+   changes, kicks off a new deployment.
 
-## Using ArgoCD
+In this setup, other than for read-only or potentially troubleshooting access
+(with tight RBAC settings) the end-user does not have access to the Kubernetes
+cluster. In other words, a `kubectl apply -f ...` is not possible, every change
+of the application configuration is reviewed and part of an immutable log, the
+Git repo's commit log. This allows at any point in time to reset the state to
+a well-defined and good, previous state. Further, since it's formally and 
+automatically on record who requested and who approved a change, auditing is
+straightforward.
+
+There are a number of tools available for applying GitOps in your team, for 
+example:
+
+- CNCF [Flux](https://docs.fluxcd.io)
+- CNCF [ArgoCD](https://argoproj.github.io/argo-cd/)
+
+
+To see GitOps in action, head over to the GitOps Toolkit and do go through
+the [Get Started](https://toolkit.fluxcd.io/get-started/) guide.
+
+Learn more about GitOps via:
+
+- [Adopting GitOps for Kubernetes on AWS](https://acloudguru.com/blog/engineering/adopting-gitops-for-kubernetes-on-aws)
+- Introduction To GitOps Toolkit: [video](https://www.youtube.com/watch?v=qQBtSkgl7tI) 
+  and [slide deck](https://www.slideshare.net/weaveworks/gitops-toolkit-cloud-native-nordics-tech-talk).

mkdocs.yml

@@ -4,18 +4,25 @@ site_author: 'Liz Rice and Michael Hausenblas'
 repo_name: 'k8s-sec/cloud-native-security-tutorial'
 repo_url: 'https://github.com/k8s-sec/cloud-native-security-tutorial'
 copyright: 'Copyright © Liz Rice and Michael Hausenblas'
+docs_dir: 'docs'
 nav:
-    - Overview: index.md
-    - Introduction: introduction.md
-    - Preparation: preparation.md
-    - Compromise a pod!: compromise.md
-    - Scanning: scanning.md
-    - Policies: policies.md
-    - Secure settings: settings.md
-    - GitOps: gitops.md
-    - Conclusion: conclusions.md
+    - Home:
+      - Overview: index.md
+      - Introduction: introduction.md
+      - Preparation: preparation.md
+    - Exercises:
+      - Compromised pod: compromise.md
+      - Scanning: scanning.md
+      - Policies: policies.md
+      - Secure settings: settings.md
+      - GitOps: gitops.md
+    - Conclusion:
+      - conclusions.md
 theme:
     name: 'material'
+    features:
+    - 'tabs'
+    - 'instant'
     icon:
         logo: 'material/lock'
     font:
@@ -35,5 +42,4 @@ markdown_extensions:
     - admonition
     - codehilite:
         linenums: true
-    - pymdownx.details
-    - pymdownx.superfences
+