This repository contains a pragmatic container security framework mapped onto a memorable "Guardians of the Galaxy" crew metaphor. Each character archetype represents a critical defensive layer—supply chain integrity, runtime behavioral detection, zero‑trust networking, and observability—to help teams remember and implement comprehensive container security practices.
Slides can be found at chris-ayers.com/container-security
All six demos run on a single local Kubernetes cluster. For NetworkPolicy
enforcement (demo 5) use kind + Calico via
scripts/setup-kind-cluster.sh (or
scripts/setup-kind-cluster.ps1 on Windows),
and tear everything down with
scripts/teardown-kind-cluster.sh (or
.ps1) when finished. See docs/CLUSTER-SETUP.md for
the lifecycle, prerequisites, the "which cluster should I use?" decision guide,
and the quickstart.
Hands-on walkthroughs live under demos/ for each Guardian archetype:
- demos/1-policy-guardrails/ – Star-Lord: Kyverno admission policy guardrails (non-root + simulated signed-image validation)
- demos/2-supply-chain-trust/ – Gamora: SBOM, scanning, signing pipeline
- demos/3-image-hardening/ – Rocket: Dockerfile before/after with Trivy diff
- demos/4-runtime-detection/ – Drax: Falco custom rule + controlled trigger
- demos/5-zero-trust-networking/ – Groot: Deny-by-default NetworkPolicies
- demos/6-observability-signals/ – Mantis: OTEL telemetry + Falco alert correlation
- Falco
- Trivy
- Cosign
- Syft
- Grype
- Calico
- Cilium
- Kyverno
- OPA Gatekeeper
- CNCF Cloud Native Security Whitepaper
Feel free to connect with Chris Ayers on social media and visit his blog for more insights on DevOps, Azure, and container security.
- Mastodon: @Chrisayers@hachyderm.io
- LinkedIn: chris-l-ayers
- Blog: chris-ayers.com
- GitHub: Codebytes
This project is licensed under the MIT License. See the LICENSE file for details.
"We are Groot." – In security terms: we are stronger as interlocked layers, not isolated tools.