Awesome

Certified Kubernetes Security Specialist - CKSS

This repository is a collection of resources to prepare for the Certified Kubernetes Security Specialist (CKSS) exam.

The given references and links below are just assumptions and ideas around the CKSS curriculum.

CKS Overview

The Kubernetes Security Specialist (CKS) certification ensure that the holder has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime.

The certification is generally available to take from here as anounced during the KubeCon NA20

CKS Outline

The CKS test will be online, proctored and performance-based with 15-20 hands-on performance based tasks, and candidates have 2 hours to complete the exam tasks.

From the CKS Exam Curriculum repository, The exam will test domains and competencies including:

1. Cluster Setup (10%): Best practice configuration to control the environment's access, rights and platform conformity.
2. Cluster Hardening (15%): Protecting K8s API and utilize RBAC.
3. System Hardening (15%): Improve the security of OS & Network; restrict access through IAM
4. Minimize Microservice Vulnerabilities (20%): Utilizing on K8s various mechanisms to isolate, protect and control workload.
5. Supply Chain Security (20%): Container oriented security, trusted resources, optimized container images, CVE scanning.
6. Monitoring, Logging, and Runtime Security (20%): Analyse and detect threads.

CKS Exam Preparation

In order to take the CKS exam, you must have Valid CKA certification prior to attempting the CKS exam to demonstrate you possess sufficient Kubernetes expertise. A first good starting point for securing Kubernetes is the Task section Securing a Cluster of the official K8s documentation. The exam will be based on Kubernetes v1.19 documentation as of November general availability announcement.

Allowed resources to access during my CKS exam:

According to the LF docs, during the CKS exam the candidates may:

• review the Exam content instructions that are presented in the command line terminal.
• review Documents installed by the distribution (i.e. /usr/share and its subdirectories)
• use their Chrome or Chromium browser to open one additional tab in order to access
  • Kubernetes Documentation:
    • https://kubernetes.io/docs/ and their subdomains
    • https://github.com/kubernetes/ and their subdomains
    • https://kubernetes.io/blog/ and their subdomains
    This includes all available language translations of these pages (e.g. https://kubernetes.io/zh/docs/)
  • Tools:
    • Trivy documentation https://github.com/aquasecurity/trivy
    • Sysdig documentation https://docs.sysdig.com/
    • Falco documentation https://falco.org/docs/
  • App Armor:
    • Documentation https://gitlab.com/apparmor/apparmor/-/wikis/Documentation
  The allowed sites above may contain links that point to external sites. It is the responsibility of the candidate not to click any links to navigate to a domain that is not allowed

Cluster Setup (10%)

Allowed Ressources

• Network Policies
• Securing a Cluster
• Declare Network Policy
• Enforcing Network Policies in Kubernetes

3rd Party Ressources

• Get started with Kubernetes network policy
• kubernetes-network-policy-recipes
• Kubernetes Network Policies Best Practices
• Exploring Network Policies in Kubernetes

3rd Party Ressources

• CIS benchmark for Kubernetes
  • The benchmark is not yet available for Kubernetes 1.19, but it gives great understanding.
• What is Center for Internet Security (CIS) Benchmarks
• Kube-bench: A tool for running Kubernetes CIS Benchmark tests
• GKE: CIS Benchmarks for etcd & kubelet

Allowed Ressources

• Ingress
• Ingress Controllers
• Set up Ingress on Minikube with the NGINX Ingress Controller
• secure an Ingress by specifying a Secret that contains a TLS private key and certificate
• How to deploy NGINX Ingress Controller
• TLS/HTTPS

Allowed Ressources

• Restricting cloud metadata API access
• Kubelet authentication/authorization

3rd Party Ressources

• Kubelet API
• Setting up secure endpoints in Kubernetes
• GKE Protecting cluster metadata
• Retrieving EC2 instance metadata
• EC2 Instance user data

Allowed Ressources

• Web-based Kubernetes User Interface
• Dashboard Access control
• Dashboard Auth

3rd Party Ressources

• On Securing the Kubernetes Dashboard

Allowed Ressources

• Kubernetes platform binaries

Cluster Hardening (15%)

Allowed Ressources

• Controlling Access to the Kubernetes API
• Certificate Signing Requests: Create Normal User
• Generate cluster certificates (easyrsa, openssl or cfssl)

3rd Party Ressources

• GKE: Hardening your cluster's security
• Kubernetes RBAC and TLS certificates – Kubernetes security guide
• Securing Your Kubernetes API Server

Allowed Ressources

• Using RBAC Authorization
• Authorization modes for Kubernetes API server

3rd Party Ressources

• Site for Kubernetes RBAC
• Understand Role-Based Access Control in Kubernetes
• RBAC Study Guide

Allowed Ressources

• Managing Service Accounts
• Default roles and role bindings
• Authorization Modes
• Configure Service Accounts for Pods
• Kubernetes should not mount default service account credentials by default

3rd Party Ressources

• Kubernetes: Creating Service Accounts and Kubeconfigs
• Kubernetes Access Control: Exploring Service Accounts
• Disable default service account by deployments in Kubernetes
• Securing Kubernetes Clusters by Eliminating Risky Permissions
• Understand Role Based Access Control in Kubernetes

Allowed Ressources

• Update Kubernetes frequently

System Hardening (15%)

Allowed Ressources

• Preventing containers from loading unwanted kernel modules

3rd Party Ressources

• Reduce Kubernetes Attack Surfaces
• distribution independent linux
• CIS Benchmark Ubuntu Linux
• CIS Benchmark RedHat
• CIS Benchmark Debian
• CIS Benchmark Centos
• CIS Benchmark SUSE
• CIS Benchmark Oracle

3rd Party Ressources

• What is the Principle of Least Privilege (POLP)?
• IAM Grant least privilege

Allowed Ressources

• K8s quotas (services.loadbalancers)
• Restrict Access For LoadBalancer Service
• Admission control plugin: ResourceQuota

3rd Party Ressources

• Secure hosts with OS-level firewall (ufw)
• Configure firewall with ufw
• Use security groups to secure network (Azure)
• Amazon EKS security group considerations
• Amazon EC2 security groups for Linux instances

Allowed Ressources

• Restrict a Container's Access to Resources with AppArmor
• Restrict a Container's Syscalls with Seccomp

3rd Party Ressources

• Kubernetes Hardening Best Practices
• Container Security: Fundamental Technology Concepts that Protect Containerized Application by Liz Rice

Minimize Microservice Vulnerabilities (20%)

Allowed Ressources

• Pod Security Policies
• Configure a Security Context for a Pod or Container
• OPA Gatekeeper: Policy and Governance for Kubernetes
• Kubernetes security context, security policy, and network policy – Kubernetes security guide (part 2)

3rd Party Ressources

• Open Policy Agent Introduction
• Enforce policies on Kubernetes objects with OPA
• Pod Security Policy

Allowed Ressources

• Kubernetes Secrets
• Encrypting Secret Data at Rest
• Using a KMS provider for data encryption

3rd Party Ressources

• katacoda lab around Secrets
• Managing Secrets in Kubernetes
• Secrets Store CSI driver
• How to Manage Secrets in Kubernetes

Allowed Ressources

• container runtime
• container runtime sandboxes examples
• Enforce tenant isolation (Limit Ranges, Quotas, PSPs) with Policies
• Affinity and anti-affinity

3rd Party Ressources

• What is gVisor?
• Cluster multi-tenancy
• Use gVisor to run Kubernetes pods
• Implementing secure Containers using Google’s gVisor
• Kata containers and Kubernetes: How they fit together?
• How to use Kata Containers with Kubernetes?

Allowed Ressources

• Manage TLS Certificates in a Cluster

3rd Party Ressources

• Secure communication between services in Istio with mutual TLS
• Mutual TLS Authentication (mTLS) De-Mystified
• Traffic encryption using mTLS
• Using Istio to improve end-to-end security
• Linerd: automatic mtls

Supply Chain Security (20%)

3rd Party Ressources

• Why build small container images in Kubernetes
• Use the smallest base image possible
• 7 best practices for building containers
• distroless containers
• Docker multi-stage builds
• Tips to Reduce Docker Image Sizes
• 3 simple tricks for smaller Docker images

Allowed Ressources

• Using Admission Controllers
• Dynamic Admission Control
• A Guide to Kubernetes Admission Controllers
• Ensure images only from approved sources are run

3rd Party Ressources

• Content trust in Docker
• How to reject docker registries in Kubernetes?
• Restrict pulling images from Registry
• Container image signatures in Kubernetes

Allowed Ressources

• 11 Ways (Not) to Get Hacked: statically-analyse-yaml

3rd Party Ressources

• Trivy
• Static analysis with Clair
• Static analysis with Kube-score
• kubehunter
• kubesec
• Kubernetes static code analysis with Checkov

3rd Party Ressources

• Trivy

Monitoring, Logging and Runtime Security (20%)

Allowed Ressources

• Restrict a Container's Syscalls with Seccomp
• Auditing with Falco (Obsoledted)
• How to detect a Kubernetes vulnerability using Falco

3rd Party Ressources

• Kubernetes Security monitoring at scale

3rd Party Ressources

• Common Kubernetes config security threats
• A guidance on Kubernetes threat modeling
• Threat matrix for Kubernetes

3rd Party Ressources

• Investigating Kubernetes attack scenarios in Threat Stack
• Anatomy of a Kubernetes attack – How untrusted Docker images fails us
• Investigating Kubernetes Attack Scenarios in Threat Stack (part 1)
• The seven phases of a cyber attack
• Threat matrix for Kubernetes
• MITRE ATT&CK framework for container runtime security with Falco
• Mitigating Kubernetes attacks

3rd Party Ressources

• Kubernetes security 101: Risks and Best practices

Allowed Ressources

• "ReadOnlyRootFilesystem" (securityContext, PSP)
• "readOnly" volume mount
• Principles of Container-based Application Design

3rd Party Ressources

• Leverage Kubernetes to ensure that containers are immutable
• Why I think we should all use immutable Docker images
• With immutable infrastructure, your systems can rise from the dead

Allowed Ressources

• Kubernetes Audit
• Kubernetes Audit logging

3rd Party Ressources

• How to monitor Kubernetes audit logs?
• Kubernetes Audit: Making Log Auditing a Viable Practice Again

Related Kubernetes security resources

• Kubernetes Security Essentials (LFS260)
• Cloud Native Security Tutorial
• Killer Shell CKS Simulator
• Sysdig Kubernetes Security Guide
• Kubernetes Security Best Practices - Ian Lewis, Google
• Kubernetes security concepts and demos
• Tutorial: Getting Started With Cloud Native Security - Liz Rice, Aqua Security & Michael Hausenblas
• 11 Ways (Not) to Get Hacked
• Kubernetes Goat
• Kubernetes CTF on vagrant environment
• Udemy Kubernetes CKS 2020 Complete Course and killer.sh Simulator
• NSA/CISA Kubernetes Hardening Guidance 08/2021

White Papers

• CNCF cloud-native security white paper Nov 2020

Keep Updating

• LIVING DOCUMENT - I WILL UPDATE IT FREQUENTLY WHEN I HAVE NEW INFORMATIONS
• PRs are always welcome so star, fork and contribute
  • please make a pull request if you would like to add or update

Ibrahim Jelliti © 2020