Home

Awesome

License: CC BY-SA 4.0 PRs Welcome

Certified Kubernetes Security Specialist - CKS

<p align="center"> <img width="360" src="kubernetes-security-specialist-logo-300x285.png"> </p>

Online curated resources that will help you prepare for taking the Kubernetes Certified Kubernetes Security Specialist CKS Certification exam.

Resources are primarly cross referenced back to the allowed CKS sites during the exam as per CNCF/Linux Foundation exam allowed search rules. Videos and other third party resources e.g. blogs will be provided as an optional complimentary material and any 3rd party material not allowed in the exam will be designated with :triangular_flag_on_post: in the curriculum sections below.

Ensure you have the right version of Kubernetes documentation selected (e.g. v1.26 as of January 2023) especially for API objects and annotations, however for third party tools, you might find that you can still find references for them in old releases and blogs e.g. Falco install.

Exam Brief

Offical exam objectives you review and understand in order to pass the test.

URLs to prepare for the exam:

This includes all available language translations of these pages (e.g. https://kubernetes.io/zh/docs)

Exam interface

According to official Linux Foundation documentation and as of June 2022, there was a change in the exam platform. It is just an exam platform, so the exam questions will not change, but there were a few things that seemed to concern you, so I will write them down:

The new ExamUI includes improved features such as:

CKS repo topics overview

Extra helpful material

<hr style="border:3px solid blue"> </hr>

Cluster Setup - 10%

:large_blue_circle: Securing a Cluster

  1. Use Network security policies to restrict cluster level access

  2. :triangular_flag_on_post: Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)

    • :triangular_flag_on_post: Kube-bench - Checks whether Kubernetes is deployed securely by running the checks documented ain the CIS Kubernetes Benchmark.
  3. Properly set up Ingress objects with security control

  4. Protect node metadata and endpoints

    <details><summary> Using Kubernetes network policy to restrict pods access to cloud metadata </summary>
    • This example assumes AWS cloud, and metadata IP address is 169.254.169.254 should be blocked while all other external addresses are not.
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: deny-only-cloud-metadata-access
    spec:
      podSelector: {}
      policyTypes:
      - Egress
      egress:
      - to:
        - ipBlock:
          cidr: 0.0.0.0/0
          except:
          - 169.254.169.254/32
    
    </details>
  5. Minimize use of, and access to, GUI elements

  6. Verify platform binaries before deploying

    <details><summary> :clipboard: Kubernetes binaries can be verified by their digest **sha512 hash** </summary>
    • Checking the Kubernetes release page for the specific release
    • Checking the change log for the images and their digests
    </details>

Cluster Hardening - 15%

  1. Restrict access to Kubernetes API
  1. Use Role-Based Access Controls to minimize exposure

  2. Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones

    <details><summary> :clipboard: Opt out of automounting API credentials for a service account </summary>

    Opt out at service account scope

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: build-robot
    automountServiceAccountToken: false
    

    Opt out at pod scope

    apiVersion: v1
    kind: Pod
    metadata:
      name: cks-pod
    spec:
      serviceAccountName: default
      automountServiceAccountToken: false
    
    </details>
  3. Update Kubernetes frequently

System Hardening - 15%

  1. Minimize host OS footprint (reduce attack surface)

    <details><summary> :clipboard: :confused: Reduce host attack surface </summary> </details>
  2. Minimize IAM roles

  3. Minimize external access to the network

    <details><summary> :clipboard: :confused: if it means deny external traffic to outside the cluster?!! </summary>
    • not tested, however, the thinking is that all pods can talk to all pods in all name spaces but not to the outside of the cluster!!!
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: deny-external-egress
    spec:
      podSelector: {}
      policyTypes:
      - Egress
      egress:
        to:
        - namespaceSelector: {}
    
    </details>
  4. Appropriately use kernel hardening tools such as AppArmor, seccomp

Minimize Microservice Vulnerabilities - 20%

  1. Setup appropriate OS-level security domains e.g. using PSA, OPA, security contexts
  2. Manage kubernetes secrets
  3. Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers)
  4. Implement pod to pod encryption by use of mTLS

Supply Chain Security - 20%

  1. Minimize base image footprint

    <details><summary> :clipboard: Minimize base Image </summary> </details>
  2. Secure your supply chain: whitelist allowed image registries, sign and validate images

  1. Use static analysis of user workloads (e.g. kubernetes resources, docker files)
  2. Scan images for known vulnerabilities

Monitoring, Logging and Runtime Security - 20%

  1. Perform behavioural analytics of syscall process and file activities at the host and container level to detect malicious activities

  2. Detect threats within a physical infrastructure, apps, networks, data, users and workloads

  3. Detect all phases of attack regardless where it occurs and how it spreads

    <details><summary> :clipboard: Attack Phases </summary> </details>
  4. Perform deep analytical investigation and identification of bad actors within the environment

  5. Ensure immutability of containers at runtime

  6. Use Audit Logs to monitor access

<hr style="border:3px solid blue"> </hr>

Extra helpful material

Slack

  1. Kubernetes Community - #cks-exam-prep
  2. Kubernauts Community - #cks
  3. Saiyam's Pathak OpenSource Discord #CKS channel

Twitch

  1. KubeNativeSecurity twitch stream Talk Shows & Podcasts

Books

  1. Aqua Security Liz Rice:Free Container Security Book
  2. Learn Kubernetes security: Securely orchestrate, scale, and manage your microservices in Kubernetes deployments
  3. Let's Learn CKS Scenarios

Youtube Videos

  1. Killer Shell: Kubernetes CKS Full Course Theory + Practice + Browser Scenarios
  2. Google/Ian Lewis: Kubernetes security best practices
  3. Code in Action for the book Learn Kubernetes Security playlist
  4. Kubernetes security concepts and demos
  5. Webinar | Certified Kubernetes Security Specialist (CKS), January 2022

Containers and Kubernetes Security Training

  1. Killer.sh CKS practice exam - use code walidshaari for 20% discount.
  2. UDEMY Kim Wüstkamp's Kubernetes CKS 2021 Complete Course with killer.sh Simulator (discounted price)
  3. Linux Foundation Kubernetes Security essentials LFS 260
  4. Mumshad's KodeCloud "Certified Kubernetes Security Specialist" CKS and training and labs
  5. Linux Academy/ACloudGuru Kubernetes security
  6. Zeal Vora's Udemy Certified Kubernetes Security Specialist 2021 - Link includes a discount till 28th January 2021
  7. Cloud native security defending containers and kubernetes
  8. Tutorial: Getting Started With Cloud-Native Security - Liz Rice, Aqua Security & Michael Hausenblas
  9. K21 academy CKS step by step activity hands-on-lab activity guide
  10. Andrew Martin Control Plane Security training
  11. Free Exam simulators from killer.sh available with CKS certification from Linux Foundation
  12. Sysdig Falco 101
  13. Killercoda in-browser CKS Playground and Challenges - FREE

Other CKS related repos

  1. Stackrox CKS study guide - Brief and informative study guide from Stackrox @mfosterrox
  2. Kim's CKS Challenge series - also posted on medium @ https://wuestkamp.medium.com/
  3. Abdennour
  4. Ibrahim Jelliti
  5. Viktor Vedmich
  6. Kubernetes Security Checklist and Requirements
  7. CKS Exam series