/Certified-Kubernetes-Security-Specialist

Online resources that will help you prepare for taking the CNCF/Linux Foundation CKS 2020 "Kubernetes Certified Security Specialist" Certification exam. with time, This is not likely the comprehensive up to date list - please make a pull request if there something that should be added here.

Creative Commons Attribution Share Alike 4.0 InternationalCC-BY-SA-4.0

License: CC BY-SA 4.0 PRs Welcome

Certified Kubernetes Security Specialist - CKS

Online curated resources that will help you prepare for taking the Kubernetes Certified Kubernetes Security Specialist CKS Certification exam.

  • Please raise an issue, or make a pull request for fixes, new additions, or updates.

I will try to restrict the cross references of resources primarly to kubernetes.io as CNCF/Linux Foundation exam rules allows you search kubernetes.io/{docs|blog} and kubernetes github repo only. Youtube videos and other third party resources e.g. blogs will be provided as an optional complimentary material and any 3rd party material not allowed in the exam will be designated with 🚩 in the curriculum sections below.

Ensure you have the right version of Kubernetes documentation selected (e.g. v1.19 as of 17th Nov GA announcement) especially for API objects and annotations, however for third party tools, you might find that you can still find references for them in old releases and blogs e.g. falco install.

  • Icons/emoji legend
    • 📋 Expand to see more content
    • 😕 Verify, not best resource yet
    • 🔵 Good overall refence, can be used in the exam
    • 🚩 External third-party resource, can not be used during exam
    • 📝 ToDo, item that needs further checking(todo list for future research/commits)

Exam Objectives

These are the exam objectives you review and understand in order to pass the test.

CKS repo topics overview

Extra helpful material


Cluster Setup - 10%

🔵 Securing a Cluster

  1. Use Network security policies to restrict cluster level access

  2. 🚩 Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)

  3. Properly set up Ingress objects with security control

  4. Protect node metadata and endpoints

  5. Minimize use of, and access to, GUI elements

  6. Verify platform binaries before deploying

    📋 Kubernetes binaries can be verified by their digest **sha512 hash**
    • checking the Kubernetes release page for the specific release

Cluster Hardening - 15%

  1. Restrict access to Kubernetes API

  2. Use Role-Based Access Controls to minimize exposure

  3. Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones

    📋 opt out of automounting API credentials for a service account

    service account scope

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: build-robot
    automountServiceAccountToken: false

    pod scope

    apiVersion: v1
    kind: Pod
    metadata:
      name: cks-pod
    spec:
      serviceAccountName: default
      automountServiceAccountToken: false
  4. Update Kubernetes frequently

System Hardening - 15%

  1. Minimize host OS footprint (reduce attack surface)

    📋 😕 Reduce host attack surface
  2. Minimize IAM roles

  3. Minimize external access to the network

    📋 😕 if it means deny external traffic to outside the cluster?!!
    • not tested, however, the thinking is that all pods can talk to all pods in all name spaces but not to the outside of the cluster!!!
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: deny-external-egress
    spec:
      podSelector: {}
      policyTypes:
      - Egress
      egress:
        to:
        - namespaceSelector: {}
  4. Appropriately use kernel hardening tools such as AppArmor, seccomp

Minimize Microservice Vulnerabilities - 20%

  1. Setup appropriate OS-level security domains e.g. using PSP, OPA, security contexts
  2. Manage kubernetes secrets
  3. Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers)
  4. Implement pod to pod encryption by use of mTLS
  • 📝 check if service mesh is part of the CKS exam

Supply Chain Security - 20%

  1. Minimize base image footprint

    📋 minimize base Image
  2. Secure your supply chain: whitelist allowed image registries, sign and validate images

  3. Use static analysis of user workloads (e.g. kubernetes resources, docker files)

  4. Scan images for known vulnerabilities

Monitoring, Logging and Runtime Security - 20%

  1. Perform behavioural analytics of syscall process and file activities at the host and container level to detect malicious activities
  1. Detect threats within a physical infrastructure, apps, networks, data, users and workloads

  2. Detect all phases of attack regardless where it occurs and how it spreads

    📋 Attack Phases
  3. Perform deep analytical investigation and identification of bad actors within the environment

  1. Ensure immutability of containers at runtime
  2. Use Audit Logs to monitor access

Extra helpful material

Slack

  1. Kubernetes Community - #cks-exam-prep
  2. Kubernauts Community #cks

Books

  1. Aqua Security Liz Rice:Free Container Security Book
  2. Learn Kubernetes security: Securely orchestrate, scale, and manage your microservices in Kubernetes deployments

Youtube Videos

  1. Google/Ian Lewis: Kubernetes security best practices
  2. Code in Action for the book Learn Kubernetes Security playlist
  3. Kubernetes security concepts and demos
  4. How to Train your Red Team (for Cloud-Native) - Andrew Martin, ControPlane
  5. InGuardians/Jay Beale: Kubernetes Practical attacks and defences\
  • Webinars
    • AquaSec webiners collection - Webinars and videos presented by leading industry experts covering Microservices, Container & Serverless security, Kubernetes, DevSecOps, and everything related to the most disruptive area in IT.

Containers and Kubernetes Security Training

  1. Killer.sh CKS practice exam ⟹ use code walidshaari for 20% discount
  2. Udemy Kubernetes CKS 2020 Complete Course and Simulator
  3. Linux Foundation Kubernetes Security essentials LFS 260
  4. Linux Academy/ACloudGuru Kubernetes security
  5. Cloud native security defending containers and kubernetes
  6. Tutorial: Getting Started With Cloud-Native Security - Liz Rice, Aqua Security & Michael Hausenblas
  7. K21 academy CKS step by step activity hands-on-lab activity guide
  8. Andrew Martin Attacking and Defending Cloud Native Infrastructure
  9. Andrew Martin Control Plane Security training

Extra Kubernetes security resources

  1. Kubernetes-security.info
  2. Aquasecurity Blogs
  3. Control-plane/Andrew Martin @sublimino: 11 ways not to get hacked
  4. Securekubernetes
  5. Simulator: A distributed systems and infrastructure simulator for attacking and debugging Kubernetes

CVEs

  1. CNCF Kubernetes Security Anatomy and the Recently Disclosed CVEs (CVE-2020-8555, CVE-2020-8552)
  2. Kubernetes Vulnerability Puts Clusters at Risk of Takeover (CVE-2020-8558)

Other CKS related repos

  1. Stackrox CKS study guide
  2. Viktor Vedmich - CKS resources
  3. Abdennour - CKS resources
  4. Ibrahim Jelliti - CKS resources
  5. Madhu Akula's Kubernetes Goat - vulnerable cluster environment to learn and practice Kubernetes security.
  6. Kubernetes Capture the Flag vagrant environment - was hosted online on http://k8s-ctf.rocks/