CKS Exam Preparation

Intro

In order to take the CKS exam, you must have Valid CKA certification to demonstrate you possess sufficient Kubernetes expertise. If you do not have passed CKA exam, here you find my learn path for that: CKALearn As firt to understand are you for that exam or not plese try to do that tas: Securing a Cluster of the official K8s documentation.

Usefull courses

General security-related docs

Cirriclium Topics

Cluster Setup – 10%

Use Network security policies to restrict cluster level access

3rd Party:
  • Notes:

    podSelector: This selects particular Pods in the same namespace as the NetworkPolicy which should be allowed as ingress sources or egress destinations.

Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)

3rd Party:

Properly set up Ingress objects with security control

Protect node metadata and endpoints

  3rd Party:
  • Notes:

    egress:
    - to:
      - ipBlock:
          cidr: 0.0.0.0/0
          except:
          - 169.254.169.254/32

Minimize use of, and access to, GUI elements

  3rd Party:

Verify platform binaries before deploying

  3rd Party:

Cluster Hardening – 15%

Main doc (and beyond): https://kubernetes.io/docs/reference/access-authn-authz/

  3rd Party:

Restrict access to Kubernetes API

  3rd Party:

Use Role Based Access Controls to minimize exposure

  3rd Party:

Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones

  3rd Party:

Update Kubernetes frequently

System Hardening – 15%

Minimize host OS footprint (reduce attack surface)

  3rd Party:

Minimize IAM roles

  3rd Party:

Minimize external access to the network

  3rd Party:

Appropriately use kernel hardening tools such as AppArmor, seccomp

Minimize Microservice Vulnerabilities – 20%

Setup appropriate OS level security domains e.g. using PSP, OPA, security contexts

  3rd Party:

Manage Kubernetes secrets

  3rd Party:

Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers)

  3rd Party:

Implement pod to pod encryption by use of mTLS

  3rd Party:

Supply Chain Security – 20%

Minimize base image footprint

  3rd Party:

Secure your supply chain: whitelist allowed registries, sign and validate images

  3rd Party:

Use static analysis of user workloads (e.g.Kubernetes resources, Docker files)

  3rd Party:

Scan images for known vulnerabilities

  3rd Party:

Monitoring, Logging and Runtime Security – 20%

Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities

  3rd Party:

Detect threats within physical infrastructure, apps, networks, data, users and workloads

  3rd Party:

Detect all phases of attack regardless where it occurs and how it spreads

  3rd Party:

Perform deep analytical investigation and identification of bad actors within environment

  3rd Party:

Ensure immutability of containers at runtime

  3rd Party:

Use Audit Logs to monitor access

  3rd Party:

Uncategorized and questions

Related links