These are notes from the Certified Kubernetes Security Specialist (CKS) course hosted on KodeKloud.

03-Cluster-Setup-and-Hardening
- 01-Section-Introduction
- 02-What-are-CIS-Benchmarks
- 03-Lab-Run-CIS-Benchmark-Assessment-tool-on-Ubuntu
- 04-CIS-benchmark-for-Kubernetes
- 05-Kube-bench
- 06-Lab-Kube-bench
- 07-Kubernetes-Security-Primitives
- 08-Authentication
- 09-Service-Accounts
- 10-Lab-Service-Accounts
- 11-TLS-Introduction
- 12-TLS-Basics
- 13-TLS-in-Kubernetes
- 14-TLS-in-Kubernetes-Certificate-Creation
- 15-View-Certificate-Details
- 16-Labs-View-Certificates
- 17-Certificates-API
- 18-Labs-Certificates-API
- 19-KubeConfig
- 20-Labs-KubeConfig
- 21-API-Groups
- 22-Authorization
- 23-RBAC
- 24-Labs-RBAC
- 25-Cluster-Roles-and-Role-Bindings
- 26-Labs-Cluster-Roles-and-Role-Bindings
- 27-Kubelet-Security
- 28-Labs-Kubelet-Security
- 29-Kubectl-Proxy-Port-Forward
- 30-Labs-Kubectl-Proxy-Port-Forward
- 31-Kubernetes-Dashboard
- 32-Securing-Kubernetes-Dashboard
- 33-Labs-Securing-Kubernetes-Dashboard
- 34-Verify-platform-binaries-before-deploying
- 35-Labs-Verify-platform-binaries-before-deploying
- 36-Kubernetes-Software-Versions
- 37-Cluster-Upgrade-Process
- 38-Demo-Cluster-Upgrade-Process
- 39-Labs-Cluster-Upgrade-Process
- 40-Network-Policy
- 41-Developing-Network-Policies
- 42-Labs-Developing-Network-Policies
- 43-Ingress
- 44-Labs-Ingress-1
- 45-Ingress-Annotations-and-rewrite-target
- 46-Labs-Ingress-2
- 47-Docker-Service-Configuration
- 48-Docker-Securing-the-Daemon
- 01-Section-Introduction
- 02-Least-Privilege-Principle
- 03-Minimize-host-OS-footprint-Intro
- 04-Limit-Node-Access
- 05-lab-Limit-Node-Access
- 06-SSH-Hardening
- 07-Privilege-Escalation-in-Linux
- 08-Lab-SSH-Hardening-and-sudo
- 09-Remove-Obsolete-Packages-and-Services
- 10-Restrict-Kernel-Modules
- 11-Identify-and-Disable-Open-Ports
- 12-Lab-Identify-open-ports,-remove-packages-services
- 13-Minimize-IAM-roles
- 14-Minimize-external-access-to-the-network
- 15-UFW-Firewall-Basics
- 16-Lab-UFW-Firewall-Basics
- 17-Linux-Syscalls
- 18-AquaSecTracee
- 19-Restrict-syscalls-using-seccomp
- 20-Implement-Seccomp-in-Kubernetes
- 21-Lab-Seccomp
- 22-AppArmor
- 23-Creating-AppArmor-Profiles
- 24-AppArmor-in-Kubernetes
- 25-Linux-Capabilities
- 26-Lab-AppArmor
05-Minimize-Microservice-Vulnerabilities
- 01-Section-Introduction
- 02-Security-Contexts
- 03-Labs-Security-Contexts
- 04-Admission-Controllers
- 05-Labs-Admission-Controllers
- 06-Validating-and-Mutating-Admission-Controllers
- 07-Labs-Validating-and-Mutating-Admission-Controllers
- 08-Pod-Security-Policies
- 09-Labs-PSP
- 10-Open-Policy-Agent-(OPA)
- 11-Labs-OPA
- 12-OPA-in-Kubernetes
- 13-Labs-OPA-in-Kubernetes
- 14-OPA-Gatekeeper-in-Kubernetes
- 15-Manage-Kubernetes-secrets
- 16-Lab-Manage-Kubernetes-secrets
- 17-Container-Sandboxing
- 18-gVisor
- 19-kata-Containers
- 20-Runtime-Classes
- 21-Using-Runtimes-in-Kubernetes
- 22-Lab-Using-Runtimes-in-Kubernetes
- 23-One-way-SSL-vs-Mutual-SSL
- 24-Implement-pod-to-pod-encryption-by-use-of-mTLS
- 25-Labs-mTLS-with-Istio
- 01-Section-Introduction
- 02-Minimize-base-image-footprint
- 03-Image-Security
- 04-Labs-Image-Security
- 05-Whitelist-Allowed-Registries-Image-Policy-Webhook
- 06-Labs-Whitelist-Allowed-Registries-ImagePolicyWebhook
- 07-Use-static-analysis-of-user-workloads
- 08-Labs-kubesec
- 09-Scan-images-for-known-vulnerabilities-(Trivy)
- 10-Labs-Trivy
07-Monitoring,-Logging-and-Runtime-Security
- 01-Section-Introduction
- 02-Perform-behavioral-analytics-of-syscall-process
- 03-Falco-Overview-and-Installation
- 04-Use-Falco-to-Detect-Threats
- 05-Falco-Configuration-Files
- 06-Labs-Use-Falco-to-detect-threats
- 07-Mutable-vs-Immutable-Infrastructure
- 08-Ensure-Immutability-of-Containers-at-Runtime
- 09-Lab-Ensure-Immutability-of-Containers-at-Runtime
- 10-Use-Audit-Logs-to-monitor-access
- 11-Labs-Use-Audit-Logs-to-monitor-access