Certified Kubernetes Security Specialist Study Guide

CKS Overview

The CKS is the third Kubernetes based certification backed by the Cloud Native Computing Foundation (CNCF). CKS will join the existing Certified Kubernetes Administrator (CKA) and Certified Kubernetes Application Developer (CKAD) programs. All three certifications are online, proctored, performance-based exams that will require solving multiple Kubernetes security tasks from the command line. With the massive investment into Kubernetes over the last five years, these certifications continue to be highly sought after by many seeking out technical knowledge about Kubernetes.

This repository contains resources to build a Kubernetes cluster, and example questions and answers based on the Certified Kubernetes Security Specialist (CKS) exam curriculum.

Repository Structure

study_guide/
└ cluster_setup/
  └ Makefile
  └ gcp   -> Create a 1.19 cluster in GCP with RKE.
  └ aws   (coming soon)
  └ azure (coming soon)
└ img/
  └ all_images_used
└ walkthrough/
  └ p0_intro/
  └ p1_cluster_setup /
  └ p2_cluster_hardening/
  └ p3_system_hardening/
  └ p4_minimizing_vulnerabilities/
  └ p5_supply_chain_security/
  └ p6_monitoring_logging_runtime_security/
└ LICENSE
└ README.md

Outline

The CKS test will be online, proctored and performance-based, and candidates have 2 hours to complete the exam tasks. This information is currently based on the Linux Foundations release of the CKS outline.

From the CKS Exam Curriculum repository, The exam will test domains and competencies including:

Exam News and Overview

-> CNCF CKS Overview

KubeCon Announcement and Preparation Tips

-> KubeCon Announcement and Linux Foundation Update

Curriculum

Below is the CKS curriculum broken down by its six sections. Each section has its own folder in the repository, where you can walk through individual questions relating to their respective topic. Each section in the curriculum overview also contains external resources that you may find useful in your studying journey,

Cluster Setup - 10%

Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
Verify platform binaries before deploying
Protect node metadata and endpoints
Use Network security policies to restrict cluster level access
Properly set up Ingress objects with security control
Minimize use of, and access to, GUI elements

Cluster Hardening - 15%

Restrict access to Kubernetes API
Use Role Based Access Controls to minimize exposure
Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones

System Hardening - 15%

Minimize host OS footprint (reduce attack surface)
Minimize IAM roles
Minimize external access to the network
Appropriately use kernel hardening tools such as AppArmor, seccomp

Minimize Microservice Vulnerabilities - 20%

Setup appropriate OS level security domains e.g. using PSP, OPA, security contexts
Manage Kubernetes secrets
Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers)
Implement pod to pod encryption by use of mTLS

Supply Chain Security - 20%

Minimize base image footprint
Secure your supply chain: whitelist allowed image registries, sign and validate images
Use static analysis of user workloads (e.g. kubernetes resources, docker files)
Scan images for known vulnerabilities

Monitoring, Logging and Runtime Security - 20%

Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities
Detect threats within physical infrastructure, apps, networks, data, users and workloads
Detect all phases of attack regardless where it occurs and how it spreads
Perform deep analytical investigation and identification of bad actors within environment
Ensure immutability of containers at runtime
Use Audit Logs to monitor access

Extra Resources