Skip to content

Latest commit

 

History

History
83 lines (60 loc) · 4.15 KB

README-cks.md

File metadata and controls

83 lines (60 loc) · 4.15 KB

Certified Kubernetes Security Specialist (CKS)

Coming soon November 2020

Online resources that will help you prepare for taking the Kubernetes Certified Kubernetes Security Specialist Certification exam.

Disclaimer: This is not likely a comprehensive list as the exam is not out yet, most likely will be a moving target with the fast pace of k8s development

  • please make a pull request if there something wrong or that should be added, or updated in here.

I will try to restrict the cross references of resources to kubernetes.io as CNCF/Linux Foundation allows you search k8s.io. Youtube videos and other resources e.g. blogs will be optional. Content is scarse, will get updates by me and other contributors as we prepare for the CKS exam journey.

Ensure you have the right version of Kubernetes documentation selected (e.g. v1.19 as of 15th July announcement) especially for API objects and annotations.

Exam Objectives

These are the exam objectives you review and understand in order to pass the test.

10% - Cluster Setup

  1. Use Network security policies to restrict cluster level access
  2. Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
  3. Properly set up Ingress objects with security control
  4. Protect node metadata and endpoints
  5. Minimize use of, and access to, GUI elements
  6. Verify platform binaries before deploying

15% - Cluster Hardening

  1. Restrict access to Kubernetes API
  2. Use Role Based Access Controls to minimize exposure
  3. Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones
  4. Update Kubernetes frequently
  5. Minimize host OS footprint (reduce attack surface)
  6. Minimize IAM roles
  7. Minimize external access to the network
  8. Appropriately use kernel hardening tools such as AppArmor, seccomp

15% System Hardening

  1. Minimize host OS footprint (reduce attack surface)

  2. Minimize IAM roles

  3. Minimize external access to the network

  4. Appropriately use kernel hardening tools such as AppArmor, seccomp

    !? where is selinux? assume exam systems are ubuntu

20% - Minimize Microservice Vulnerabilities

  1. Setup appropriate OS level security domains e.g. using PSP, OPA, security contexts
  2. Manage kubernetes secrets
  3. Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers)
  4. Implement pod to pod encryption by use of mTLS

20% - Supply Chain Security

  1. Minimize base image footprint
  2. Secure your supply chain: whitelist allowed image registries, sign and validate images
  3. Use static analysis of user workloads (e.g. kubernetes resources, docker files)
  4. Scan images for known vulnerabilities

20% - Monitoring, Logging and Runtime Security

  1. Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities
  2. Detect threats within physical infrastructure, apps, networks, data, users and workloads
  3. Detect all phases of attack regardless where it occurs and how it spreads
  4. Perform deep analytical investigation and identification of bad actors within environment
  5. Ensure immutability of containers at runtime
  6. Use Audit Logs to monitor access

Extra Kubernetes security resources

  1. Aquasecurity Blogs
  2. control-plane/Andrew Martin @sublimino: 11 ways not to get hacked
  3. InGuardians/Jay Beale: Kubernetes Practical attacks and defenses
  4. Google/Ian Lewis : Kubernetes security best practices

CVEs

  1. CNCF Kubernetes Security Anatomy and the Recently Disclosed CVEs (CVE-2020-8555, CVE-2020-8552)