Online curated resources that will help you prepare for taking the Kubernetes Certified Kubernetes Security Specialist CKS Certification exam.

• Please raise an issue, or make a pull request for fixes, new additions, or updates.

I will try to restrict the cross references of resources primarly to kubernetes.io as CNCF/Linux Foundation exam rules allows you search kubernetes.io/{docs|blog} and kubernetes github repo only. Youtube videos and other third party resources e.g. blogs will be provided as an optional complimentary material and any 3rd party material not allowed in the exam will be designated with 🚩 in the curriculum sections below.

Ensure you have the right version of Kubernetes documentation selected (e.g. v1.19 as of 17th Nov GA announcement) especially for API objects and annotations, however for third party tools, you might find that you can still find references for them in old releases and blogs e.g. Falco install.

• Icons/emoji legend
  • 📋 Expand to see more content
  • 😕 Verify, not best resource yet
  • 🔵 Good overall refence, can be used in the exam
  • 🚩 External third-party resource, can not be used during exam
  • 📝 ToDo, item that needs further checking(todo list for future research/commits)

Offical exam objectives you review and understand in order to pass the test.

• CNCF Exam Curriculum repository

• Duration : two (2) hours

• Number of questions: 15-20 hands-on performance based tasks

• Passing score: 67%

• Certification validity: two (2) years

• Prerequisite: valid CKA

• Cost: $300 USD, One (1) year exam eligibility, with a free retake within the year.

  Linux Foundation offer several discounts around the year e.g. CyberMonday, Kubecon attendees among other special holidays/events

• URLs allowed in the extra single tab:

  • From Chrome or Chromium browser to open one additional tab in order to access Kubernetes Documentation:
    • https://kubernetes.io/docs/ and their subdomains
    • https://github.com/kubernetes/ and their subdomains
    • https://kubernetes.io/blog/ and their subdomains

  This includes all available language translations of these pages (e.g. https://kubernetes.io/zh/docs/)

  • Tools:
    • Trivy documentation https://github.com/aquasecurity/trivy
    • Sysdig documentation https://docs.sysdig.com/
    • Falco documentation https://falco.org/docs/
    • App Armor: Documentation https://gitlab.com/apparmor/apparmor/-/wikis/Documentation

• Cluster Setup - 10%
• Cluster Hardening - 15%
• System Hardening - 15%
• Minimize Microservice Vulnerabilities - 20%
• Supply Chain Security - 20%
• Monitoring, Logging and Runtime Security - 20%

• Slack
• Books
• Youtube Videos
• Webinars
• Containers and Kubernetes Security Training
• Extra Kubernetes security resources

🔵 Securing a Cluster

1. Use Network security policies to restrict cluster level access

2. 🚩 Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)

3. Properly set up Ingress objects with security control

4. Protect node metadata and endpoints

5. Minimize use of, and access to, GUI elements

6. Verify platform binaries before deploying

   📋 Kubernetes binaries can be verified by their digest **sha512 hash**

   • checking the Kubernetes release page for the specific release
     • checking the change log for the images and their digests

1. Restrict access to Kubernetes API

2. Use Role-Based Access Controls to minimize exposure

   • 🚩 handy site collects together articles, tools and the official documentation all in one place

3. Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones

   📋 opt out of automounting API credentials for a service account

   service account scope

   apiVersion: v1
   kind: ServiceAccount
   metadata:
     name: build-robot
   automountServiceAccountToken: false

   pod scope

   apiVersion: v1
   kind: Pod
   metadata:
     name: cks-pod
   spec:
     serviceAccountName: default
     automountServiceAccountToken: false

4. Update Kubernetes frequently

1. Minimize host OS footprint (reduce attack surface)

   📋 😕 Reduce host attack surface

   • seccomp which stands for secure computing was originally intended as a means of safely running untrusted compute-bound programs
   • AppArmor can be configured for any application to reduce its potential host attack surface and provide greater in-depth defense.
   • PSP pod security policy enforces
   • apply host updates
   • Install minimal required OS fingerprint
   • Protect access to data with permissions
     • Restirct allowed hostpaths

2. Minimize IAM roles

   • 😕 Access authentication and authorization

3. Minimize external access to the network

   📋 😕 if it means deny external traffic to outside the cluster?!!

   • not tested, however, the thinking is that all pods can talk to all pods in all name spaces but not to the outside of the cluster!!!

   apiVersion: networking.k8s.io/v1
   kind: NetworkPolicy
   metadata:
     name: deny-external-egress
   spec:
     podSelector: {}
     policyTypes:
     - Egress
     egress:
       to:
       - namespaceSelector: {}

4. Appropriately use kernel hardening tools such as AppArmor, seccomp

   • AppArmor
   • Seccomp

1. Setup appropriate OS-level security domains e.g. using PSP, OPA, security contexts
   • Pod Security Policies
   • Open Policy Agent
   • Security Contexts
2. Manage kubernetes secrets
3. Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers)
4. Implement pod to pod encryption by use of mTLS

• 📝 check if service mesh is part of the CKS exam

1. Minimize base image footprint

   📋 minimize base Image

   • Use distroless, UBI minimal, Alpine, or relavent to your app nodejs, python but the minimal build.
   • Do not include uncessary software not required for container during runtime
     • e.g build tools and utilities, troubleshooting and debug binaries.
       • 🚩 Learnk8s smaller docker images blog
       • 🚩 GKE 7 best practices for building containers

2. Secure your supply chain: whitelist allowed image registries, sign and validate images

3. Use static analysis of user workloads (e.g. kubernetes resources, docker files)

4. Scan images for known vulnerabilities

   • Aqua security Trivy
   • 🚩 Anchore command line scans

1. Perform behavioural analytics of syscall process and file activities at the host and container level to detect malicious activities

   • Falco installation guide
   • 🚩 Falco Helm Chart
   • 🚩 Falco Kubernetes manifests
   • 🚩 Detect CVE-2020-8557 using Falco

2. Detect threats within a physical infrastructure, apps, networks, data, users and workloads

3. Detect all phases of attack regardless where it occurs and how it spreads

   📋 Attack Phases

   • 🚩Kubernetes attack martix Microsoft blog
   • 🚩 MITRE attack framwork using Falco
   • 🚩 Lightboard video: Kubernetes attack matrix - 3 steps to mitigating the MITRE ATT&CK Techniques
   • 🚩 CNCF Webinar: Mitigating Kubernetes attacks

4. Perform deep analytical investigation and identification of bad actors within the environment

   • Sysdig documentation
   • Monitoring Kubernetes with sysdig
   • 🚩CNCF Webinar: Getting started with container runtime security using Falco

5. Ensure immutability of containers at runtime

6. Use Audit Logs to monitor access

1. Kubernetes Community - #cks-exam-prep
2. Kubernauts Community - #cks

1. Aqua Security Liz Rice:Free Container Security Book
2. Learn Kubernetes security: Securely orchestrate, scale, and manage your microservices in Kubernetes deployments

1. Google/Ian Lewis: Kubernetes security best practices
2. Code in Action for the book Learn Kubernetes Security playlist
3. Kubernetes security concepts and demos

1. Killer.sh CKS practice exam ⟹ use code walidshaari for 20% discount
2. Udemy Kubernetes CKS 2020 Complete Course and killer.sh Simulator - Special discount code CKS-KILLER-SHELL valid till 3rd Dec 2020
3. Linux Foundation Kubernetes Security essentials LFS 260 - available January 8, 2021.
4. Linux Academy/ACloudGuru Kubernetes security
5. Cloud native security defending containers and kubernetes
6. Tutorial: Getting Started With Cloud-Native Security - Liz Rice, Aqua Security & Michael Hausenblas
   • hands-on tutorial
7. K21 academy CKS step by step activity hands-on-lab activity guide
8. Andrew Martin Control Plane Security training

1. Stackrox CKS study guide - Brief and informative study guide from Stackrox @mfosterrox
2. Abdennour - CKS repository
3. Ibrahim Jelliti - CKS repository
4. Viktor Vedmich - CKS repository