Shashanksr6694 / CKSS-Certified-Kubernetes-Security-Specialist

This repository is a collection of resources to prepare for the Certified Kubernetes Security Specialist (CKSS) exam.


Certified Kubernetes Security Specialist - CKSS


The given references and links below are just assumptions and ideas around the CKSS curriculum.

Coming in November

Earlier this year the CNCF announced an upcoming Certified Kubernetes Security Specialist (CKS) certification exam. This new certification is for those who have passed the CKA exam and want third-party validation of their working knowledge of container security.

From the announcement of the CNCF the CKS is described as:

CKS is similar in format to CKA and will consist of a performance-based certification exam – testing competence across best practices for securing container-based applications and Kubernetes platforms during build, deployment, and runtime.

The certification is expected to be generally available before the KubeCon + CloudNativeCon North America Virtual event taking place November 17-20.

CKS Outline

The CKS test will be online, proctored and performance-based, and candidates have 2 hours to complete the exam tasks.

From the CKS Exam Curriculum repository, the exam will test domains and competencies including:

  1. Cluster Setup (10%): Best-practice configuration to control the environment's access, rights and platform conformity.
  2. Cluster Hardening (15%): Protect the K8s API and utilize RBAC.
  3. System Hardening (15%): Improve the security of the OS and network; restrict access through IAM.
  4. Minimize Microservice Vulnerabilities (20%): Utilize the various K8s mechanisms to isolate, protect and control workloads.
  5. Supply Chain Security (20%): Container-oriented security, trusted resources, optimized container images, CVE scanning.
  6. Monitoring, Logging, and Runtime Security (20%): Analyse and detect threats.

CKS Exam Preparation

In order to take the CKS exam, you must hold a valid CKA certification to demonstrate that you possess sufficient Kubernetes expertise. A good first starting point for securing Kubernetes is the task section "Securing a Cluster" of the official Kubernetes documentation.

Cluster Setup (10%)

  • Use network security policies to restrict cluster-level access
  • Use the CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
  • Properly set up Ingress objects with security controls
  • Protect node metadata and endpoints
  • Minimize use of, and access to, GUI elements
  • Verify platform binaries before deploying

Cluster Hardening (15%)

  • Restrict access to the Kubernetes API
  • Use Role-Based Access Controls to minimize exposure
  • Exercise caution in using service accounts, e.g. disable defaults, minimize permissions on newly created ones
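To make the RBAC and service-account items concrete, here is an added example (written for this README, not taken from the repository): a dedicated service account with token auto-mounting disabled, a namespaced Role limited to reading pods, the binding that ties them together, and a pod that uses the account. The namespace `payments`, the account name `api-reader` and the image are assumptions.

```yaml
# Added example (not from this repository). A least-privilege service
# account for a workload that only needs to read pods in its own namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: api-reader
  namespace: payments
automountServiceAccountToken: false   # pods opt in explicitly below
---
# A Role is namespaced; nothing here grants access outside "payments".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: payments
rules:
- apiGroups: [""]           # core API group
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: api-reader-pod-reader
  namespace: payments
subjects:
- kind: ServiceAccount
  name: api-reader
  namespace: payments
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# Only this pod gets a token; other pods using the account stay token-less.
apiVersion: v1
kind: Pod
metadata:
  name: pod-lister
  namespace: payments
spec:
  serviceAccountName: api-reader
  automountServiceAccountToken: true
  containers:
  - name: app
    image: registry.example.com/payments/pod-lister:1.0   # assumed image
```

The check that belongs with this manifest is `kubectl auth can-i`, which answers from the API server's own authorizer: `kubectl auth can-i list pods -n payments --as=system:serviceaccount:payments:api-reader` should print `yes`, while `kubectl auth can-i delete pods -n payments --as=system:serviceaccount:payments:api-reader` and `kubectl auth can-i list secrets -n payments --as=system:serviceaccount:payments:api-reader` should both print `no`. The same idea applies to the `default` service account in each namespace: setting `automountServiceAccountToken: false` on it stops every pod that never asked for an identity from carrying one.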

System Hardening (15%)

  • Minimize host OS footprint (reduce attack surface)
  • Minimize IAM roles
  • Minimize external access to the network
  • Appropriately use kernel hardening tools such as AppArmor and seccomp

Minimize Microservice Vulnerabilities (20%)

  • Set up appropriate OS-level security domains, e.g. using PSP, OPA, security contexts
  • Manage Kubernetes secrets
  • Use container runtime sandboxes in multi-tenant environments (e.g. gVisor, Kata Containers)
  • Implement pod-to-pod encryption by use of mTLS

Supply Chain Security (20%)

  • Minimize base image footprint
  • Secure your supply chain: whitelist allowed image registries, sign and validate images
  • Use static analysis of user workloads (e.g. Kubernetes resources, Dockerfiles)
  • Scan images for known vulnerabilities

Monitoring, Logging and Runtime Security (20%)

  • Perform behavioral analytics of syscall, process and file activities at the host and container level to detect malicious activities
  • Detect threats within physical infrastructure, apps, networks, data, users and workloads
  • Detect all phases of an attack regardless of where it occurs and how it spreads
  • Perform deep analytical investigation and identification of bad actors within the environment
  • Ensure immutability of containers at runtime
  • Use audit logs to monitor access
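Three items from different domains above land in the same place in practice: the security contexts of "Minimize Microservice Vulnerabilities", the AppArmor and seccomp item of "System Hardening", and "Ensure immutability of containers at runtime" here. The pod below is an added example written for this README (not from the repository) that applies all of them in one manifest: it runs as an unprivileged user, forbids privilege escalation, drops every Linux capability, loads the runtime's default seccomp and AppArmor profiles, and makes the root filesystem read-only with a single writable scratch volume. The namespace, names, UID and image are assumptions; the AppArmor annotation is the beta annotation form in use in 2020.

```yaml
# Added example (not from this repository): a pod hardened with a
# security context, seccomp/AppArmor defaults and an immutable root filesystem.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-api
  namespace: payments
  annotations:
    # AppArmor profile for the container named "api" (beta annotation form).
    container.apparmor.security.beta.kubernetes.io/api: runtime/default
spec:
  automountServiceAccountToken: false   # no API credential unless needed
  securityContext:                      # pod-level defaults for every container
    runAsNonRoot: true
    runAsUser: 10001                    # assumed UID present in the image
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault              # container runtime's default syscall filter
  containers:
  - name: api
    image: registry.example.com/payments/api:1.4.2   # assumed image
    securityContext:
      allowPrivilegeEscalation: false   # blocks setuid binaries and similar
      readOnlyRootFilesystem: true      # nothing can be written to the image layers
      capabilities:
        drop: ["ALL"]                   # add back individual ones only if required
    volumeMounts:
    - name: tmp
      mountPath: /tmp                   # the only writable path
  volumes:
  - name: tmp
    emptyDir: {}
```

Verification is the point of the exercise: after the pod is running, `kubectl exec -n payments hardened-api -- touch /usr/bin/x` should fail with "Read-only file system", while writing under `/tmp` succeeds, and `kubectl exec -n payments hardened-api -- id` should report UID 10001 rather than root. If the image expects to start as root or to write to paths other than the scratch mount, the pod will fail at startup; that failure is the signal to fix the image rather than loosen the context.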

Keep Updating

  • LIVING DOCUMENT - I WILL UPDATE IT FREQUENTLY WHEN I HAVE NEW INFORMATION
  • PRs are always welcome, so star, fork and contribute
    • please make a pull request if you would like to add or update


Ibrahim Jelliti © 2020

License: MIT License