book

Certified Kubernetes Security Specialist (CKS) Study Guide

Name: Certified Kubernetes Security Specialist (CKS) Study Guide
Author: Benjamin Muschko
ISBN: 9781098132972

by Benjamin Muschko

June 2023

Intermediate to advanced

211 pages

5h 8m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Who This Book Is ForWhat You Will LearnStructure of This BookConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
1. Exam Details and Resources
Kubernetes Certification Learning PathKubernetes and Cloud Native Associate (KCNA)Kubernetes and Cloud Native Security Associate (KCSA)Certified Kubernetes Application Developer (CKAD)Certified Kubernetes Administrator (CKA)Certified Kubernetes Security Specialist (CKS)Exam ObjectivesCurriculumCluster SetupCluster HardeningSystem HardeningMinimize Microservice VulnerabilitiesSupply Chain SecurityMonitoring, Logging, and Runtime SecurityInvolved Kubernetes PrimitivesInvolved External ToolsDocumentationCandidate SkillsPracticing and Practice ExamsSummary
2. Cluster Setup
Using Network Policies to Restrict Pod-to-Pod CommunicationScenario: Attacker Gains Access to a PodObserving the Default BehaviorDenying Directional Network TrafficAllowing Fine-Grained Incoming TrafficApplying Kubernetes Component Security Best PracticesUsing kube-benchThe kube-bench Verification ResultFixing Detected Security IssuesCreating an Ingress with TLS TerminationSetting Up the Ingress BackendCreating the TLS Certificate and KeyCreating the TLS-Typed SecretCreating the IngressCalling the IngressProtecting Node Metadata and EndpointsScenario: A Compromised Pod Can Access the Metadata ServerProtecting Metadata Server Access with Network PoliciesProtecting GUI ElementsScenario: An Attacker Gains Access to the Dashboard FunctionalityInstalling the Kubernetes DashboardAccessing the Kubernetes DashboardCreating a User with Administration PrivilegesCreating a User with Restricted PrivilegesAvoiding Insecure Configuration ArgumentsVerifying Kubernetes Platform BinariesScenario: An Attacker Injected Malicious Code into BinaryVerifying a Binary Against HashSummaryExam EssentialsSample Exercises
3. Cluster Hardening
Interacting with the Kubernetes APIProcessing a RequestConnecting to the API ServerRestricting Access to the API ServerScenario: An Attacker Can Call the API Server from the InternetRestricting User PermissionsScenario: An Attacker Can Call the API Server from a Service AccountMinimizing Permissions for a Service AccountUpdating Kubernetes FrequentlyVersioning SchemeRelease CadencePerforming the Upgrade ProcessSummaryExam EssentialsSample Exercises
4. System Hardening
Minimizing the Host OS FootprintScenario: An Attacker Exploits a Package VulnerabilityDisabling ServicesRemoving Unwanted PackagesMinimizing IAM RolesScenario: An Attacker Uses Credentials to Gain File AccessUnderstanding User ManagementUnderstanding Group ManagementUnderstanding File Permissions and OwnershipMinimizing External Access to the NetworkIdentifying and Disabling Open PortsSetting Up Firewall RulesUsing Kernel Hardening ToolsUsing AppArmorUsing seccompSummaryExam EssentialsSample Exercises
5. Minimizing Microservice Vulnerabilities
Setting Appropriate OS-Level Security DomainsScenario: An Attacker Misuses root User Container AccessUnderstanding Security ContextsEnforcing the Usage of a Non-Root UserSetting a Specific User and Group IDAvoiding Privileged ContainersScenario: A Developer Doesn’t Follow Pod Security Best PracticesUnderstanding Pod Security Admission (PSA)Enforcing Pod Security Standards for a NamespaceUnderstanding Open Policy Agent (OPA) and GatekeeperInstalling GatekeeperImplementing an OPA PolicyManaging SecretsScenario: An Attacker Gains Access to the Node Running etcdAccessing etcd DataEncrypting etcd DataUnderstanding Container Runtime SandboxesScenario: An Attacker Gains Access to Another ContainerAvailable Container Runtime Sandbox ImplementationsInstalling and Configuring gVisorCreating and Using a Runtime ClassUnderstanding Pod-to-Pod Encryption with mTLSScenario: An Attacker Listens to the Communication Between Two PodsAdopting mTLS in KubernetesSummaryExam EssentialsSample Exercises
6. Supply Chain Security
Minimizing the Base Image FootprintScenario: An Attacker Exploits Container VulnerabilitiesPicking a Base Image Small in SizeUsing a Multi-Stage Approach for Building Container ImagesReducing the Number of LayersUsing Container Image Optimization ToolsSecuring the Supply ChainSigning Container ImagesScenario: An Attacker Injects Malicious Code into a Container ImageValidating Container ImagesUsing Public Image RegistriesScenario: An Attacker Uploads a Malicious Container ImageWhitelisting Allowed Image Registries with OPA GateKeeperWhitelisting Allowed Image Registries with the ImagePolicyWebhook Admission Controller PluginImplementing the Backend ApplicationConfiguring the ImagePolicyWebhook Admission Controller PluginStatic Analysis of WorkloadUsing Hadolint for Analyzing DockerfilesUsing Kubesec for Analyzing Kubernetes ManifestsScanning Images for Known VulnerabilitiesSummaryExam EssentialsSample Exercises
7. Monitoring, Logging, and Runtime Security
Performing Behavior AnalyticsScenario: A Kubernetes Administrator Can Observe Actions Taken by an AttackerUnderstanding FalcoInstalling FalcoConfiguring FalcoGenerating Events and Inspecting Falco LogsUnderstanding Falco Rule File BasicsOverriding Existing RulesEnsuring Container ImmutabilityScenario: An Attacker Installs Malicious SoftwareUsing a Distroless Container ImageConfiguring a Container with a ConfigMap or SecretConfiguring a Read-Only Container Root FilesystemUsing Audit Logs to Monitor AccessScenario: An Administrator Can Monitor Malicious Events in Real TimeUnderstanding Audit LogsCreating the Audit Policy FileConfiguring a Log BackendConfiguring a Webhook BackendSummaryExam EssentialsSample Exercises
Appendix. Answers to Review Questions
Chapter 2, “Cluster Setup”Chapter 3, “Cluster Hardening”Chapter 4, “System Hardening”Chapter 5, “Minimize Microservice Vulnerabilities”Chapter 6, “Supply Chain Security”Chapter 7, “Monitoring, Logging, and Runtime Security”
Index

About the Author

Overview

Exclusively on O'Reilly: Get more hands-on training and test your CKS exam readiness by working through the Certified Kubernetes Security Specialist (CKS) Exam Prep Labs playlist. This collection of interactive labs provides hands-on training that enhances the exam prep provided by this study guide.

Vulnerabilities in software and IT infrastructure pose a major threat to organizations. In response, the Cloud Native Computing Foundation (CNCF) developed the Certified Kubernetes Security Specialist (CKS) certification to verify an administrator's proficiency to protect Kubernetes clusters and the cloud native software they contain. This practical book helps you fully prepare for the certification exam by walking you through all of the topics covered.

Different from typical multiple-choice formats used by other certifications, this performance-based exam requires deep knowledge of the tasks it covers under intense time pressure. If you want to pass the CKS exam on the first go, author Benjamin Muschko shares his personal experience to help you learn the objectives, abilities, and tips and tricks you need to pass on the first attempt.

Identify, mitigate, and/or minimize threats to cloud native applications and Kubernetes clusters
Learn the ins and outs of Kubernetes's security features, and external tools for security detection and mitigation purposes
Demonstrate competency to perform the responsibilities of a Kubernetes administrator or application developer with a security viewpoint
Solve real-world Kubernetes problems in a hands-on, command-line environment
Effectively navigate and solve questions during the CKS exam

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Certified Kubernetes Security Specialist (CKS) Course

Publisher Resources

ISBN: 9781098132965Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills