book

Certified Kubernetes Security Specialist (CKS) Study Guide

by Benjamin Muschko

June 2023

Intermediate to advanced

211 pages

5h 8m

English

O'Reilly Media, Inc.

Book available

Read now

Unlock full access

Who This Book Is ForWhat You Will LearnStructure of This BookConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
Kubernetes Certification Learning PathKubernetes and Cloud Native Associate (KCNA)Kubernetes and Cloud Native Security Associate (KCSA)Certified Kubernetes Application Developer (CKAD)Certified Kubernetes Administrator (CKA)Certified Kubernetes Security Specialist (CKS)Exam ObjectivesCurriculumCluster SetupCluster HardeningSystem HardeningMinimize Microservice VulnerabilitiesSupply Chain SecurityMonitoring, Logging, and Runtime SecurityInvolved Kubernetes PrimitivesInvolved External ToolsDocumentationCandidate SkillsPracticing and Practice ExamsSummary
Using Network Policies to Restrict Pod-to-Pod CommunicationScenario: Attacker Gains Access to a PodObserving the Default BehaviorDenying Directional Network TrafficAllowing Fine-Grained Incoming TrafficApplying Kubernetes Component Security Best PracticesUsing kube-benchThe kube-bench Verification ResultFixing Detected Security IssuesCreating an Ingress with TLS TerminationSetting Up the Ingress BackendCreating the TLS Certificate and KeyCreating the TLS-Typed SecretCreating the IngressCalling the IngressProtecting Node Metadata and EndpointsScenario: A Compromised Pod Can Access the Metadata ServerProtecting Metadata Server Access with Network PoliciesProtecting GUI ElementsScenario: An Attacker Gains Access to the Dashboard FunctionalityInstalling the Kubernetes DashboardAccessing the Kubernetes DashboardCreating a User with Administration PrivilegesCreating a User with Restricted PrivilegesAvoiding Insecure Configuration ArgumentsVerifying Kubernetes Platform BinariesScenario: An Attacker Injected Malicious Code into BinaryVerifying a Binary Against HashSummaryExam EssentialsSample Exercises
Interacting with the Kubernetes APIProcessing a RequestConnecting to the API ServerRestricting Access to the API ServerScenario: An Attacker Can Call the API Server from the InternetRestricting User PermissionsScenario: An Attacker Can Call the API Server from a Service AccountMinimizing Permissions for a Service AccountUpdating Kubernetes FrequentlyVersioning SchemeRelease CadencePerforming the Upgrade ProcessSummaryExam EssentialsSample Exercises
Minimizing the Host OS FootprintScenario: An Attacker Exploits a Package VulnerabilityDisabling ServicesRemoving Unwanted PackagesMinimizing IAM RolesScenario: An Attacker Uses Credentials to Gain File AccessUnderstanding User ManagementUnderstanding Group ManagementUnderstanding File Permissions and OwnershipMinimizing External Access to the NetworkIdentifying and Disabling Open PortsSetting Up Firewall RulesUsing Kernel Hardening ToolsUsing AppArmorUsing seccompSummaryExam EssentialsSample Exercises
Setting Appropriate OS-Level Security DomainsScenario: An Attacker Misuses root User Container AccessUnderstanding Security ContextsEnforcing the Usage of a Non-Root UserSetting a Specific User and Group IDAvoiding Privileged ContainersScenario: A Developer Doesn’t Follow Pod Security Best PracticesUnderstanding Pod Security Admission (PSA)Enforcing Pod Security Standards for a NamespaceUnderstanding Open Policy Agent (OPA) and GatekeeperInstalling GatekeeperImplementing an OPA PolicyManaging SecretsScenario: An Attacker Gains Access to the Node Running etcdAccessing etcd DataEncrypting etcd DataUnderstanding Container Runtime SandboxesScenario: An Attacker Gains Access to Another ContainerAvailable Container Runtime Sandbox ImplementationsInstalling and Configuring gVisorCreating and Using a Runtime ClassUnderstanding Pod-to-Pod Encryption with mTLSScenario: An Attacker Listens to the Communication Between Two PodsAdopting mTLS in KubernetesSummaryExam EssentialsSample Exercises
Minimizing the Base Image FootprintScenario: An Attacker Exploits Container VulnerabilitiesPicking a Base Image Small in SizeUsing a Multi-Stage Approach for Building Container ImagesReducing the Number of LayersUsing Container Image Optimization ToolsSecuring the Supply ChainSigning Container ImagesScenario: An Attacker Injects Malicious Code into a Container ImageValidating Container ImagesUsing Public Image RegistriesScenario: An Attacker Uploads a Malicious Container ImageWhitelisting Allowed Image Registries with OPA GateKeeperWhitelisting Allowed Image Registries with the ImagePolicyWebhook Admission Controller PluginImplementing the Backend ApplicationConfiguring the ImagePolicyWebhook Admission Controller PluginStatic Analysis of WorkloadUsing Hadolint for Analyzing DockerfilesUsing Kubesec for Analyzing Kubernetes ManifestsScanning Images for Known VulnerabilitiesSummaryExam EssentialsSample Exercises
Performing Behavior AnalyticsScenario: A Kubernetes Administrator Can Observe Actions Taken by an AttackerUnderstanding FalcoInstalling FalcoConfiguring FalcoGenerating Events and Inspecting Falco LogsUnderstanding Falco Rule File BasicsOverriding Existing RulesEnsuring Container ImmutabilityScenario: An Attacker Installs Malicious SoftwareUsing a Distroless Container ImageConfiguring a Container with a ConfigMap or SecretConfiguring a Read-Only Container Root FilesystemUsing Audit Logs to Monitor AccessScenario: An Administrator Can Monitor Malicious Events in Real TimeUnderstanding Audit LogsCreating the Audit Policy FileConfiguring a Log BackendConfiguring a Webhook BackendSummaryExam EssentialsSample Exercises
Chapter 2, “Cluster Setup”Chapter 3, “Cluster Hardening”Chapter 4, “System Hardening”Chapter 5, “Minimize Microservice Vulnerabilities”Chapter 6, “Supply Chain Security”Chapter 7, “Monitoring, Logging, and Runtime Security”

Content preview from Certified Kubernetes Security Specialist (CKS) Study Guide

Preface

The Kubernetes certification program has been around since 2018, or five years as of this writing. During this time, security has become more and more important everywhere, including the Kubernetes world. Recently, the role of Certified Kubernetes Security Specialist (CKS) has been added to the certification track to address the need. Security can have different facets, and the way you address those concerns can be very diverse. That’s where the Kubernetes ecosystem comes into play. Apart from Kubernetes built-in security features, many tools have evolved that help with identifying and fixing security risks. As a Kubernetes administrator, you need to be familiar with the wide range of concepts and tools to harden your clusters and applications.

The CKS certification program was created to verify competence on security-based topics, and it requires a successful pass of the Certified Kubernetes Administrator (CKA) exam before you can register. If you are completely new to the Kubernetes certification program, then I would recommend exploring the CKA or Certified Kubernetes Application Developer (CKAD) program first.

In this study guide, I will explore the topics covered in the CKS exam to fully prepare you to pass the certification exam. We’ll look at determining when and how you should apply the core concepts of Kubernetes and external tooling to secure cluster components, cluster configuration, and applications running in a Pod. I will also offer tips to help you better ...