Certified Kubernetes Security Specialist (CKS) Cloud Native Crash Course
Published by Pearson
Get the Edge You Need to Crush the CKS Exam
- Review objectives on the CKS exam and learn best practices for applying knowledge to pass the exam
- Learn how to secure Kubernetes infrastructure and workloads
- Use kubectl and other tools to harden, verify, and test Kubernetes security
- Work through live exercises to experience labs similar to what you’ll find on the exam
Get ready for the Certified Kubernetes Security Specialist (CKS) exam! In this all-new live training course, author and trainer Chris Jackson will introduce you to exam concepts and objectives and walk you through key topics so you get the edge you need to successfully study for and pass the test. This 2-day / 8-hour live training follows the Cloud Native question domains and includes demos throughout so you can see how to work through labs in real-time and apply knowledge. These hands-on exercises were built to emphasize skills needed in the actual exam so you can build testing confidence while learning.
Kubernetes has grown exponentially in capabilities as well as scale over the years, and securing Kubernetes has never been more important. Luckily, the CNCF has created the Certified Kubernetes Security Specialist (CKS) certification – providing structure to what you need to learn and enabling candidates to demonstrate skills and competency. CKS is a performance-based test that requires candidates to solve multiple tasks from a command line running Kubernetes. Chris Jackson has designed this class to walk you through the many topics you will need to know, as well as to give you guidance on how to build your own Kubernetes lab for further study and hands-on practice, so you can create a practical and successful path to certification.
What you’ll learn and how you can apply it
- How to get CKS certified, what to study, and techniques for success
- The key concepts of cloud native applications built on a Kubernetes cluster and the various security risks and mitigation techniques that prove effective
- Knowledge of the various tools and techniques admins and developers use to interact with Kubernetes
- How to build your own fully functional Kubernetes study environment using local or cloud infrastructure
And you’ll be able to:
- Work with Docker containers, kubectl, Git, and other command line tools
- Effectively mitigate common security issues plaguing cloud native applications on Kubernetes
- Demonstrate the needed skills required for CKS certification
- Articulate the various risks inherent in a Kubernetes cluster
This live event is for you because...
- You want to become CKS certified and validate your Kubernetes skills
- You want to gain important insight on securing your applications from security threats
- You need a no-nonsense primer to kick start your knowledge of Kubernetes security
Prerequisites
- Foundational Kubernetes experience through having passed the Certified Kubernetes Administrator (CKA) exam or equivalent
- Basic knowledge of security concepts
- Linux experience and Bash shell knowledge
- Access to a Linux environment to run a Kubernetes cluster on (We will use Ubuntu 22.04 LTS in class)
Course Set-up
This course makes extensive use of hands-on labs to enhance your knowledge and confidence. You will need to create your own lab environment following the setup guide. There are many options as to where you set it up: on your own hardware or with a cloud provider. It is recommended to use Vagrant with VirtualBox for maximum compatibility with the exercises provided, but any Kubernetes deployment running 1.27.0 or later should work. To get everything up and running in preparation for class, follow the "Setup Guide" in the course GitHub repository.
Recommended Preparation
- Watch: Getting Started with Kubernetes, 3rd edition by Sander van Vugt
- Watch: Certified Kubernetes Administrator (CKA), 3rd Edition by Sander van Vugt
- Watch: Linux Fundamentals, 2nd edition by Sander van Vugt
- Watch: Module 1: Security Concepts from The Complete Cybersecurity Bootcamp, 2nd edition by Omar Santos
Recommended Follow-up
- Attend: Hands-On Kubernetes and Docker Security with Omar Santos
Schedule
The time frames are only estimates and may vary according to how the class is progressing.
Day 1
Segment 1 How to Succeed at CKS Certification (30min)
- Exam requirements
- Resources and tools
- Practice strategy
- Timeline and expectations
Segment 2 Building a Home Kubernetes Lab (30min)
- What platforms can you use? Minikube, k3s, Docker workstation
- Hardware or cloud? Choosing the most cost-effective solution.
- Set up your lab through automation
- Maintaining your lab environment
- Demo of lab environment
Segment 3 Cluster Setup the Secure Way (50min) - 10% of Exam
- Use Network security policies to restrict cluster level access
- Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
- Properly set up Ingress objects with security control (Demo)
- Protect node metadata and endpoints (Demo)
- Minimize use of, and access to, GUI elements
- Verify platform binaries before deploying (Demo)
- Break (10 min)
Segment 4 - Cluster Hardening (55 min) - 15% of Exam
- Restrict access to Kubernetes API
- Use Role Based Access Controls to minimize exposure (Demo)
- Exercise caution in using service accounts e.g., disable defaults, minimize permissions on newly created ones
- Update Kubernetes frequently (Demo)
Segment 5 - System Hardening (55 min) - 15% of Exam
- Minimize host OS footprint (reduce attack surface)
- Minimize IAM roles (Demo)
- Minimize external access to the network
- Appropriately use kernel hardening tools such as AppArmor, seccomp (Demo)
- Q&A (10min)
Day 2
Segment 6 - Minimize Microservice Vulnerabilities (50 min) - 20% of Exam
- Set up appropriate OS level security domains
- Manage Kubernetes secrets (Demo)
- Use container runtime sandboxes in multi-tenant environments (e.g., gVisor, Kata Containers)
- Implement pod to pod encryption by use of mTLS (Demo)
- Break (10 min)
Segment 7 - Software Supply Chain Security (80min) - 20% of Exam
- Minimize base image footprint (Demo)
- Secure your supply chain: whitelist allowed image registries, sign and validate images (Demo)
- Use static analysis of user workloads (e.g., Kubernetes resources, Dockerfiles) (Demo)
- Scan images for known vulnerabilities (Demo)
- Break (10 min)
Segment 8 - Monitoring, Logging, and Runtime Security (80 min) - 20% of Exam
- Perform behavioral analytics of syscall, process, and file activities at the host and container level to detect malicious activities (Demo)
- Detect threats within physical infrastructure, apps, networks, data, users and workloads
- Detect all phases of attack regardless of where it occurs and how it spreads
- Perform deep analytical investigation and identification of bad actors within environment (Demo)
- Ensure immutability of containers at runtime
- Use Audit Logs to monitor access (Demo)
- Q&A (10min)
Your Instructor
Chris Jackson
Chris Jackson, CCIE No. 6256, is a Distinguished Architect and CTO for Cisco Global Sales Enablement. He is the author of Network Security Auditing (Cisco Press, 2010), CCNA Cloud CLDADM 210-455 Official Cert Guide (Cisco Press, 2016), and Cisco Certified DevNet Associate DEVASC 200-901 Official Cert Guide (Cisco Press, 2020). Chris is focused on digital transformation, DevOps, and helping customers leverage the tremendous business value Cisco technologies can provide. He holds dual CCIEs in security and routing and switching, CISA, CISSP, ITIL v3, seven SANS certifications, and a bachelor's degree in business administration. Residing in Franklin, Tennessee, Chris enjoys tinkering with RC drones, robotics, and anything else that can be programmed to do his bidding. In addition, he is a 3rd Degree Black Belt in Taekwondo, a rabid Star Wars fan, and has a ridiculous collection of Lego.