A curated collection of exercises to help prepare for the Certified Kubernetes Security Specialist (CKS) exam. The exercises are grouped into their respective domains as per the CNCF curriculum for CKS.
- Fork the repo and create your branch from your forked repo
- Please try to follow the README markdown layout we use
- Issue that PR
- This will be reviewed by the team and merged
- NS = Namespace
- SA = Service account
- Po = Pod
- NetPol = Network policy
- PSP = Pod security policy
- RBAC = Role-based access control
- k = kubectl
- SVC = Service
- Using network policies to restrict cluster level access
- Using the CIS benchmark to review the security configuration of k8s components (kube-apiserver, kubelet, etcd, kube-dns) — kube-bench
- Properly setting up ingress objects with security controls
- Protecting node metadata and endpoints
- Minimising the use of, and access to, GUI elements
- Verify platform binaries before deployment — binary verification using sha512 hash
- Restricting access to the Kubernetes API
- Using RBAC (role-based access controls) to minimise exposure
- Using service accounts with minimal permissions and disabling defaults — opting out of automounting service account credentials
- Keeping up to date with the latest Kubernetes versions
- Minimising footprint of host OS to reduce attack surface
- Minimising IAM roles: Principle of least privilege — Authentication and Authorisation
- Minimising external access to the network — denying access to destinations outside the cluster
- Using kernel hardening tools — such as seccomp and AppArmor correctly
- Setting up appropriate OS level security domains like PSP, OPA and security contexts
- Managing K8s secrets
- Using container runtime sandboxes, such as gVisor and Kata Containers, in multi-tenant environments
- Implementation of pod-to-pod encryption by using mTLS configurations
- Minimising the base image footprint — distroless, Alpine or an image relevant to your build, as well as following best practices when creating containers
- Securing your supply chain by signing and validating images and maintaining an allowlist of permitted image registries — ImagePolicyWebhook admission controller
- Scanning images for known vulnerabilities — Aqua Security's Trivy
- Performing analytics of syscall processes at host and container level to detect malicious activities — Falco
- Detect threats within physical infrastructure, apps, networks, data, users and workloads
- Detecting all phases of an attack, regardless of where it occurs and how it spreads
- Performing deep analytical investigation and identification of bad actors within environment — Sysdig
- Ensuring immutability of containers at runtime
- Audit logs to monitor access
- We have added some practice questions for you here
- Keep in mind these are not exact copies of exam questions; rather, they are guidance for you to follow based on our K8s learning and experience.
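As an added example (not one of the repository's exercises), a single manifest that applies several of the items above to a hypothetical `demo-app` workload in a `demo` namespace: a default-deny NetworkPolicy, a service account that does not automount its token, and a Pod with RuntimeDefault seccomp and AppArmor profiles, a restrictive security context and a read-only root filesystem for runtime immutability. The namespace, names and image are placeholders.

```yaml
# Added example (not from the repo): hardened baseline for a hypothetical
# "demo-app" Pod in the "demo" namespace; names and image are placeholders.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: demo
spec:
  podSelector: {}                     # empty selector = every Pod in the namespace
  policyTypes:
  - Ingress
  - Egress                            # no rules listed, so all traffic is denied
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: demo-app-sa
  namespace: demo
automountServiceAccountToken: false   # SA-level opt-out of token mounting
---
apiVersion: v1
kind: Pod
metadata:
  name: demo-app
  namespace: demo
  annotations:
    container.apparmor.security.beta.kubernetes.io/app: runtime/default
spec:
  serviceAccountName: demo-app-sa
  automountServiceAccountToken: false # Pod-level opt-out, in case the SA changes
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault            # kernel hardening via the runtime's seccomp profile
  containers:
  - name: app
    image: registry.example.com/demo-app:1.0.0   # placeholder image
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true    # immutability at runtime
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    - name: tmp
      mountPath: /tmp                 # the only writable path
  volumes:
  - name: tmp
    emptyDir: {}
```

After applying it, confirm from inside the Pod that `/var/run/secrets/kubernetes.io/serviceaccount` is absent and that writes outside `/tmp` fail.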