Everybody wants to learn Kubernetes these days, and the best way to learn is by doing.
The Certified Kubernetes Security Specialist certification is being developed to enable cloud-native professionals to demonstrate their security skills to current and potential employers.
This post covers the Hands-On Activity Guides that you must perform in order to learn Kubernetes security and clear the CKS certification exam.
Activity Guide I: Setting Up Kubernetes Cluster Using Kubeadm Tool And Calico CNI
In Kubernetes, nodes pool together their resources to form a more powerful machine. When you deploy programs onto the cluster, it intelligently handles distributing work to the individual nodes for you. If any nodes are added or removed, the cluster will shift around work as necessary.
In this activity guide, we cover setting up and creating a Kubernetes cluster using the kubeadm tool and Calico CNI.

II: Securing The Nodes And Processes With TLS
The TLS module provides an implementation of the Transport Layer Security (TLS) and Secure Socket Layer (SSL) protocols that is built on top of OpenSSL. TLS/SSL is a public/private key infrastructure (PKI). For most common cases, each client and server must have a private key.
In this activity guide for Certified Kubernetes Security Specialist, we cover Perfect forward secrecy, ALPN, and SNI, Pre-shared keys, Client-initiated renegotiation attack mitigation, Session resumption.

III: Setting Up Kube-bench For Running Kubernetes CIS Benchmark Tests
kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark. Tests are configured with YAML files, making this tool easy to update as test specifications evolve.
In this activity guide, we cover how to install kube-bench, run kube-bench, and run kube-bench on managed clusters.

IV: Protecting Cluster Metadata And Endpoints With Calico
Each host has one or more network interfaces that it uses to communicate externally. You can represent these interfaces in Calico using host endpoints and then use network policy to secure them.
Calico host endpoints can have labels, and they work the same as labels on workload endpoints. The network policy rules can apply to both workload and host endpoints using label selectors.
In this activity guide, we cover how to protect cluster metadata and endpoints with Calico.

V: Securing Kubelet And etcd Key-value Datastore
The etcd distributed key/value store is starting to play a key role in the management of fleets of Kubernetes clusters in the enterprise.
In this activity guide, we cover Use cases, NewSQL (Cloud Spanner, CockroachDB, TiDB), Using etcd for metadata, Using etcd for distributed coordination.

VI: Exploring With Service Account And Namespace
Kubernetes has the notion of users and service accounts to access resources. A user is associated with a key and certificate to authenticate API requests. Any request originating from outside the cluster is authenticated using one of the configured schemes.
In this activity guide, we cover Manually create a service account API token, Add ImagePullSecrets to a service account, Service Account Token Volume Projection, Service Account Issuer Discovery.

VII: RBAC Authorization Modes For Kubernetes API Server
Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within your organization. In Kubernetes, you must be authenticated (logged in) before your request can be authorized (granted permission to access). Kubernetes expects attributes that are common to REST API requests.
In this activity guide, we cover API objects, Role and ClusterRole, RoleBinding and ClusterRoleBinding, Aggregated ClusterRoles, Default roles and role bindings, Privilege escalation prevention, and bootstrapping.

VIII: Implementing Cluster Roles And Role Binding For Securing Cluster
This guide will cover the basic Kubernetes Role-Based Access Control (RBAC) API Objects, how to implement cluster roles, and role binding for securing clusters. At the end of this guide, you should have enough knowledge to implement RBAC policies in your cluster.

IX: Implementing Network Policies With Calico
Calico network policy provides a richer set of policy capabilities than Kubernetes, including policy ordering/priority, deny rules, and more flexible match rules. Calico network policy is a namespaced resource that applies to pods/containers/VMs in that namespace.
In this Activity guide, we cover Installing Calico, Endpoints, kubectl vs calicoctl, Ingress and egress, Setting up Network Policies.

X: Upgrading Kubeadm Clusters
The upgrade workflow at a high level is the following:
- Upgrade the primary control plane node.
- Upgrade additional control plane nodes.
- Upgrade worker nodes.
In this Activity guide, we cover Upgrading control plane nodes, Upgrade kubelet and kubectl, Upgrade worker nodes, Recovering from a failure state.
XI: Using Packer And Ansible For Server Hardening
The ansible Packer provisioner runs Ansible playbooks. It dynamically creates an Ansible inventory file configured to use SSH, runs an SSH server, executes ansible-playbook, and marshals Ansible plays through the SSH server to the machine being provisioned by Packer.
In this Activity guide, we cover Vagrant and Packer Workflow, Using Ansible, Building Immutable Infrastructure with Ansible.

Note: Cluster Hardening has 15% weightage in Certified Kubernetes Security Specialist (CKS) Exam
XII: Implementing The Principle Of Least Privilege (POLP)
The Principle of Least Privilege is the idea that any user, program, or process should have only the bare minimum privileges necessary to perform its function. This works by allowing only enough access to perform the required job.
XIII: Restrict A Container’s Access To Resources With AppArmor
AppArmor is a Linux kernel security module that supplements the standard Linux user and group-based permissions to confine programs to a limited set of resources. AppArmor can be configured for any application to reduce its potential attack surface and provide greater defense in depth.
In this Activity guide, we cover Securing a Pod, Setting up nodes with profiles, Restricting profiles with the PodSecurityPolicy, Authoring Profiles, PodSecurityPolicy Annotations.

XIV: Restrict A Container’s Syscalls With Seccomp
Secure computing mode (seccomp) is a Linux kernel feature. You can use it to restrict the actions available within the container. The seccomp() system call operates on the seccomp state of the calling process. You can use this feature to restrict your application’s access.
In this Activity guide, we cover Create Seccomp Profiles, Create a Local Kubernetes Cluster with Kind, Create a Pod with a Seccomp profile for syscall auditing, Create Pod with Seccomp Profile that Causes Violation, Create Pod that uses the Container Runtime Default Seccomp Profile.
XV: Configuring Pod Security Policies (PSP)
In Kubernetes, a Pod Security Policy (PSP) is a cluster-level resource that controls security sensitive aspects of the pod specification. PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for related fields.
In this Activity guide, we cover Configure pod security Policies.
XVI: Enforcing Policies On Kubernetes Objects With Open Policy Agent (OPA)
In Kubernetes, Admission Controllers enforce semantic validation of objects during create, update, and delete operations. With OPA you can enforce custom policies on Kubernetes objects without recompiling or reconfiguring the Kubernetes API server.
XVII: Configure A Security Context For A Pod or Container
A Pod Security Policy is a cluster-level resource that controls security sensitive aspects of the pod specification. The Pod Security Policy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.
In this Activity guide, we cover What is a Pod Security Policy, Enabling Pod Security Policies, Authorizing Policies.
XVIII: Working With Secrets To Store Sensitive Information
In this guide, we will be covering topics related to protecting a cluster from accidental or malicious access and providing recommendations on overall security.

XIX: Implementing Secure Containers Using Google’s gVisor
gVisor was designed around the premise that any security boundary could potentially be compromised with enough time and resources. We tried to optimize for a solution that was as costly and time-consuming for an attacker as possible, at every layer.
Consequently, gVisor was built through a combination of intentional design principles and specific technology choices that work together to provide the security isolation needed for running hostile containers on a host.
In this Activity guide, we cover Introducing gVisor, How to Implement Sandboxed Containers Using gVisor.

XX: Traffic Encryption Using mTLS
Transport authentication, also known as service-to-service authentication, ensures that traffic is encrypted in transit between services.
In this Activity guide, we cover Mutual TLS – Service, Namespace, Mesh, mTLS in practice, Check TLS.

XXI: Building Small Container Images In Kubernetes
The first step to deploying any app to Kubernetes is to bundle the app in a container. There are several official and community-backed container images for various languages and distros, and most of these containers can be really large, or sometimes contain overhead your app may never need or use.
In this Activity guide, we cover Building small container images.
XXII: Configuring And Working With Secured Image Registry
The Docker Registry is a service that can talk to the Docker daemon in order to upload and download Docker images. The Docker registry is called Distribution. There are multiple ways to deploy your own private registry. This guide explains how to do this.
In this Activity guide, we cover Configuring the Registry in a safe way, Integrating the Registry with Portus, Configuring the JWT token sent by Portus.
XXIII: Static Analysis With Kube-score
Kube-Score is a tool that does static code analysis of your Kubernetes object definitions. The output is a list of recommendations of what you can improve to make your application more secure and resilient.
In this Activity guide, we cover Installation and analyzing Kube-score.

XXIV: Kubernetes Static Code Analysis With Checkov
Checkov, our open-source infrastructure-as-code analysis tool, now scans Kubernetes manifests and identifies security and configuration issues in Kubernetes workloads.
In this Activity guide, we walk you through using Checkov to scan sample Kubernetes manifests, covering Installing Checkov and Scanning for Kubernetes misconfigurations.
XXV: Scan Your Docker Images For Vulnerabilities
Each batch of files added to an image ends up creating a layer that is added to the image. Your Docker image is the concatenation of all these layers in the specific order in which they were originally created.
Security vulnerabilities are not viruses. Security vulnerabilities usually exist in well-intentioned source code that has a logical or technical flaw, resulting in a system weakness that can be exploited to compromise a system.
In this Activity guide, we cover Security Vulnerabilities, Vulnerability databases, Docker Static Vulnerability Scanning, Anchore Engine.

XXVI: Detecting Kubernetes Vulnerability Using Falco
Falco is the CNCF open-source project for runtime threat detection for containers and Kubernetes. You can use Falco to detect malicious activity both at the host and at the container level.
In this Activity Guide for Certified Kubernetes Security Specialist, we cover how to detect Pods with Vulnerable Volume Types Created.

XXVII: Investigating Kubernetes Security With Open Source Tool
Container environments present some new challenges, so they require a few additional security layers. Fortunately, there are a lot of innovations to leverage in the open-source world, including many advances in the Linux kernel that give us tighter control over what activities are permitted at this core level.
In this Activity guide, we cover Infrastructure, Pod security policies, Cilium for network filtering, Build, Anchore for image scanning, Kubernetes Admission controllers, Kubesec.io for deployment checks.
XXVIII: Ensuring Container Immutability
One of the principles of Docker containers is that an image is immutable — once built, it’s unchangeable, and if you want to make changes, you’ll get a new image as a result.
In this Activity guide, we cover Container Immutability, Container Resource Utilization, Container Portability, Container Performance, Container Scalability, Container Operating Costs, Containers as a Service.
XXIX: Monitoring Kubernetes Audit Logs
Kubernetes auditing provides a security-relevant chronological set of records documenting the sequence of activities that have affected the system by individual users, administrators, or other components of the system.
In this Activity guide, we cover Audit Policy, Audit backends, Log backend, Webhook backend, Batching, Parameter tuning, Truncate, Setup for multiple API servers.
