
Certified Kubernetes Security Specialist - CKSS

This repository is a collection of resources to prepare for the Certified Kubernetes Security Specialist (CKSS) exam.

The given references and links below are just assumptions and ideas around the CKSS curriculum.

CKS Overview

The Certified Kubernetes Security Specialist (CKS) certification ensures that the holder has the skills, knowledge and competence across a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime.

The certification is generally available, as announced during KubeCon NA 2020.

CKS Outline

The CKS exam is online, proctored and performance-based: 15 to 20 hands-on tasks, with 2 hours to complete them.

From the CKS Exam Curriculum repository, the exam tests the following domains and competencies:

  1. Cluster Setup (10%): best-practice configuration to control the environment's access, rights and platform conformity.
  2. Cluster Hardening (15%): protect the Kubernetes API and use RBAC.
  3. System Hardening (15%): improve the security of the OS and network; restrict access through IAM.
  4. Minimize Microservice Vulnerabilities (20%): use Kubernetes mechanisms to isolate, protect and control workloads.
  5. Supply Chain Security (20%): container-oriented security, trusted resources, optimized container images, CVE scanning.
  6. Monitoring, Logging and Runtime Security (20%): analyse and detect threats.

CKS Exam Preparation

To take the CKS exam you must hold a valid CKA certification, to demonstrate sufficient Kubernetes expertise. A good starting point for securing Kubernetes is the Securing a Cluster task page of the official Kubernetes documentation. As of the November 2020 general-availability announcement, the exam is based on Kubernetes v1.19.

Resources allowed during the CKS exam:

According to the Linux Foundation exam documentation, during the CKS exam candidates may access:

Cluster Setup (10%)

Use network security policies to restrict cluster-level access

Allowed Resources

3rd Party Resources

Use the CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kube-apiserver)

3rd Party Resources
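The CIS benchmark items that tools such as kube-bench automate are mostly file permission and ownership checks on the control-plane and kubelet files. The following is an added example, not code from this repository or from kube-bench, that performs two of those checks by hand so the logic is visible. It assumes a Linux node with GNU `stat`; the target paths listed in the comments are the usual kubeadm locations.

```shell
#!/bin/sh
# Added example: hand-written versions of the CIS Kubernetes Benchmark file
# checks (sections 1.1.x for control-plane files, 4.1.x for kubelet files):
# files must be owned by root:root and be no more permissive than the
# benchmark's stated mode (644 for manifests/configs, 600 for PKI keys).

# check_mode FILE MAX_OCTAL: succeed if FILE grants no permission bit that
# MAX_OCTAL withholds (e.g. 600 passes against 644, 664 does not).
check_mode() {
  mode=$(stat -c '%a' "$1") || return 2
  # Leading 0 makes the shell treat both strings as octal.
  extra=$(( 0$mode & ~0$2 ))
  [ "$extra" -eq 0 ]
}

# check_owner FILE UID GID: succeed if FILE is owned by the numeric UID:GID
# (CIS expects root:root, i.e. 0 0).
check_owner() {
  [ "$(stat -c '%u:%g' "$1")" = "$2:$3" ]
}

# audit_file FILE MAX_OCTAL: kube-bench style PASS/FAIL lines for one file.
audit_file() {
  if check_mode "$1" "$2"; then
    echo "[PASS] $1 mode is $2 or more restrictive"
  else
    echo "[FAIL] $1 mode $(stat -c '%a' "$1") is more permissive than $2"
  fi
  if check_owner "$1" 0 0; then
    echo "[PASS] $1 owned by root:root"
  else
    echo "[FAIL] $1 owned by uid:gid $(stat -c '%u:%g' "$1"), expected 0:0"
  fi
}

# Typical targets on a kubeadm node (run as root):
#   audit_file /etc/kubernetes/manifests/kube-apiserver.yaml 644
#   audit_file /etc/kubernetes/manifests/etcd.yaml 644
#   audit_file /var/lib/kubelet/config.yaml 644
#   audit_file /etc/kubernetes/kubelet.conf 644
#   for k in /etc/kubernetes/pki/*.key; do audit_file "$k" 600; done
# Remediation is chmod/chown to the stated values; kube-bench itself is
# usually run as a Job from the aquasecurity/kube-bench repository.
```

`check_mode` compares permission bits rather than strings, so 600 is correctly accepted where the benchmark says "644 or more restrictive", which a plain string comparison would get wrong.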

Properly set up Ingress objects with security controls

Allowed Resources

Protect node metadata and endpoints

Allowed Resources

3rd Party Resources
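Both the network-policy item and the node-metadata item above come down to NetworkPolicy objects. The following is an added example, not code from this repository, that emits two of them for a namespace: a default deny for ingress and egress that still permits DNS, and an egress rule that keeps `app=web` pods away from the cloud metadata endpoint at 169.254.169.254. The namespace, label values and policy names are placeholders, and enforcement needs a CNI plugin that implements NetworkPolicy (Calico or Cilium, for instance; flannel alone does not).

```shell
#!/bin/sh
# Added example: NetworkPolicy manifests emitted by shell functions so they
# can be parameterised by namespace and piped to kubectl.

# default_deny NAMESPACE: select every pod, deny all ingress and egress,
# then re-allow DNS to kube-dns. Without the DNS exception a default-deny
# egress policy breaks every in-cluster name lookup.
# The kubernetes.io/metadata.name namespace label is set automatically from
# Kubernetes 1.21; on older clusters label kube-system yourself first.
default_deny() {
cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: $1
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
EOF
}

# block_metadata_egress NAMESPACE: pods labelled app=web may reach any
# address except the link-local metadata service. ipBlock.except is how a
# NetworkPolicy carves a hole out of an otherwise allowed CIDR; policies in a
# namespace are additive, so this combines with default_deny above.
block_metadata_egress() {
cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-metadata-egress
  namespace: $1
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes: ["Egress"]
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 169.254.169.254/32
EOF
}

# apply_policies NAMESPACE: apply both when kubectl is available, else print.
apply_policies() {
  if command -v kubectl >/dev/null 2>&1; then
    default_deny "$1" | kubectl apply -f -
    block_metadata_egress "$1" | kubectl apply -f -
  else
    default_deny "$1"; echo '---'; block_metadata_egress "$1"
  fi
}
```

Check the result from inside a pod in the namespace, for example with `kubectl exec -n dev POD -- wget -qO- --timeout=2 http://169.254.169.254/` (should time out) and a name lookup that should still succeed.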

Minimize use of, and access to, GUI elements

Allowed Resources

3rd Party Resources

Verify platform binaries before deploying

Allowed Resources
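Verifying platform binaries means comparing the downloaded file against the SHA-512 checksum the Kubernetes release publishes next to it. The following is an added example, not code from this repository, with the verification as reusable functions plus a guarded install step. The download URL pattern is the documented `dl.k8s.io` one; the version is an example.

```shell
#!/bin/sh
# Added example: checksum verification of a Kubernetes release binary.

# verify_sha512 FILE EXPECTED_HEX: succeed only on an exact digest match.
# Compare the whole string: matching on a prefix would accept a forged
# binary whose hash merely starts the same way.
verify_sha512() {
  actual=$(sha512sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# verify_sha512_file FILE CHECKSUM_FILE: CHECKSUM_FILE is the published
# .sha512 file, which holds either "<hex>" or "<hex>  <filename>".
verify_sha512_file() {
  expected=$(cut -d' ' -f1 < "$2")
  verify_sha512 "$1" "$expected"
}

# install_kubectl: download, verify, then install only on success.
# Requires curl and KUBE_VERSION (e.g. v1.19.0); not run by this script.
install_kubectl() {
  v=${KUBE_VERSION:?set KUBE_VERSION, e.g. v1.19.0}
  curl -fsSLO "https://dl.k8s.io/release/$v/bin/linux/amd64/kubectl"
  curl -fsSLO "https://dl.k8s.io/release/$v/bin/linux/amd64/kubectl.sha512"
  if verify_sha512_file kubectl kubectl.sha512; then
    install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
  else
    echo "checksum mismatch for kubectl $v, refusing to install" >&2
    rm -f kubectl
    return 1
  fi
}
# The same check applies to the server tarballs (kubernetes-server-linux-amd64.tar.gz
# and its .sha512) before the binaries inside are copied to a node.
```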

Cluster Hardening (15%)

Restrict access to the Kubernetes API

Allowed Resources

3rd Party Resources
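On a kubeadm cluster the kube-apiserver command line in `/etc/kubernetes/manifests/kube-apiserver.yaml` decides who can reach the API anonymously and what authorizer and admission plugins apply. The following is an added example, not code from this repository, that audits such a manifest for the settings that widen access. The manifest text in it is a constructed excerpt for the example, not a real cluster's file.

```shell
#!/bin/sh
# Added example: check kube-apiserver flags that control access to the API.

# Constructed sample of the command section of a static pod manifest.
SAMPLE_MANIFEST='
    command:
    - kube-apiserver
    - --anonymous-auth=true
    - --authorization-mode=AlwaysAllow
    - --enable-admission-plugins=NodeRestriction
    - --insecure-port=8080
    - --profiling=true
'

# flag_value MANIFEST FLAG: print the value of --FLAG, or nothing if unset.
flag_value() {
  printf '%s\n' "$1" | sed -n "s/^ *- --$2=//p" | head -n 1
}

# audit_apiserver MANIFEST: print one finding per line, return 1 if any.
audit_apiserver() {
  findings=0
  # Unauthenticated requests should be rejected outright (default is true).
  [ "$(flag_value "$1" anonymous-auth)" = "false" ] \
    || { echo "anonymous-auth should be false"; findings=1; }
  # AlwaysAllow (also the default when unset) grants everything to everyone.
  case "$(flag_value "$1" authorization-mode)" in
    *AlwaysAllow*|"") echo "authorization-mode must be Node,RBAC"; findings=1 ;;
  esac
  # NodeRestriction stops a compromised kubelet from editing other nodes' objects.
  case "$(flag_value "$1" enable-admission-plugins)" in
    *NodeRestriction*) ;;
    *) echo "enable-admission-plugins should include NodeRestriction"; findings=1 ;;
  esac
  # The plaintext, unauthenticated port must be off (kubeadm sets 0).
  v=$(flag_value "$1" insecure-port)
  [ -z "$v" ] || [ "$v" = "0" ] || { echo "insecure-port must be 0"; findings=1; }
  # Profiling exposes pprof endpoints on the API server.
  [ "$(flag_value "$1" profiling)" != "true" ] \
    || { echo "profiling should be false"; findings=1; }
  return $findings
}

# On a control-plane node: audit_apiserver "$(cat /etc/kubernetes/manifests/kube-apiserver.yaml)"
# The kubelet restarts the static pod on its own after the file is edited.
```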

Use role-based access control to minimize exposure

Allowed Resources

3rd Party Resources

Exercise caution in using service accounts, e.g. disable defaults, minimize permissions on newly created ones

Allowed Resources

3rd Party Resources
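The two items above go together: a namespaced Role with a minimal verb set, bound to a dedicated ServiceAccount that does not auto-mount its token. The following is an added example, not code from this repository; the namespace, ServiceAccount and Role names are placeholders, and the `kubectl auth can-i` checks in the comments are how to confirm the binding grants nothing more than intended.

```shell
#!/bin/sh
# Added example: least-privilege RBAC for a workload's ServiceAccount.

# pod_reader_rbac NAMESPACE SA: ServiceAccount + Role + RoleBinding.
pod_reader_rbac() {
cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $2
  namespace: $1
automountServiceAccountToken: false   # pods that need the API opt in explicitly
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: $1
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]   # no create/delete and no pods/exec subresource
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $2-pod-reader
  namespace: $1
subjects:
- kind: ServiceAccount
  name: $2
  namespace: $1
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Against a live cluster (not executed here):
#   pod_reader_rbac dev app | kubectl apply -f -
#   kubectl auth can-i list pods   -n dev  --as=system:serviceaccount:dev:app   # yes
#   kubectl auth can-i delete pods -n dev  --as=system:serviceaccount:dev:app   # no
#   kubectl auth can-i list pods   -n prod --as=system:serviceaccount:dev:app   # no
# The default ServiceAccount of every namespace should mount nothing either:
#   kubectl patch sa default -n dev -p '{"automountServiceAccountToken": false}'
# A pod that does need the API sets automountServiceAccountToken: true in its
# own spec and serviceAccountName to the dedicated account, never default.
```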

Update the cluster frequently

Allowed Resources

System Hardening (15%)

Minimize host OS footprint (reduce attack surface)

Allowed Resources

3rd Party Resources

Minimize IAM roles

3rd Party Resources

Minimize external access to the network

Allowed Resources

3rd Party Resources

Appropriately use kernel hardening tools such as AppArmor and seccomp

Allowed Resources

3rd Party Resources
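AppArmor and seccomp are both applied per pod: the profiles live on each node, and the pod spec references them by name. The following is an added example, not code from this repository, showing a seccomp profile, an AppArmor profile and a pod that loads both. The profile and pod names are placeholders; the AppArmor profile is the deny-write pattern from the Kubernetes AppArmor tutorial, and the annotation form shown is the one valid on 1.19-era clusters (a `securityContext.appArmorProfile` field replaced it in later releases).

```shell
#!/bin/sh
# Added example: kernel hardening profiles and the pod that uses them.

# seccomp_profile: allow everything except syscalls a web app never needs.
# Save it under the kubelet seccomp root, /var/lib/kubelet/seccomp/profiles/web.json,
# on every node: Localhost profiles are node files, not cluster objects.
seccomp_profile() {
cat <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {
      "names": ["mount", "umount2", "ptrace", "reboot", "swapon", "kexec_load"],
      "action": "SCMP_ACT_ERRNO"
    }
  ]
}
EOF
}

# apparmor_profile: deny all file writes. Load on the node with
#   apparmor_parser -r k8s-deny-write   (check with: aa-status)
apparmor_profile() {
cat <<'EOF'
#include <tunables/global>
profile k8s-deny-write flags=(attach_disconnected) {
  #include <abstractions/base>
  file,
  deny /** w,
}
EOF
}

# hardened_pod NAME: pod-level seccompProfile (a field since 1.19) plus the
# per-container AppArmor annotation, whose key ends in the container name.
hardened_pod() {
cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $1
  annotations:
    container.apparmor.security.beta.kubernetes.io/app: localhost/k8s-deny-write
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: profiles/web.json
  containers:
  - name: app
    image: nginx:1.19
    securityContext:
      allowPrivilegeEscalation: false
EOF
}

# With no custom profile, type: RuntimeDefault (no localhostProfile) applies
# the container runtime's default seccomp filter and is the right baseline.
# Verify inside the running pod:
#   kubectl exec NAME -- grep Seccomp /proc/1/status   # "Seccomp: 2" = filtering
#   kubectl exec NAME -- cat /proc/1/attr/current      # k8s-deny-write (enforce)
```

A pod referencing a profile that is not present on its node stays in a blocked state rather than starting unconfined, so profiles have to be distributed to every node the pod can be scheduled on.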

Minimize Microservice Vulnerabilities (20%)

Set up appropriate OS-level security domains, e.g. using PSP, OPA, security contexts

Allowed Resources

3rd Party Resources
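The per-pod `securityContext` fields are what any of those enforcement mechanisms ultimately checks. The following is an added example, not code from this repository, showing the same workload with a permissive and a restricted security context, plus a PodSecurityPolicy that would reject the permissive one. PodSecurityPolicy was the cluster-wide mechanism at the exam's 1.19 baseline; it was removed in Kubernetes 1.25 in favour of Pod Security Admission, but the pod fields are the same. Image and name values are placeholders.

```shell
#!/bin/sh
# Added example: weak versus hardened pod security context, and a PSP.

# weak_pod: what gets written when nothing enforces a policy.
weak_pod() {
cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: app-weak
spec:
  hostPID: true
  containers:
  - name: app
    image: nginx:1.19
    securityContext:
      privileged: true
EOF
}

# hardened_pod: non-root, no privilege escalation, no capabilities,
# read-only root filesystem with explicit scratch space for paths the
# process must write (a read-only root without it makes most apps crash).
hardened_pod() {
cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: app-hardened
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: nginxinc/nginx-unprivileged:1.19   # placeholder that listens on 8080, so no root
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    - name: tmp
      mountPath: /tmp
  volumes:
  - name: tmp
    emptyDir: {}
EOF
}

# restricted_psp: cluster-wide rejection of the weak pod's settings. Only
# effective with the PodSecurityPolicy admission plugin enabled and a
# (Cluster)RoleBinding granting "use" on the policy to the pod's ServiceAccount.
restricted_psp() {
cat <<'EOF'
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]
  hostNetwork: false
  hostPID: false
  hostIPC: false
  readOnlyRootFilesystem: true
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  volumes: ["configMap", "emptyDir", "projected", "secret", "downwardAPI", "persistentVolumeClaim"]
EOF
}
```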

Manage Kubernetes secrets

Allowed Resources

3rd Party Resources
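Secrets are stored in etcd base64-encoded, not encrypted, unless the API server is given an EncryptionConfiguration. The following is an added example, not code from this repository, that generates a key, writes the configuration and lists the remaining steps. File paths are placeholders on a kubeadm control plane.

```shell
#!/bin/sh
# Added example: encrypting Secrets at rest in etcd.

# new_key: 32 random bytes, base64-encoded, as the aescbc provider expects.
new_key() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# key_len_ok KEY_B64: the decoded key must be exactly 32 bytes.
key_len_ok() {
  [ "$(printf '%s' "$1" | base64 -d | wc -c)" -eq 32 ]
}

# encryption_config KEY_B64: the first provider is used for writes; every
# provider is tried for reads. "identity" last keeps Secrets that were stored
# before the change readable. Putting identity first is the classic mistake:
# new Secrets then keep landing in etcd as plaintext.
encryption_config() {
cat <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources: ["secrets"]
  providers:
  - aescbc:
      keys:
      - name: key1
        secret: $1
  - identity: {}
EOF
}

# Steps on the control-plane node (not executed here):
#   mkdir -p /etc/kubernetes/enc
#   encryption_config "$(new_key)" > /etc/kubernetes/enc/enc.yaml
#   chmod 600 /etc/kubernetes/enc/enc.yaml        # the file holds the key
#   in /etc/kubernetes/manifests/kube-apiserver.yaml add
#     --encryption-provider-config=/etc/kubernetes/enc/enc.yaml
#     and a hostPath volume + volumeMount for /etc/kubernetes/enc
#   re-write existing Secrets so they are stored encrypted:
#     kubectl get secrets -A -o json | kubectl replace -f -
#   verify a value in etcd is no longer readable:
#     ETCDCTL_API=3 etcdctl --cacert /etc/kubernetes/pki/etcd/ca.crt \
#       --cert /etc/kubernetes/pki/etcd/server.crt --key /etc/kubernetes/pki/etcd/server.key \
#       get /registry/secrets/default/NAME | hexdump -C
#     (the value now starts with k8s:enc:aescbc:v1:key1:)
```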

Use container runtime sandboxes in multi-tenant environments (e.g. gVisor, Kata Containers)

Allowed Resources

3rd Party Resources

Implement pod-to-pod encryption by use of mTLS

Allowed Resources

3rd Party Resources

Supply Chain Security (20%)

Minimize base image footprint

3rd Party Resources
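The usual way to minimize the base image is a multi-stage build: compile with the full toolchain, then copy only the artefact into an image with no shell or package manager. The following is an added example, not code from this repository, emitting such a Dockerfile for a Go service. The module layout (`./cmd/app`) and tags are placeholders.

```shell
#!/bin/sh
# Added example: multi-stage Dockerfile ending in a distroless, non-root image.

dockerfile_minimal() {
cat <<'EOF'
# syntax=docker/dockerfile:1
# --- build stage: full toolchain, never shipped ---
FROM golang:1.19 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO off so the binary needs no libc; -trimpath and -s -w drop paths and symbols.
RUN CGO_ENABLED=0 go build -trimpath -ldflags='-s -w' -o /out/app ./cmd/app

# --- runtime stage: static binary, CA certs, nonroot user; no shell to exec into ---
FROM gcr.io/distroless/static-debian11:nonroot
COPY --from=build /out/app /app
USER nonroot:nonroot
ENTRYPOINT ["/app"]
EOF
}

# dockerfile_bloated: the shape to avoid, for contrast. Every layer here
# (compiler, apt cache, shell) stays in the shipped image and in its CVE list.
dockerfile_bloated() {
cat <<'EOF'
FROM golang:latest
RUN apt-get update && apt-get install -y curl vim
COPY . /src
RUN cd /src && go build -o /app ./cmd/app
CMD /app
EOF
}

# Build and compare (not executed here):
#   dockerfile_minimal > Dockerfile && docker build -t app:min .
#   docker image ls app:min        # tens of MB instead of ~1 GB
#   docker run --rm -it app:min sh # fails: there is no shell, by design
```

Beyond size, the distroless image removes the tools an attacker would use after a compromise and pins a non-root user so `runAsNonRoot: true` in the pod spec passes admission.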

Secure your supply chain: allowlist permitted image registries, sign and validate images

Allowed Resources

3rd Party Resources

Use static analysis of user workloads (e.g. Kubernetes resources, Dockerfiles)

Allowed Resources

3rd Party Resources
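Static analysis tools such as kubesec or kube-linter read a manifest and flag risky settings before anything is deployed; the "immutability of containers at runtime" item further down is one of those settings (`readOnlyRootFilesystem`). The following is an added example, not code from this repository or from either tool, that serves both items with a deliberately simple, line-oriented review of a pod manifest. It assumes one container per manifest and does not parse YAML, which is what the real tools do; the manifest in it is constructed for the example.

```shell
#!/bin/sh
# Added example: grep-based static checks on a pod manifest.

# Constructed sample manifest with several findings.
SAMPLE_POD='
apiVersion: v1
kind: Pod
metadata:
  name: legacy-app
spec:
  hostNetwork: true
  containers:
  - name: app
    image: registry.example.com/app:latest
    securityContext:
      privileged: true
'

# has MANIFEST REGEX: true if any line of MANIFEST matches REGEX.
has() { printf '%s\n' "$1" | grep -Eq "$2"; }

# lint_pod MANIFEST: print one finding per line, return 1 if there are any.
lint_pod() {
  m=$1; n=0
  has "$m" '^ *privileged: *true' && { echo "privileged container"; n=1; }
  has "$m" '^ *host(PID|IPC|Network): *true' && { echo "shares a host namespace"; n=1; }
  # An untagged or :latest image is not reproducible and makes scan results
  # meaningless, since the image behind the reference changes silently.
  # (A registry with a port but no tag slips past this simple pattern.)
  has "$m" '^ *image: *[^:@]+$' && { echo "image has no tag or digest"; n=1; }
  has "$m" '^ *image: .*:latest$' && { echo "image uses :latest"; n=1; }
  has "$m" '^ *allowPrivilegeEscalation: *false' \
    || { echo "allowPrivilegeEscalation not disabled"; n=1; }
  has "$m" '^ *runAsNonRoot: *true' || { echo "runAsNonRoot not set"; n=1; }
  # Immutability: with a read-only root filesystem a compromised process
  # cannot drop tools or patch the image's files in place.
  has "$m" '^ *readOnlyRootFilesystem: *true' \
    || { echo "root filesystem is writable"; n=1; }
  return $n
}

# Use in a pipeline, e.g. in CI before kubectl apply:
#   lint_pod "$(cat pod.yaml)" || { echo "refusing to deploy"; exit 1; }
```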

Scan images for known vulnerabilities

3rd Party Resources

Monitoring, Logging and Runtime Security (20%)

Perform behavioral analytics of syscall, process and file activities at the host and container level to detect malicious activities

Allowed Resources

3rd Party Resources
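Falco is the usual tool for this item: it watches syscalls on each node and matches them against rules. The following is an added example, not code from this repository or from the Falco project, of a custom rule that fires when a shell starts inside a container and prints the fields an investigation needs. The rule and macro names are chosen here; `spawned_process` and `container` are macros from Falco's default rule set, and the file path is Falco's default location for local rules.

```shell
#!/bin/sh
# Added example: a local Falco rule for shells spawned in containers.

# falco_shell_rule: append to /etc/falco/falco_rules.local.yaml.
falco_shell_rule() {
cat <<'EOF'
- macro: spawned_shell
  condition: proc.name in (bash, sh, zsh, dash) and proc.vpid != 1

- rule: Shell Spawned In Container
  desc: Interactive shell started inside a container (manual tampering or post-exploitation)
  condition: spawned_process and container and spawned_shell
  output: "%evt.time,%user.name,%container.id,%container.image.repository:%container.image.tag,%proc.cmdline"
  priority: WARNING
  tags: [container, shell, mitre_execution]
EOF
}

# Workflow on a node (not executed here):
#   falco_shell_rule >> /etc/falco/falco_rules.local.yaml
#   systemctl restart falco
#   kubectl exec -it POD -- sh             # trigger it
#   journalctl -u falco | grep 'Shell Spawned'
# To test a rules file for a fixed time instead of as a service:
#   falco -r /etc/falco/falco_rules.yaml -r /etc/falco/falco_rules.local.yaml -M 45
# The proc.vpid != 1 clause keeps a container whose entrypoint *is* a shell
# from alerting on every start; drop it if such containers are not allowed.
```

The comma-separated `output` format is deliberate: tasks in this domain typically ask for a specific field order that can be parsed afterwards, and Falco's `%field` placeholders are what control it.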

Detect threats within physical infrastructure, apps, networks, data, users and workloads

3rd Party Resources

Detect all phases of attack regardless of where it occurs and how it spreads

3rd Party Resources

Perform deep analytical investigation and identification of bad actors within the environment

3rd Party Resources

Ensure immutability of containers at runtime

Allowed Resources

3rd Party Resources

Use audit logs to monitor access

Allowed Resources

3rd Party Resources
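API audit logging is off until the API server is given a Policy file and a log destination. The following is an added example, not code from this repository, of a policy that records who touched which object without flooding the log, with the flags that enable it. Paths are placeholders on a kubeadm control plane.

```shell
#!/bin/sh
# Added example: Kubernetes audit Policy plus the flags to enable it.

audit_policy() {
cat <<'EOF'
apiVersion: audit.k8s.io/v1
kind: Policy
# One event per request is enough; skip the RequestReceived stage entirely.
omitStages: ["RequestReceived"]
# Rules are evaluated top-down and the first match wins, so order matters.
rules:
# Secrets and ConfigMaps: record the access, never the contents.
# RequestResponse here would copy every Secret's data into the audit log.
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets", "configmaps"]
# Changes to RBAC, pods, exec sessions and service accounts: full bodies for forensics.
- level: RequestResponse
  verbs: ["create", "update", "patch", "delete"]
  resources:
  - group: "rbac.authorization.k8s.io"
  - group: ""
    resources: ["pods", "pods/exec", "serviceaccounts"]
# Health, readiness and version probes are noise.
- level: None
  nonResourceURLs: ["/healthz*", "/readyz*", "/livez*", "/version"]
# kube-proxy watches endpoints constantly; nothing to learn from it.
- level: None
  users: ["system:kube-proxy"]
  verbs: ["watch"]
# Everything else: who, what, when, but no bodies.
- level: Metadata
EOF
}

# kube-apiserver flags (plus hostPath mounts for /etc/kubernetes/audit and
# /var/log/kubernetes/audit in the static pod manifest):
#   --audit-policy-path=/etc/kubernetes/audit/policy.yaml
#   --audit-log-path=/var/log/kubernetes/audit/audit.log
#   --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100
# Quick question the log answers: who read a given secret?
#   jq -r 'select(.objectRef.resource=="secrets") | [.requestReceivedTimestamp,.user.username,.verb,.objectRef.namespace,.objectRef.name] | @csv' audit.log
```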

Related Kubernetes security resources

White Papers

Keep Updating

  • LIVING DOCUMENT - I WILL UPDATE IT FREQUENTLY WHEN I HAVE NEW INFORMATION
  • PRs are always welcome, so star, fork and contribute
    • please open a pull request if you would like to add or update something

Ibrahim Jelliti © 2020