
Security: katademy/deck-kubernetes

Security

docs/security.md

When multiple _____ objects select the same Pod, it becomes restricted to what is allowed by the union of those policies' ingress/egress rules. NetworkPolicy
A public image registry may be compromised, so it is useful to use _____ registries. dedicated, private
API requests are tied to either a username, a service account, or are treated as _____. anonymous requests
A request to kube-apiserver must include the _____ of the requester, the requested action, and the object affected by the action. username
Can admission controllers set complex defaults for fields? _____ Yes
_____ are tied to a set of credentials stored as Secrets (or, since Kubernetes 1.24, as short-lived projected tokens), which allow Pods to talk to the Kubernetes API. ServiceAccounts
ServiceAccounts are tied to a set of credentials stored as _____, which allow Pods to talk to the Kubernetes API. Secrets
Requests in Kubernetes come with "usernames" for access control decisions and logging. But how does Kubernetes define a "user"? _____ It doesn't! No concrete representative human "user" object exists in Kubernetes.
The default Pod ServiceAccount token can be kept out of a Pod by setting _____ automountServiceAccountToken: false (on the Pod spec, or on the ServiceAccount object itself)
When a request reaches kube-apiserver, it goes through stages: _____, Authorization, Admission Control Authentication
Kubernetes authorizes API requests at the _____ kube-apiserver
Can network segmentation improve Kubernetes security? _____ Yes
Does admission or validation of a request happen first? _____ Mutating admission runs first; the object is then schema-validated, and validating admission runs last.
The default authorization modules that can be used in the API server are _____, RBAC, and Webhook. ABAC
The Role and _____ Objects contain sets of additive authorization permissions ClusterRole
Audit policies determine what events are recorded and which _____ persist the records. backends
Admission Control Modules can modify or _____ requests. reject
Can _____ help prevent internal denial of service attacks? Yes ResourceQuotas
A _____ uses labels to specify the groups of pods allowed to communicate with each other, and other network endpoints. NetworkPolicy
Admission Control Modules can access contents of Kubernetes objects that are being _____ or modified. created
Tools like gVisor or _____ can "sandbox" Pods on the same host from each other, giving you an extra layer of isolation. Kata Containers
Setting securityContext.allowPrivilegeEscalation to _____ makes it harder to escalate privileges inside a Container. false
Is RBAC enabled for a new cluster by default? _____ Not by kube-apiserver itself (its --authorization-mode defaults to AlwaysAllow); installers such as kubeadm set Node,RBAC. Check the flag on your cluster rather than assuming.
The _____ audit backend sends events to an external API. webhook
Pods that do not need to use kube-apiserver should have their _____ disabled. default ServiceAccount
When _____ starts, it looks for its kubeconfig file and its credentials (normally a TLS key and signed certificate), then retrieves the kube-apiserver URL and attempts to communicate with it. kubelet
Audit allows cluster administrators to learn about the context of a cluster _____: when it happened, where, who initiated it and what it did. event
A CertificateSigningRequest's _____ field denotes the recipient that the request is being made to. spec.signerName
Can attackers remove a NetworkPolicy from within etcd? _____ Yes
Nodes must be provisioned with valid client credentials and a _____ to connect to kube-apiserver. public root certificate
Authentication protocols (such as LDAP, SAML, Kerberos, etc) can be integrated into Kubernetes by using an _____ or authenticating webhook. authenticating proxy
A RoleBinding grants a role's permissions to a set of users, _____ or service accounts. groups
Can service meshes encrypt in-cluster traffic (and automatically rotate certificates)? _____ Yes
Restricting access to _____ prevents an attacker from modifying the desired cluster state. etcd
Are authentication proxies a valid authentication method? _____ Yes
The default authorization modules that can be used in the API server are ABAC, _____, and Webhook. RBAC
A NetworkPolicy uses _____ to specify the groups of pods allowed to communicate with each other, and other network endpoints. labels
A kubelet's initial bootstrap credentials for TLS can be either authentication file tokens, or _____ tokens. "bootstrap"
Can normal users be added to a cluster through an API call? _____ No
You should usually use at least two methods of authentication in your cluster: one for _____ and one for service accounts. human users
Are Client Certificates a valid authentication module? _____ Yes
When kubelet starts, it looks for its kubeconfig file and its credentials (normally a TLS key and signed certificate), then retrieves the _____ URL and attempts to communicate with it. kube-apiserver
The four audit levels are: None - don't log these events. Metadata - log a request's user, timestamp, resource, verb, etc. Request - log event metadata and request body. _____ RequestResponse - log event metadata, request body and response bodies.
Kubernetes authentication examines the incoming HTTP request's headers and _____. certificate
Does kube-apiserver verify the kubelet's serving certificate by default? _____ No. The connection is subject to MITM attacks by default.
Can attackers manipulate cluster data in etcd, bypassing kube-apiserver completely? _____ Yes
Does Container/Operating System scanning improve cluster security? _____ Yes
When multiple NetworkPolicy objects select the same _____, it becomes restricted to what is allowed by the union of those policies' ingress/egress rules. Pod
A kubelet's kubeconfig requires a certificate to communicate with kube-apiserver. This certificate must be signed by a _____ trusted by kube-apiserver. Certificate Authority
A _____ object can divide your workloads into network tiers, locking them by default, with the ability specifically allow communication between them, or between their namespaces. NetworkPolicy
A Certificate Authority _____ and certificate are required to sign kubelet certificates. key
securityContext allows defining privilege and access controls per Pod or per _____. Container
Authentication protocols (such as LDAP, SAML, Kerberos, etc) can be integrated into Kubernetes by using an authenticating proxy or _____. authenticating webhook
_____ are usually stored in the /etc/kubernetes/pki directory. PKI certificates
By default, Pods in a cluster come with a _____ with permissions allowing it to communicate with kube-apiserver. This should be disabled for Pods that are never expected to need to talk to kube-apiserver, as an attacker could otherwise steal the auth token. service account
With _____ files, you can organize your clusters, users, contexts, and namespaces. kubeconfig
Do you need to upload AppArmor profiles to ALL of your Nodes? _____ Yes - since you don't know which Node your Pod may be scheduled to.
The default authorization modules that can be used in the API server are ABAC, RBAC, and _____. Webhook
To specify which AppArmor profile a Container should run with, specify the profile as an _____ in the Pod's metadata. annotation (container.apparmor.security.beta.kubernetes.io/<container-name>; from Kubernetes 1.30 the securityContext.appArmorProfile field replaces it)
Once created, a CertificateSigningRequest must be _____ before it can be signed. approved
_____ is a file used to configure access to clusters kubeconfig
A request was authorized by a single Authorization Module. Does it also get evaluated by other available Authorization Modules before being authorized? _____ No
Are plain, bootstrap and JWT tokens a valid Kubernetes authentication module? _____ Yes
A CertificateSigningRequest will initially have Pending status. If it meets specific criteria, it will be promoted by the kube-controller-manager to _____ status. Approved
Does a user need a Role and RoleBinding to access Kubernetes resources? _____ Yes, under RBAC (or a ClusterRole and ClusterRoleBinding for cluster-wide access); nothing is granted by default.
A RoleBinding grants a role's permissions to a set of users, groups or _____. service accounts
Each request on each stage of its execution generates an audit _____, which is then pre-processed according to a certain audit.k8s.io/v1 Policy object and written to a backend. event
The _____ environment variable holds a list of kubeconfig files KUBECONFIG
_____ objects require a specific backend running in the cluster that implements them, such as Calico or Cilium (Flannel on its own does not enforce them: the API accepts the object but no traffic is blocked). NetworkPolicy
_____ allows cluster administrators to learn about the context of a cluster event: when it happened, where, who initiated it and what it did. Audit
A kubelet's kubeconfig file requires a _____ and a cert to connect to kube-apiserver. key
The root ("/") filesystem on containers should be set as read-only via securityContext._____, because an attacker may escalate privileges by editing operating system files. readOnlyRootFilesystem: true
A RoleBinding grants a role's permissions to a set of _____, groups or service accounts. users
The _____ and ClusterRole Objects contain sets of additive authorization permissions Role
Kubernetes requires PKI certificates for _____ over TLS. authentication
To specify which AppArmor profile a Container should run with, specify the profile as an annotation in the Pod's _____. metadata
Containers in production should run under a Linux non-root user. This is set in _____ via runAsNonRoot: true securityContext
A Certificate Authority key and _____ are required to sign kubelet certificates. certificate
The default _____ that can be used in the API server are ABAC, RBAC, and Webhook. authorization modules
The four audit levels are: _____ Metadata - log a request's user, timestamp, resource, verb, etc. Request - log event metadata and request body. RequestResponse - log event metadata, request body and response bodies. None - don't log these events.
ServiceAccounts are tied to a set of credentials stored as Secrets, which allow _____ to talk to the Kubernetes API. Pods
Once created, a _____ must be approved before it can be signed. CertificateSigningRequest
You can combine ClusterRoles using an _____ aggregationRule
Audit _____ determine what events are recorded and which backends persist the records. policies
Is basic auth a valid authentication method? _____ It was (a static password file via --basic-auth-file); it was removed in Kubernetes 1.19.
_____ is a user-space kernel that can intercept and implement syscalls in userspace, effectively sandboxing the Pod to an environment with low capabilities and restricted seccomp filters. gVisor
You can secure an Ingress by specifying a Secret that contains a TLS _____ and certificate private key
Do you need to distribute a key and signed certificate for each kubelet? _____ Yes - ideally unique ones.
CertificateSigningRequest objects include a PEM-encoded PKCS#10 signing request in the spec._____ field. request
A request to kube-apiserver must include the username of the requester, the requested action, and the _____ affected by the action. object
Your current, in-use cluster context is stored in the _____ file on your local machine. kubeconfig
Any request that presents a valid _____ signed by the cluster's Certificate Authority is considered authenticated. certificate
When an attacker has control of a Kubernetes _____, they may be able to access the cloud provider's user and metadata APIs to exfiltrate credentials of your cloud account. Node
Any request that presents a valid certificate signed by the cluster's _____ is considered authenticated. Certificate Authority
The _____ resource type allows a client to ask for an X.509 certificate be issued, based on a signing request. CertificateSigningRequest
PKI certificates are usually stored in the /etc/kubernetes/_____ directory. pki
_____ (such as LDAP, SAML, Kerberos, etc) can be integrated into Kubernetes by using an authenticating proxy or authenticating webhook. Authentication protocols
Do AppArmor profiles have to be loaded into the kernel on the Node before applying the annotation? _____ Yes - except the container runtime's default AppArmor profile (runtime/default).
The kubelet's _____ flag controls its automatic certificate rotation. It can automatically generate a new key and request a new certificate from the Kubernetes API before the current certificate's expiration. --rotate-certificates
Can Admission controllers act on requests that connect (proxy) to an object? _____ Yes
A kubelet's initial bootstrap credentials for TLS can be either authentication _____ tokens, or "bootstrap" tokens. file
Each request on each stage of its execution generates an audit event, which is then pre-processed according to a certain audit.k8s.io/v1 Policy object and written to a _____. backend
Each _____ on each stage of its execution generates an audit event, which is then pre-processed according to a certain audit.k8s.io/v1 Policy object and written to a backend. request
Can Admission controllers act on requests that delete an object? _____ Yes
A request to kube-apiserver must include the username of the requester, the requested _____, and the object affected by the action. action
If a request cannot be authenticated, it is _____ rejected with status code 401
_____ objects define rules about what events should be recorded and what data they should include. audit.k8s.io/v1 kind: Policy
AppArmor profiles are specified per _____ Container
When TLS bootstrapping, the _____ must be able to authenticate as a user with the rights to create and retrieve CertificateSigningRequests kubelet
etcd should have authentication, be firewalled and _____ at rest. encrypted
Should you run etcd on dedicated nodes? _____ Yes
A _____ will initially have Pending status. If it meets specific criteria, it will be promoted by the kube-controller-manager to Approved status. CertificateSigningRequest
After the request is authenticated as coming from a valid user, the request must then be _____ to check if it's allowed. authorized
_____ allows defining privilege and access controls per Pod or per Container. securityContext
If a container has network access to a /metrics endpoint, what does that mean for security? _____ Attackers could potentially find almost everything about the cluster from inside the container by reading cAdvisor/Heapster output at the endpoint.
Groups are a set of strings, each of which indicates _____. a user's membership
Logstash can be used to collect/distribute Kubernetes audit events from the _____ webhook audit backend
Whenever a kubelet retrieves a new signed certificate from the Kubernetes API it will write it to _____ the disk
The KUBECONFIG environment variable holds _____ a list of kubeconfig files
Once an attacker controls a container, there is risk they might obtain control of the _____ it runs on, and then the internal cluster network. Node
An attacker may download exploits directly into a container if its Pod has free access to _____. the Internet
A _____ resource is used to request that a certificate be signed by a denoted signer, after which the request may be approved or denied before finally being signed. CertificateSigningRequest
Admission Control Modules can access contents of Kubernetes objects that are being created or _____. modified
In order to auto-approve kubelet client CertificateSigningRequests, you must allow the _____ to approve them (the requester needs RBAC permission on certificatesigningrequests/nodeclient). kube-controller-manager
Audit logging increases the memory consumption of the _____ because some context required for auditing is stored for each request. kube-apiserver
Kubernetes determines the _____ of an incoming request from the common name field in the subject field of the certificate (e.g., "/CN=katademy") username
Admission Control Modules can _____ or reject requests. modify
Kubernetes authentication examines the incoming HTTP request's _____ and certificate. headers
Audit records begin their lifecycle inside the _____ Kubernetes component. kube-apiserver
When a request reaches _____, it goes through stages: Authentication, Authorization, Admission Control kube-apiserver
When a request reaches kube-apiserver, it goes through stages: Authentication, _____, Admission Control Authorization
The kube-apiserver should have a _____ restricting it to be accessible only by specific IPs. firewall
Do you need to distribute the CA private key to each kubelet? _____ No - only the control-plane nodes where signing happens hold the key; each kubelet still needs the CA's public certificate to verify kube-apiserver.
_____ persist audit events to an external storage. Audit backends
The _____ group represents authenticated users. system:authenticated
A service mesh can trace and profile requests happening inside a cluster. You can then find and disable requests that aren't expected to ever happen, for ex. via a _____. NetworkPolicy
Any request that presents a valid certificate signed by the cluster's Certificate Authority is considered _____. authenticated
Can using standardized, base images for all of your Containers improve overall workload security? _____ Yes. If the base image is secured by default, child images will inherit these upgrades.
Should you minimise user privilege inside your containers in production? _____ Yes
A _____'s spec.signerName field denotes the recipient that the request is being made to. CertificateSigningRequest
Attackers can break out of the _____ by exploiting the container runtime, kernel etc. Container
_____ audit failures might suggest a misconfigured service account, or the presence of an attacker. RBAC
A request is authorized if an existing policy declares that the user has permissions to complete the requested _____ on the given object. action
A _____ grants a role's permissions to a set of users, groups or service accounts. RoleBinding
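Added example, not one of the deck's cards: a namespaced Role, the RoleBinding that grants it to a user, a group and a service account, and a ClusterRole built with an aggregationRule. The namespace, subject names and the aggregation label are assumptions.

```yaml
# Added example (not from the deck). Namespace, names and the
# rbac.example.com label are assumptions for illustration.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: demo
  name: pod-reader
rules:
  - apiGroups: [""]                    # "" is the core API group
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]    # read-only: no create, delete or exec
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: demo
  name: read-pods
subjects:
  - kind: User                         # the username the authenticator produced (e.g. the cert CN)
    name: katademy
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: sre-oncall
    apiGroup: rbac.authorization.k8s.io
  - kind: ServiceAccount               # service accounts are namespaced, so the namespace is required
    name: log-shipper
    namespace: demo
roleRef:                               # a binding can only ever point at one role
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# Aggregated ClusterRole: the controller fills in .rules from every ClusterRole
# that carries the selected label, so teams extend "monitoring" by adding
# labelled ClusterRoles instead of editing this object.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitoring
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        rbac.example.com/aggregate-to-monitoring: "true"
rules: []                              # managed by the control plane; anything written here is overwritten
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitoring-endpoints
  labels:
    rbac.example.com/aggregate-to-monitoring: "true"
rules:
  - apiGroups: [""]
    resources: ["services", "endpoints", "pods"]
    verbs: ["get", "list", "watch"]
```

After applying, check the result from the subject's point of view instead of reading the objects back: `kubectl auth can-i list pods -n demo --as katademy` should print yes, `kubectl auth can-i delete pods -n demo --as katademy` should print no, and `kubectl auth can-i --list --as system:serviceaccount:demo:log-shipper -n demo` shows everything that service account can do, including whatever other bindings grant it.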
When multiple NetworkPolicy objects select the same Pod, it becomes restricted to what is allowed by the _____ of those policies' ingress/egress rules. union
Are service accounts bound to specific namespaces? _____ Yes
_____ like fluentd can be used to collect/distribute Kubernetes audit events from log files Log collectors
Can Admission controllers act on requests that read an object? _____ No
When kubelet starts, it looks for its _____ file and its credentials (normally a TLS key and signed certificate), then retrieves the kube-apiserver URL and attempts to communicate with it. kubeconfig
Audit backends persist audit events to _____. an external storage
The _____ audit backend writes events to a file on disk log
"The root (""/"") filesystem on containers should be set as read-only via securityContext.readOnlyRootFilesystem: true, because _____." an attacker may escalate privileges by editing operating system files
Does a service mesh make your workloads more isolated by default? _____ Yes
Kubernetes determines the username of an incoming request from the common name field in the subject field of the certificate (e.g., "_____") /CN=katademy
To improve security, you could ideally collect logs from all containers - but especially RBAC _____ logs. access/deny
Your current, in-use cluster namespace is stored in the _____ file on your local machine. kubeconfig
Each request on each stage of its execution generates an audit event, which is then pre-processed according to a certain _____ object and written to a backend. audit.k8s.io/v1 Policy
Pods that need to connect to the apiserver can automatically inject the _____ and valid bearer token into themselves via a service account. public root certificate
Are passwords a valid Kubernetes authentication module? _____ Yes
Restricting access to your cluster nodes (especially _____ nodes) can prevent further privilege escalation to your cloud provider platform. master
Should you be able to freely send network traffic to etcd from the cluster? _____ No
A _____ object can prevent an attacker inside one Pod from running the services of another Pod NetworkPolicy
Audit logging increases the memory consumption of the kube-apiserver because some context required for auditing is stored for each _____. request
Potentially insecure Linux _____ (such as "all", "CHOWN", "NET_RAW", "SETPCAP") can be disabled via securityContext. capabilities
The four audit levels are: None - don't log these events. Metadata - log a request's user, timestamp, resource, verb, etc. _____ RequestResponse - log event metadata, request body and response bodies. Request - log event metadata and request body.
Potentially insecure Linux capabilities (such as "all", "CHOWN", "NET_RAW", "SETPCAP") can be disabled via _____. securityContext
After the request is _____ as coming from a valid user, the request must then be authorized to check if it's allowed. authenticated
The four audit levels are: None - don't log these events. _____ Request - log event metadata and request body. RequestResponse - log event metadata, request body and response bodies. Metadata - log a request's user, timestamp, resource, verb, etc.
An Admission Controller Module rejects a request. What happens to the request? _____ It is immediately rejected.
Setting securityContext._____ to False makes it harder to escalate privileges inside a Container. allowPrivilegeEscalation
By default, requests to the kubelet's HTTPS endpoint that are not rejected by other configured authentication methods are treated as _____ requests. anonymous
_____ objects include a PEM-encoded PKCS#10 signing request in the spec.request field. CertificateSigningRequest
Are bearer tokens a valid authentication method? _____ Yes
When an event is processed, it's compared against the list of audit.k8s.io/v1/Policy rules in order. The first matching rule sets the _____ of the event. audit level
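Added example, not one of the deck's cards: an audit.k8s.io/v1 Policy that uses all four levels. Rules are evaluated top to bottom and the first match wins, so the narrow rules are listed before the catch-all. The resource and user choices are assumptions about what a typical cluster wants recorded.

```yaml
# Added example (not from the deck). Which resources get which level is an
# assumption for illustration; adjust to what your cluster actually runs.
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage everywhere: it roughly halves event volume
# and the later stages carry the same identity fields plus the outcome.
omitStages:
  - "RequestReceived"
rules:
  # Secrets and tokens: record who touched them, never the payload.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps", "serviceaccounts/token"]
  # RBAC changes are rare and high value: keep request and response bodies.
  - level: RequestResponse
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
  # Writes to workloads and exec/port-forward: the request body is enough to
  # reconstruct what was changed or run.
  - level: Request
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""
        resources: ["pods", "pods/exec", "pods/portforward"]
      - group: "apps"            # no resources list: every resource in the group
  # Noisy, low-value read traffic from in-cluster components.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get"]
    resources:
      - group: ""
        resources: ["nodes"]
  # Catch-all: anything not matched above is logged at Metadata level. Without
  # this final rule unmatched requests would not be recorded at all.
  - level: Metadata
```

Order matters: a `delete` of a Secret matches the first rule and is recorded at Metadata, not at Request, which is the intent (no Secret contents in the log). Point kube-apiserver at the file with `--audit-policy-file` and pick a backend with `--audit-log-path` or `--audit-webhook-config-file`.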
A kubelet's kubeconfig file requires a key and a _____ to connect to kube-apiserver. cert
True or False? Kubernetes automatically applies its Container Runtime's default seccomp and AppArmor profiles to Pods and Containers. _____ False!!! A Container running on Kubernetes has FEWER restrictions applied to it by default than if it were run directly on a Container Runtime (seccomp is Unconfined unless you set securityContext.seccompProfile or enable seccompDefault in the kubelet). Go set them now!
Are client certificates a valid authentication method? _____ Yes
A CertificateSigningRequest will initially have Pending status. If it meets specific criteria, it will be promoted by the _____ to Approved status. kube-controller-manager
securityContext allows defining privilege and access controls per _____ or per Container. Pod
Should you enforce image signing in production? _____ Yes
Once a _____ selects a particular Pod, that Pod will reject any connections that are not explicitly allowed by it. NetworkPolicy
Kubernetes requires _____ certificates for authentication over TLS. PKI
Log collectors like fluentd can be used to collect/distribute Kubernetes audit events from _____ log files
Once Cluster TLS is established, incoming requests can begin the _____ step when trying to communicate to the cluster. Authentication
Pods that need to connect to the apiserver can automatically inject the public root certificate and valid _____ into themselves via a service account. bearer token
A request is authorized if an existing policy declares that the user has permissions to complete the requested action on the given _____. object
Can Admission controllers act on requests that create an object? _____ Yes
When a request reaches kube-apiserver, it goes through stages: Authentication, Authorization, _____ Admission Control
Tools like _____ or Kata Containers can "sandbox" Pods on the same host from each other, giving you an extra layer of isolation. gVisor
The kubelet uses _____ for authenticating to the Kubernetes API. certificates (with 1 year expiration)
You can secure an Ingress by specifying a Secret that contains a TLS private key and _____ certificate
Is admission control's NodeRestriction enabled by default? _____ No! It is not in kube-apiserver's default plugin list; kubeadm adds it via --enable-admission-plugins=NodeRestriction. Verify on your cluster.
You should usually use at least two methods of authentication in your cluster: one for human users and one for _____. service accounts
Containers in production should run under a Linux non-root user. This is set in securityContext via _____ runAsNonRoot: true
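Added example, not one of the deck's cards: one Pod spec that combines the securityContext settings from the cards above with the token-mount setting. The image, registry and numeric IDs are assumptions.

```yaml
# Added example (not from the deck). Image, registry and uid/gid values are
# assumptions; everything else is the settings the cards describe.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app
  namespace: demo
spec:
  # This Pod never talks to kube-apiserver, so give it no token to steal.
  automountServiceAccountToken: false
  securityContext:                      # Pod level: inherited by every container
    runAsNonRoot: true                  # kubelet refuses to start the container as uid 0
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault              # not applied for you unless set here or via seccompDefault
  containers:
    - name: app
      image: registry.internal.example/app:1.2.3   # private registry; pin a digest in production
      securityContext:                  # Container level: overrides the Pod level where both are set
        allowPrivilegeEscalation: false # no setuid binaries or file capabilities gaining privilege
        readOnlyRootFilesystem: true    # / cannot be modified, so OS files cannot be tampered with
        capabilities:
          drop: ["ALL"]                 # drop everything; add back single capabilities only if needed
        # appArmorProfile: {type: RuntimeDefault}   # Kubernetes >= 1.30; earlier: Pod annotation
      volumeMounts:
        - name: tmp
          mountPath: /tmp               # writable scratch space, since / is read-only
  volumes:
    - name: tmp
      emptyDir: {}
```

If the application legitimately needs one capability (binding a port below 1024, for instance) add only that one under `capabilities.add` rather than weakening the drop list. With `readOnlyRootFilesystem` on, anything the process writes must go to an explicitly mounted volume, which is also where to look when something fails to start.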
Is Kubelet RBAC enabled by default? _____ No!!! The kubelet's own authorization mode defaults to AlwaysAllow; set --authorization-mode=Webhook (authorization.mode: Webhook in KubeletConfiguration) so it delegates to kube-apiserver's RBAC.
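Added example, not one of the deck's cards: a kubeadm configuration file that turns on the controls the cards say are off by default, for both kube-apiserver and the kubelet. File paths are kubeadm's usual defaults on a control-plane host and the audit policy file is assumed to already exist there.

```yaml
# Added example (not from the deck). Paths assume a kubeadm control-plane host
# and an existing /etc/kubernetes/audit-policy.yaml.
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
apiServer:
  extraArgs:
    authorization-mode: "Node,RBAC"                      # never AlwaysAllow
    enable-admission-plugins: "NodeRestriction"          # a kubelet may only modify its own Node and Pods
    kubelet-certificate-authority: "/etc/kubernetes/pki/ca.crt"   # verify kubelet serving certs: closes the MITM gap
    audit-policy-file: "/etc/kubernetes/audit-policy.yaml"
    audit-log-path: "/var/log/kubernetes/audit.log"      # "log" backend; add a webhook backend for off-host shipping
    audit-log-maxage: "30"
  extraVolumes:                                          # the apiserver is a static Pod: mount the files in
    - name: audit-policy
      hostPath: /etc/kubernetes/audit-policy.yaml
      mountPath: /etc/kubernetes/audit-policy.yaml
      readOnly: true
      pathType: File
    - name: audit-log
      hostPath: /var/log/kubernetes
      mountPath: /var/log/kubernetes
      pathType: DirectoryOrCreate
---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false                 # unauthenticated requests get 401 instead of "anonymous"
  webhook:
    enabled: true                  # validate bearer tokens against kube-apiserver
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: Webhook                    # delegate to kube-apiserver RBAC instead of AlwaysAllow
readOnlyPort: 0                    # no unauthenticated read-only port
rotateCertificates: true           # same as --rotate-certificates: renew the client cert before expiry
serverTLSBootstrap: true           # request a CA-signed serving cert via CSR instead of self-signing one
seccompDefault: true               # apply the runtime's default seccomp profile to every container
protectKernelDefaults: true        # fail instead of silently rewriting kernel settings
```

Pass the file with `kubeadm init --config`. Note that `serverTLSBootstrap` makes each kubelet submit a `kubernetes.io/kubelet-serving` CSR which is not auto-approved, so those requests must be approved (`kubectl certificate approve`) or an approver must be deployed; until then the kubelet keeps serving with its self-signed certificate and `kubelet-certificate-authority` on the apiserver will reject it.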
