How to prepare for Certified Kubernetes Security Specialist (CKS)
I finally received my CKS certification, though I failed in my first attempt. It was a good learning experience for me, trying to gain some more understanding about Kubernetes underlying components and architecture.
You can verify my certificate here.
If you are interested in watching the video, here is the YouTube video covering the same material outlined in detail below.
Here are some of the resources that I followed for this certification and would like to share.
Books
- Learn Kubernetes Security by Kaizhe Huang and Pranjal Jumde – This is a good old book covering the Kubernetes security hardening concepts. Some of the tools used may have been deprecated since, but you get to know what you are supposed to achieve and can look out for similar tools available currently.
- Hacking and Securing Docker Containers by Srinivasarao Kotipalli – an optional read to get a better understanding of container technology.
Course
- CKS by Kim Wuestkamp, now available for free on YouTube – a comprehensive course, well structured to align with the CKS certification curriculum.
Kubernetes Documentation
You must go through the documentation to learn about the changes in the latest Kubernetes version and try to apply them to your cluster. A few things, such as Pod Security Policies, were deprecated and replaced by the new Pod Security Standards. Ingress features are frozen, and new functionality is being added to the Gateway API instead.
Service Accounts
Service accounts are like system accounts used by Pods. When Pods contact the API server, they authenticate as a particular ServiceAccount. Go through how you configure a Pod to use a custom service account, which can then be mapped to a particular Role through a RoleBinding to grant the required level of access to cluster resources.
Secrets
Secret objects play a very important role in securing the confidential data in the Kubernetes cluster. A Secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Be comfortable securing confidential data in the form of strings and files, and know how these Secret objects can be consumed from within a Pod. Get a basic understanding of the different types of Secrets that can be created and their use cases.
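The two ways of consuming a Secret described above, as an added example that is not part of the original post: a Secret created from plain strings, read once as a file (the preferred way, since it is not visible in the process environment) and once as an environment variable. The namespace, names and image are assumptions, and the credential values are constructed placeholders.

```yaml
# Added example, not from the original post: Secret created from strings,
# consumed as a read-only file and as an env var. Names, namespace and image
# are assumptions; the values are constructed placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: db-creds
  namespace: payments
type: Opaque          # generic key/value Secret (others: kubernetes.io/tls, kubernetes.io/dockerconfigjson)
stringData:           # plain text here; the API server stores it base64-encoded under "data"
  username: payments_app
  password: REPLACE_ME_placeholder
---
apiVersion: v1
kind: Pod
metadata:
  name: payments-api
  namespace: payments
spec:
  securityContext:
    runAsUser: 10001
    fsGroup: 10001    # Secret files are group-owned by fsGroup, so 0440 below is readable
  containers:
    - name: api
      image: registry.example.com/payments-api:2.0   # placeholder image
      env:
        - name: DB_USER               # value injected from one key of the Secret
          valueFrom:
            secretKeyRef:
              name: db-creds
              key: username
      volumeMounts:
        - name: creds
          mountPath: /etc/creds
          readOnly: true
  volumes:
    - name: creds
      secret:
        secretName: db-creds
        defaultMode: 0440             # no world-readable bits inside the container
        items:
          - key: password             # project only the key this Pod needs
            path: db-password
```

Inside the container the password is then at /etc/creds/db-password, while `kubectl get secret db-creds -n payments -o yaml` shows only the base64-encoded data, which is why encryption at rest and RBAC on Secrets still matter.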
Auditing
Auditing plays a very important role in capturing the events that occur in the Kubernetes cluster. You should be comfortable updating the Kubernetes audit policy to filter events and to choose how much of each request is recorded in the logs. Have a look at all the options that can be used to configure the Kubernetes API server to support an audit policy.
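An audit policy of the kind described above, added here as an example that is not from the original post. It shows the four audit levels in practice: Secret access is logged at Metadata level only (so Secret values never reach the log), RBAC changes keep the full request and response, and read-only control-plane noise is dropped. The file path in the usage note is an assumption.

```yaml
# Added example, not from the original post. Rules are matched top to bottom
# and the first matching rule decides the level, so the most specific rules
# come first and the catch-all comes last.
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - RequestReceived            # log each request once, when the response completes
rules:
  # Never log the bodies of Secrets, ConfigMaps or token reviews: metadata only.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
      - group: "authentication.k8s.io"
        resources: ["tokenreviews"]
  # RBAC changes are security relevant: keep the full request and response bodies.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
  # Workload changes and interactive access: request body, but not the response.
  - level: Request
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""
        resources: ["pods", "pods/exec", "pods/portforward"]
  # Drop the high-volume read-only traffic generated by control-plane components.
  - level: None
    users: ["system:kube-proxy", "system:kube-scheduler"]
    verbs: ["get", "list", "watch"]
  # Everything else: who did what to which object, without bodies.
  - level: Metadata
```

Wire it into kube-apiserver (usually the static Pod manifest under /etc/kubernetes/manifests, with the policy and log directories mounted as hostPath volumes) using `--audit-policy-file=/etc/kubernetes/audit/policy.yaml --audit-log-path=/var/log/kubernetes/audit/audit.log --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100`; the API server restarts when the manifest changes, so check it comes back before moving on.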
Admission Controllers
An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized. Go through and get a basic idea of how to enable an admission controller and how it affects the request object. You may need to update the kube-apiserver configuration to use a particular admission controller.
RBAC Authorization
Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within your organization. Roles can be granted to both users and ServiceAccounts using RoleBindings. You should be comfortable creating and updating Roles and RoleBindings using the imperative commands.
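The ServiceAccount, Role and RoleBinding chain from the two sections above, as an added example that is not from the original post: a least-privilege account that may only read ConfigMaps in its own namespace, and a Pod that runs as it. The namespace "payments", the object names and the image are assumptions.

```yaml
# Added example, not from the original post. Namespace, names and image are
# assumptions. Token automounting is off on the ServiceAccount and enabled
# only on the Pod that really needs to talk to the API server.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cfg-reader
  namespace: payments
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configmap-reader
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list"]            # no write verbs, and no access to Secrets
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cfg-reader-binding
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: cfg-reader
    namespace: payments
roleRef:
  kind: Role                          # a RoleBinding may also reference a ClusterRole
  name: configmap-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: reporter
  namespace: payments
spec:
  serviceAccountName: cfg-reader
  automountServiceAccountToken: true  # this Pod opts in to receiving a token
  containers:
    - name: app
      image: registry.example.com/reporter:1.4.2   # placeholder image
```

The imperative equivalents are `kubectl create role configmap-reader --verb=get,list --resource=configmaps -n payments` and `kubectl create rolebinding cfg-reader-binding --role=configmap-reader --serviceaccount=payments:cfg-reader -n payments`. Verify the result with `kubectl auth can-i get configmaps --as=system:serviceaccount:payments:cfg-reader -n payments` (expect yes) and the same for `secrets` (expect no).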
Pod Security Admission
Pod Security Admission places requirements on a Pod's Security Context and other related fields according to the three levels defined by the Pod Security Standards: privileged, baseline, and restricted. Pod security restrictions are applied at the namespace level when Pods are created.
Network Policies
Network policies play an important role in restricting or filtering traffic at the IP address or port level for the TCP, UDP and SCTP protocols. Be comfortable creating and applying network policies to the required Pods, and have a good understanding of what ingress and egress traffic means.
Ingress
Ingress is an API object that manages external access to the services in a cluster, typically HTTP. Try to play with the Ingress object by creating a set of workloads and services and accessing them through an Ingress in a secure manner.
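An Ingress that exposes a Service over TLS, as an added example that is not from the original post. The host name, the Secret and Service names, and the ingress class (and its HTTP-to-HTTPS redirect annotation, which is specific to ingress-nginx) are assumptions.

```yaml
# Added example, not from the original post. Host, names and ingress class are
# assumptions. TLS terminates at the ingress controller using the certificate
# and key stored in a kubernetes.io/tls Secret in the same namespace.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: payments-ingress
  namespace: payments
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"   # ingress-nginx: redirect HTTP to HTTPS
spec:
  ingressClassName: nginx
  tls:
    - hosts: ["payments.example.com"]
      secretName: payments-tls      # kubernetes.io/tls Secret holding tls.crt and tls.key
  rules:
    - host: payments.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: payments-api
                port:
                  number: 8443
```

Create the certificate Secret first with `kubectl create secret tls payments-tls --cert=tls.crt --key=tls.key -n payments`; a host listed under `rules` but missing from `tls.hosts` is served without TLS, so keep the two lists in sync.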
Runtime Class
RuntimeClass is a feature for selecting the container runtime configuration used to run a Pod's containers. If you need to run a set of workloads or Pods in a different runtime environment, you should be comfortable installing that runtime and getting Pods running in that customised runtime environment.
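A RuntimeClass that selects a sandboxed runtime and a Pod that opts into it, as an added example that is not from the original post. It assumes gVisor's runsc has been installed and registered in containerd on the nodes carrying the (assumed) label runtime=gvisor.

```yaml
# Added example, not from the original post. The handler name must match a
# runtime configured in containerd on the node, e.g. the containerd config
# table plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc with
# runtime_type = "io.containerd.runsc.v1". The node label is an assumption.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
scheduling:
  nodeSelector:
    runtime: gvisor                 # only schedule onto nodes where runsc is installed
---
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-tool
spec:
  runtimeClassName: gvisor          # omit this line and the Pod runs on the default runtime
  containers:
    - name: tool
      image: registry.example.com/untrusted-tool:0.3   # placeholder image
```

A quick check that the sandbox is really in use is `kubectl exec untrusted-tool -- dmesg`, which inside gVisor prints gVisor's own kernel messages rather than the host's.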
Upgrade Cluster
Upgrading a cluster is the most important aspect of ensuring that your Kubernetes cluster is up to date with the latest vulnerability fixes and enhancements. Be comfortable with how you upgrade a Kubernetes cluster's control plane and worker nodes.
Securing Components
Go through all the important configuration options related to the Kubernetes components (i.e. apiserver, controller-manager, scheduler, kube-proxy and kubelet) and understand which configuration options, when applied, will make your Kubernetes cluster more secure.
Security Context
A security context defines privilege and access control settings for a Pod or Container. Play with all the security context settings that can be applied at the Pod or container level to ensure that Pods are only allowed to do what is declared in the security context object.
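The Pod Security Admission and Security Context sections above fit together, so here is one added example (not from the original post) covering both: a namespace that enforces the restricted Pod Security Standard, and a Pod whose securityContext satisfies it. The namespace name and image are assumptions.

```yaml
# Added example, not from the original post. Namespace name and image are
# assumptions. The labels turn on Pod Security Admission for the namespace;
# the Pod below is the minimum that passes the "restricted" profile.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    pod-security.kubernetes.io/enforce: restricted          # reject violating Pods
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted             # also warn the client...
    pod-security.kubernetes.io/audit: restricted            # ...and annotate the audit event
---
apiVersion: v1
kind: Pod
metadata:
  name: payments-api
  namespace: payments
spec:
  securityContext:                    # Pod level: inherited by every container
    runAsNonRoot: true
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault            # required by "restricted"
  containers:
    - name: api
      image: registry.example.com/payments-api:2.0   # placeholder image
      securityContext:                # container level: overrides the Pod level
        allowPrivilegeEscalation: false   # required by "restricted"
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]               # required; only NET_BIND_SERVICE may be added back
      volumeMounts:
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}                    # writable scratch space despite the read-only root
```

Before tightening an existing namespace, `kubectl label --dry-run=server --overwrite ns payments pod-security.kubernetes.io/enforce=restricted` lists the Pods that would be rejected without changing anything; removing `drop: ["ALL"]` from the Pod above shows the admission error you would get.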
CIS benchmarking
The Kubernetes cluster consists of different components running on both the control plane and the worker nodes. We need to ensure that these components adhere to the CIS benchmark by scanning the Kubernetes component configurations and settings using the kube-bench tool. Download the CIS Benchmark for Kubernetes PDF and go through all the configuration settings that can be applied to the cluster components to security harden the cluster.
Dockerfile and Kubernetes yaml definition hardening
Pods are the smallest deployable units of computing that you can create and manage in Kubernetes. These Pods are nothing but a set of containers that are instantiated from an image. We build images using a Dockerfile and deploy Kubernetes workloads using YAML definition files for the different workload types. Be comfortable hardening and securing your Docker images and Kubernetes workloads by applying and modifying the required options or settings in these files.
You can go through the “Overview of best practices for writing Dockerfiles” to understand how to build an efficient image.
Trivy
Trivy is the most popular open source security scanner, reliable, fast, and easy to use. Use Trivy to find vulnerabilities and IaC misconfigurations, SBOM discovery, cloud scanning, Kubernetes security risks, and more.
You should be comfortable using this tool to identify the vulnerabilities in any image used by any container in the Kubernetes cluster. Play around with the different options that you can pass to Trivy, validate the results and get comfortable with it.
Falco
Falco provides near real-time threat detection for cloud, container, and Kubernetes workloads by leveraging runtime insights.
You should be comfortable installing Falco and updating its configuration and rules as per the requirement. Have a look at all the output fields that can be used to customize the log format.
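A Falco rules file of the kind described above, as an added example that is not from the original post: it alerts when an interactive shell starts inside a container, with an output line assembled from Falco's standard output fields. The rules.d path in the lead-in comment is an assumption about the install.

```yaml
# Added example, not from the original post. Drop into /etc/falco/rules.d/
# (path is an assumption). Each %field in "output" is a Falco output field;
# the same fields are available when switching to JSON output.
- list: shell_binaries
  items: [bash, sh, zsh, dash, ash]

- rule: Shell Spawned in Container
  desc: An interactive shell started inside a container (debugging left enabled, or a break-in)
  condition: >
    evt.type in (execve, execveat) and evt.dir = < and
    container.id != host and
    proc.name in (shell_binaries) and
    proc.tty != 0
  output: >
    Shell in container
    (time=%evt.time user=%user.name uid=%user.uid
     container=%container.id image=%container.image.repository:%container.image.tag
     ns=%k8s.ns.name pod=%k8s.pod.name
     proc=%proc.name cmd=%proc.cmdline parent=%proc.pname)
  priority: WARNING
  tags: [container, shell, mitre_execution]
```

Check the file loads with `falco -r /etc/falco/rules.d/shell.yaml -L`, which lists the rules Falco parsed; `-o json_output=true` switches the alert format to JSON for shipping to a SIEM.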
ETCD
etcd is the persistent store used by the Kubernetes cluster to hold the cluster configuration data. We need to be comfortable securing the etcd server, as it holds the important data about the cluster. You should also be able to encrypt the data at rest and in transit. Check on the security-related configuration that can be applied to the etcd server to make it more secure.
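Encryption at rest for Secrets, as an added example that is not from the original post: the EncryptionConfiguration that kube-apiserver uses before writing to etcd (transport security is handled separately by etcd's own TLS flags). The file path is an assumption and the key is a constructed placeholder.

```yaml
# Added example, not from the original post. The key is a constructed
# placeholder: generate a real one with `head -c 32 /dev/urandom | base64`.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets                       # add configmaps etc. here if they hold sensitive data
    providers:
      # The first provider encrypts new writes; every listed provider is tried on read.
      - aescbc:
          keys:
            - name: key1
              secret: PLACEHOLDER_32_BYTE_BASE64_KEY=
      # "identity" (plaintext) stays last so existing unencrypted Secrets can
      # still be read until they have been rewritten; remove it afterwards.
      - identity: {}
```

Enable it with `--encryption-provider-config=/etc/kubernetes/enc/enc.yaml` on kube-apiserver (mounted via hostPath), rewrite existing objects with `kubectl get secrets -A -o json | kubectl replace -f -`, and confirm with `ETCDCTL_API=3 etcdctl --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key get /registry/secrets/payments/db-creds` that the stored value now begins with `k8s:enc:aescbc:v1:key1`.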
Coming to the exam, it is a 2-hour test in which you need to work on several clusters carrying out security hardening tasks. The more you practice and the better versed you get with the imperative commands, the easier it will become. Stay calm and try to get things right on the first go, as you may not have much time left by the time you get to the last question. There are around 15 – 20 questions in 120 minutes, giving 4 – 5 minutes on average per question; if you don’t feel you will be able to do one, flag it and come back to it if you have any time left.
ADDITIONAL RESOURCES
Kubernetes Hardening Guide by National Security Agency and Cybersecurity and Infrastructure Security Agency
Linux Foundation Certification Exam: Candidate Handbook (using PSI BRIDGE Proctoring platform)
IMPORTANT
Please ensure that you validate the changes you make to the cluster components, and that the components come back up after the changes are applied.
Don’t panic if you fail in the first attempt, as there is always a second chance. You just got a chance to get better at the topics you could not perform well on.
Happy learning!!