CKS (Certified Kubernetes Security Specialist) #
2024 Exam Questions #
CKS Goal #
https://devopscube.com/cks-exam-guide-tips/
Exam Objectives #
- Cluster Setup - 10%
- Cluster Hardening - 15%
- System Hardening - 15%
- Minimize Microservice Vulnerabilities - 20%
- Supply Chain Security - 20%
- Monitoring, Logging and Runtime Security - 20%
🌈 Cluster Setup - 10% #
Use Network security policies to restrict cluster level access
Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
- kube-bench: checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.
Properly set up Ingress objects with security control
Protect node metadata and endpoints
Use a Kubernetes NetworkPolicy to restrict pods' access to the cloud metadata service
- This example assumes AWS, where the instance metadata service (IMDS) answers on 169.254.169.254. That address is blocked while all other external addresses stay reachable.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-only-cloud-metadata-access
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 169.254.169.254/32
```
- Caveats: a NetworkPolicy is namespaced, so it has to be created in every namespace that should be covered; it only works with a CNI that enforces policy; it does not protect pods running with `hostNetwork: true`; and `ipBlock` is intended for cluster-external addresses, so if pod-to-pod or DNS traffic breaks with a given CNI, add a `namespaceSelector: {}` egress rule alongside it.
Verify platform binaries before deploying
Kubernetes release binaries are published with a **sha512** digest; verify the digest before installing
- Check the Kubernetes release page (or `https://dl.k8s.io/release/<version>/bin/<os>/<arch>/<binary>.sha512`) for the checksum of the specific release
- Check the changelog for the container images and their digests
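The check itself, as an added example that is not part of the original page: a small shell function that compares a downloaded binary against its published sha512 file. The real flow fetches `kubectl` and `kubectl.sha512` from `dl.k8s.io`; here a stand-in "binary" and its checksum are constructed locally so the script runs offline, and a tampered copy shows the check failing.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): verify a Kubernetes binary
# against its published SHA-512 checksum before installing it.
# Real downloads (version is a placeholder):
#   curl -LO "https://dl.k8s.io/release/v1.30.0/bin/linux/amd64/kubectl"
#   curl -LO "https://dl.k8s.io/release/v1.30.0/bin/linux/amd64/kubectl.sha512"
set -u

# Portable SHA-512: coreutils sha512sum on Linux, shasum on macOS.
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | awk '{print $1}'
  else
    shasum -a 512 "$1" | awk '{print $1}'
  fi
}

# verify_sha512 FILE CHECKSUM_FILE
# Returns 0 only when FILE's digest equals the first field of CHECKSUM_FILE.
# (The equivalent one-liner is: echo "$(cat FILE.sha512)  FILE" | sha512sum --check
#  -- note the two spaces between hash and filename.)
verify_sha512() {
  local file="$1" checksum_file="$2"
  local expected actual
  expected=$(awk '{print $1}' "$checksum_file")
  actual=$(sha512_of "$file")
  if [ "$expected" = "$actual" ]; then
    echo "$file: OK"
    return 0
  fi
  echo "$file: FAILED (expected $expected, got $actual)" >&2
  return 1
}

# Constructed demo: a fake "kubectl" plus its checksum, then a tampered copy.
# Returns 0 when the intact file verifies and the tampered file is rejected.
demo_verify() {
  local dir
  dir=$(mktemp -d)
  printf 'fake kubectl binary\n' > "$dir/kubectl"
  sha512_of "$dir/kubectl" > "$dir/kubectl.sha512"   # stands in for the published .sha512
  verify_sha512 "$dir/kubectl" "$dir/kubectl.sha512" || { rm -rf "$dir"; return 1; }
  printf 'tampered\n' >> "$dir/kubectl"              # simulate a modified download
  if verify_sha512 "$dir/kubectl" "$dir/kubectl.sha512" 2>/dev/null; then
    rm -rf "$dir"; return 1                          # must NOT verify
  fi
  rm -rf "$dir"
  return 0
}

demo_verify
```

Only install the binary after `verify_sha512` returns 0; a checksum fetched over the same channel as the binary only proves integrity of the download, not authenticity, so fetch both over HTTPS from the official host.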
🌈 Cluster Hardening - 15% #
Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones
Opt out of automounting API credentials for a service account
Opt out at service account scope #
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
automountServiceAccountToken: false
```
Opt out at pod scope #
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: cks-pod
spec:
  serviceAccountName: default
  automountServiceAccountToken: false
```
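The "minimize permissions on newly created ones" half of the objective, as an added example that is not from the original page: a purpose-built service account with read-only access to one resource type in one namespace, bound with a Role rather than anything cluster-wide, and mounted only into the pod that needs it. The namespace `ci`, the names and the image are placeholders.

```yaml
# Added example (not from the original page). Names are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
  namespace: ci
automountServiceAccountToken: false   # default off; pods opt in explicitly
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configmap-reader
  namespace: ci
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list"]     # no watch/create/update/delete, and no secrets
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: build-robot-configmap-reader
  namespace: ci
subjects:
- kind: ServiceAccount
  name: build-robot
  namespace: ci
roleRef:
  kind: Role                 # namespaced Role, not a ClusterRole
  name: configmap-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: build-job
  namespace: ci
spec:
  serviceAccountName: build-robot
  automountServiceAccountToken: true   # pod-level setting overrides the SA default
  containers:
  - name: job
    image: registry.example.com/ci/build-job:1.0
```

Check the result with impersonation: `kubectl auth can-i list configmaps -n ci --as=system:serviceaccount:ci:build-robot` should print `yes`, and `kubectl auth can-i get secrets -n ci --as=system:serviceaccount:ci:build-robot` should print `no`. Leave the namespace's `default` service account with no bindings at all.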
🌈 System Hardening - 15% #
Minimize host OS footprint (reduce attack surface)
Reduce host attack surface
- seccomp (secure computing mode) was originally intended as a means of safely running untrusted compute-bound programs; Kubernetes exposes it per pod or container through `securityContext.seccompProfile`.
- AppArmor can be configured for any application to reduce its potential host attack surface and provide defense in depth.
- Pod Security Admission (PSA) enforces the Pod Security Standards (privileged, baseline, restricted) per namespace.
- Apply host updates
- Install only the minimal required OS footprint
- Identify and address open ports
- Remove unnecessary packages
- Protect access to data with permissions
Using least-privilege identity and access management
Minimize external access to the network
Read here as: deny egress from pods to destinations outside the cluster while leaving pod-to-pod traffic untouched.
- Not yet tested, but the policy below lets every pod in the namespace reach pods in any namespace and denies all other egress (Internet, cloud metadata service, node addresses):
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-external-egress
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector: {}
```
- `namespaceSelector: {}` matches pods, not node IPs, so anything reachable only on a node address (for example a host-network DNS resolver) needs an additional `ipBlock` rule. As with any NetworkPolicy, it only applies in the namespace where it is created.
Appropriately use kernel hardening tools such as AppArmor, seccomp
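A pod that applies both tools, as an added example that is not part of the original page. It assumes a custom seccomp profile already placed on the node at `/var/lib/kubelet/seccomp/profiles/audit.json` (the path in the manifest is relative to the kubelet's seccomp root, `/var/lib/kubelet/seccomp`) and an AppArmor profile named `k8s-deny-write` already loaded on the node with `apparmor_parser`; both names and the image are placeholders.

```yaml
# Added example (not from the original page). Profile names are placeholders
# and must exist on the node that schedules the pod.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-pod
  annotations:
    # AppArmor binding, one annotation per container, keyed by container name.
    # Kubernetes 1.30+ also accepts the field form
    #   securityContext.appArmorProfile: {type: Localhost, localhostProfile: k8s-deny-write}
    container.apparmor.security.beta.kubernetes.io/app: localhost/k8s-deny-write
spec:
  securityContext:
    seccompProfile:
      type: Localhost                       # use RuntimeDefault when no custom profile is needed
      localhostProfile: profiles/audit.json # relative to /var/lib/kubelet/seccomp
  containers:
  - name: app
    image: nginx:1.25
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```

To confirm the profiles took effect, exec into the container and run `grep Seccomp /proc/1/status` (`Seccomp: 2` means filter mode is active) and `cat /proc/1/attr/current` (prints the AppArmor profile name and mode). If the AppArmor profile is not loaded on the node the pod stays in a failed state rather than running unconfined, which is the safe direction.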
🌈 Minimize Microservice Vulnerabilities - 20% #
- Use appropriate pod security standards
- Manage kubernetes secrets
- Understand and implement isolation techniques (multi-tenancy, sandbox containers, etc)
- Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers)
- Implement pod-to-pod encryption using Cilium (transparent WireGuard or IPsec encryption at the CNI layer)
- Implement pod-to-pod encryption by use of mTLS (typically through a service mesh such as Istio or Linkerd)
- check whether service mesh is part of the CKS exam
🌈 Supply Chain Security - 20% #
Minimize base image footprint
Minimize the base image
- Use distroless, UBI minimal, Alpine, or the minimal build of the image relevant to your app (e.g. the slim nodejs or python tags).
- Do not include software the container does not need at runtime, e.g. build tools and utilities, troubleshooting and debug binaries, package managers and shells.
Understand your supply chain (e.g. SBOM, CI/CD, artifact repositories)
Secure your supply chain: whitelist allowed image registries, sign and validate images
- Perform static analysis of user workloads and container images (e.g. kubesec, KubeLinter)
🌈 Monitoring, Logging and Runtime Security - 20% #
Perform behavioural analytics to detect malicious activities
Detect threats within a physical infrastructure, apps, networks, data, users and workloads
Investigate and identify phases of attack and bad actors within the environment
Attack Phases
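The behavioural-analytics item usually means Falco on the exam; as an added example that is not from the original page, here is a Falco rule that fires when an interactive shell is started inside a container, a common first sign that a workload has been compromised. It assumes Falco's default ruleset is loaded, which supplies the `spawned_process` and `container` macros.

```yaml
# Added example (not from the original page): a Falco rule, assuming the
# default ruleset's spawned_process and container macros are available.
- rule: Shell spawned in container
  desc: An interactive shell process was started inside a container
  condition: >
    spawned_process and container and
    proc.name in (sh, bash, dash, zsh, ash) and
    proc.tty != 0
  output: >
    Shell in container (user=%user.name container=%container.name
    image=%container.image.repository shell=%proc.name parent=%proc.pname
    cmdline=%proc.cmdline pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [container, shell, mitre_execution]
```

Load it alongside the defaults with `falco -r /etc/falco/falco_rules.yaml -r /etc/falco/falco_rules.local.yaml -r shell-in-container.yaml`, then trigger it with `kubectl exec -it <pod> -- sh`; the `proc.tty != 0` clause keeps non-interactive `sh -c` wrappers used by healthchecks from flooding the alerts, so follow up with a separate rule if those matter in your environment.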
Mock Exams #
https://killercoda.com/killer-shell-cks
https://github.com/moabukar/CKS-Exercises-Certified-Kubernetes-Security-Specialist
Cloud native | Kubernetes | walkthrough of late-2022 CKS exam questions (1-10)
Cloud native | Kubernetes | walkthrough of late-2022 CKS exam questions (11-16)
https://www.cnblogs.com/huss2016/p/17055905.html
http://www.dtcms.com/a/696.html
Reference #
https://github.com/vedmichv/CKS-Certified-Kubernetes-Security-Specialist