CKS 1.23 Write-UP / Tips
Rules #
During the CKS exam, candidates may:
- Review the Exam content instructions that are presented in the command line terminal.
- Review documents installed by the distribution (i.e. /usr/share and its subdirectories)
- Use their Chrome or Chromium browser to open one additional tab in order to access the sites listed under Allowed sites below
Allowed sites #
Kubernetes Documentation #
- https://kubernetes.io/docs/ and their subdomains
- https://github.com/kubernetes/ and their subdomains
- https://kubernetes.io/blog/ and their subdomains
- This includes all available language translations of these pages (e.g. https://kubernetes.io/zh/docs/)
Tools #
- Trivy documentation https://aquasecurity.github.io/trivy/
- Falco documentation https://falco.org/docs/ (this includes all available language translations of these pages, e.g. https://falco.org/zh/docs/)
App Armor #
The allowed sites above may contain links that point to external sites. It is the responsibility of the candidate not to click any links to navigate to a domain that is not allowed.
You may use the search function provided on https://kubernetes.io/docs/. However, you may only open search results that have a domain matching the ones specified above.
Exam Breakdown/Weights #
- Cluster Setup: 10%
- Cluster Hardening: 15%
- System Hardening: 15%
- Minimize Microservice Vulnerabilities: 20%
- Supply Chain Security: 20%
- Monitoring, Logging, and Runtime Security: 20%
Cluster Setup: 10% #
- Use Network security policies to restrict cluster level access
  - EX: Create a NetworkPolicy that only allows ingress to a specific pod from all pods in another namespace.
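As an added example for the task above (not part of the original write-up), a NetworkPolicy that lets pods labelled `app: api` in namespace `backend` receive traffic only from pods in namespace `frontend`; all names and labels are assumed. The source namespace is matched on the `kubernetes.io/metadata.name` label, which Kubernetes sets on every namespace automatically since 1.22, so nothing has to be labelled by hand.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-frontend        # assumed name
  namespace: backend               # assumed: namespace of the target pod
spec:
  # Selecting the pod makes it "isolated" for ingress: anything not listed
  # under ingress below is dropped, so no explicit deny rule is needed.
  podSelector:
    matchLabels:
      app: api                     # assumed label on the target pod
  policyTypes:
  - Ingress                        # egress is deliberately left untouched
  ingress:
  - from:
    # A namespaceSelector alone (no podSelector in the same list item)
    # means "all pods in the matching namespace". Putting a podSelector
    # as a separate list item would OR the two, not AND them.
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: frontend
    # No "ports" key: all ports are allowed from that namespace.
```

A policy is only enforced if the cluster's CNI plugin implements NetworkPolicy; check the resolved selectors with `kubectl describe networkpolicy -n backend allow-from-frontend`.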
- Use CIS benchmark / kube-bench to review the security configuration of Kubernetes components (etcd, kubelet, kube-dns, kube-apiserver)
  - EX: Secure the kube-apiserver that has 'FAILED' security findings.
- Properly set up Ingress objects with security control
- Protect node metadata and endpoints
- Minimize use of, and access to, GUI elements
- Verify platform binaries before deploying
  - EX: `sha512sum $FILENAME` or `sha256sum $FILENAME`, then compare the output with the checksum published for the release.
Cluster Hardening: 15% #
- Restrict access to Kubernetes API
  - EX: Change the cluster from AlwaysAllow to Node,RBAC,Webhook for the kube-apiserver in the manifests folder on the master node.
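Added illustration (not from the original) of the relevant fragment of the kube-apiserver static pod manifest, assuming the kubeadm default location `/etc/kubernetes/manifests/kube-apiserver.yaml`. The caveat worth knowing for this task: the apiserver refuses to start with `Webhook` in the mode list unless a webhook config file is also given, so both flags change together.

```yaml
# Fragment of /etc/kubernetes/manifests/kube-apiserver.yaml (kubeadm default).
# The kubelet restarts the static pod on its own when this file changes.
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    # Before (insecure):  - --authorization-mode=AlwaysAllow
    - --authorization-mode=Node,RBAC,Webhook
    # Required as soon as Webhook is listed; the path is assumed.
    - --authorization-webhook-config-file=/etc/kubernetes/authz-webhook.kubeconfig
    # ... all other flags unchanged ...
    volumeMounts:
    - name: authz-webhook            # assumed mount; the pod cannot read host files otherwise
      mountPath: /etc/kubernetes/authz-webhook.kubeconfig
      readOnly: true
  volumes:
  - name: authz-webhook
    hostPath:
      path: /etc/kubernetes/authz-webhook.kubeconfig
      type: File
```

After saving, watch `crictl ps` on the node until a fresh kube-apiserver container is running; if it keeps exiting, `crictl logs` on the dead container shows the offending flag.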
- Use Role Based Access Controls to minimize exposure
  - EX: Create a ServiceAccount that uses a Role / ClusterRole for a pod, limiting access to a namespace.
- Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones
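Added example covering both points above (the namespace-scoped ServiceAccount and the caution about token automounting); it is not from the original. Namespace `dev`, account `reader`, the `pod-reader` Role and the `bitnami/kubectl` image are all assumed.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: reader
  namespace: dev
automountServiceAccountToken: false   # pods must opt in to receive a token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                            # Role, not ClusterRole: scoped to "dev" only
metadata:
  name: pod-reader
  namespace: dev
rules:
- apiGroups: [""]                     # core API group
  resources: ["pods"]
  verbs: ["get", "list", "watch"]     # read only; no secrets, no writes
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: reader-pod-reader
  namespace: dev
subjects:
- kind: ServiceAccount
  name: reader
  namespace: dev
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: lister
  namespace: dev
spec:
  serviceAccountName: reader
  automountServiceAccountToken: true  # this pod genuinely needs the token; pod setting wins
  containers:
  - name: kubectl
    image: bitnami/kubectl:1.23       # assumed image
    command: ["sleep", "3600"]
```

Check the result without deploying anything: `kubectl auth can-i list pods -n dev --as=system:serviceaccount:dev:reader` should answer yes and the same query for `secrets` should answer no. The default account in the namespace can be locked down the same way with `kubectl -n dev patch sa default -p '{"automountServiceAccountToken": false}'`.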
- Update Kubernetes frequently
  - EX: Use kubeadm to plan an upgrade from 1.22.3 to 1.23.
System Hardening: 15% #
- Minimize host OS footprint (reduce attack surface)
- Remove unnecessary kernel modules
- Minimize IAM roles
- Minimize external access to the network
- Appropriately use kernel hardening tools such as AppArmor, seccomp
  - Reference: AppArmor documentation
  - EX: Apply an AppArmor profile on a worker node and use it for a pod.
    - Reference: applying profiles with `apparmor_parser $FILENAME`; Securing a pod with AppArmor
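Added example of the pod side of that task (not from the original). It assumes a profile named `k8s-deny-write` has already been loaded on node `worker-1` with `apparmor_parser -q <profile file>`; the annotation key must end in the container's name and the value in the profile name exactly as loaded.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello-apparmor
  annotations:
    # key:   container.apparmor.security.beta.kubernetes.io/<container name>
    # value: localhost/<profile name as loaded on the node>
    container.apparmor.security.beta.kubernetes.io/hello: localhost/k8s-deny-write
spec:
  nodeSelector:
    kubernetes.io/hostname: worker-1   # assumed: the node where the profile is loaded
  containers:
  - name: hello                        # must match the annotation suffix
    image: busybox:1.28
    command: ["sh", "-c", "echo 'Hello AppArmor!' && sleep 1h"]
```

If the profile is not loaded on the node the pod lands on, the pod never starts and `kubectl describe pod hello-apparmor` reports that the profile cannot be enforced; on a healthy pod, `kubectl exec hello-apparmor -- cat /proc/1/attr/current` prints the profile name followed by `(enforce)`.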
Minimize Microservice Vulnerabilities: 20% #
- Set up appropriate OS level security domains e.g. using PSP, OPA, security contexts
- Manage kubernetes secrets
  - EX: Create a secret and mount it as a volume for a pod.
  - EX: Write the base64 of a secret, and use etcdctl to get the encrypted secret at rest.
    - Reference: ensure-all-secrets-are-encrypted
    - Reading the stored value straight from etcd:
    ```
    ETCDCTL_API=3 etcdctl --endpoints 127.0.0.1:2379 \
      --cert=/etc/kubernetes/pki/etcd/server.crt \
      --key=/etc/kubernetes/pki/etcd/server.key \
      --cacert=/etc/kubernetes/pki/etcd/ca.crt \
      get /registry/secrets/NAMESPACE/SECRETNAME
    ```
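Added example of the EncryptionConfiguration behind the "ensure all secrets are encrypted" reference (not from the original). It assumes the file is saved at `/etc/kubernetes/enc/enc.yaml`, hostPath-mounted into the kube-apiserver static pod, and passed with `--encryption-provider-config=/etc/kubernetes/enc/enc.yaml`.

```yaml
# Assumed location: /etc/kubernetes/enc/enc.yaml on the control-plane node.
# Generate the key material with:  head -c 32 /dev/urandom | base64
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
  - secrets
  providers:
  # The FIRST provider is used for every write; ALL listed providers can read.
  - aescbc:
      keys:
      - name: key1
        secret: <BASE64_OF_32_RANDOM_BYTES>   # placeholder, 16/24/32 raw bytes allowed
  # identity (plaintext) must stay listed, and last, so secrets written
  # before encryption was enabled can still be read until they are rewritten.
  # Putting identity first would silently keep writing plaintext.
  - identity: {}
```

Secrets already in etcd stay in plaintext until rewritten: `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`. Afterwards the etcdctl command above returns a value starting with `k8s:enc:aescbc:v1:key1` instead of the readable secret.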
- Use container runtime sandboxes in multi-tenant environments (e.g. gVisor, Kata Containers)
  - EX: A specific node has the gVisor runtime enabled; create a pod that uses the gVisor container runtime.
    ```
    kind: Pod
    spec:
      runtimeClassName: gvisor
    ```
    - NOTE: if more than one node is in the cluster, you need to use a nodeSelector to make sure the pod gets deployed to the workers that have the container runtime installed.
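Added example (not from the original) of the full pair of objects for that task: the RuntimeClass that maps the name `gvisor` to the runtime handler, and a pod pinned to the node that has it. The handler name `runsc` and the node name `worker-2` are assumed; the handler must match what is configured in containerd on that node.

```yaml
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor          # the name pods refer to in runtimeClassName
handler: runsc          # assumed; must equal the containerd runtime handler name
# Alternative to a per-pod nodeSelector: set scheduling.nodeSelector here so
# every pod using this class is steered to the right nodes automatically.
---
apiVersion: v1
kind: Pod
metadata:
  name: sandboxed
spec:
  runtimeClassName: gvisor
  # With several nodes, pin the pod to the node(s) that have runsc.
  # Otherwise it may land on a node without the handler and the
  # container fails to create instead of silently running unsandboxed.
  nodeSelector:
    kubernetes.io/hostname: worker-2   # assumed node name
  containers:
  - name: app
    image: nginx:1.21
```

`kubectl exec sandboxed -- dmesg` is the quick confirmation: inside gVisor it prints the sandbox's own kernel banner rather than the host kernel log.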
- Implement pod to pod encryption by use of mTLS
Supply Chain Security: 20% #
- Minimize base image footprint
- Secure your supply chain: whitelist allowed image registries, sign and validate images
  - EX: Enable ImagePolicyWebhook and set defaultAllow: false.
    - The question for this is rather complicated; most files will be provided. Make sure to pay attention to the question and study how to enable admission controllers.
- Use static analysis of user workloads (e.g. kubernetes resources, docker files)
- Scan images for known vulnerabilities
  - EX: Find pods running in a namespace that have high and critical findings, then remove them.
Monitoring, Logging, and Runtime Security: 20% #
- Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities
  - EX: Find which pods are making syscalls and disable them.
    - Use `strace -p <pid_of_container>` to attach to the container's process (find the container with `crictl ps` directly on the node, then look up its process id).
  - EX: Enable auditing on the control plane, and create a policy that gets the request body of ConfigMap changes in kube-system.
    - Add --audit-policy-file=filename.yaml to the kube-apiserver manifest.
    - Reference: Log backend
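Added example (not from the original) of the audit policy for that task together with the kube-apiserver changes it depends on. File locations under `/etc/kubernetes/audit` and `/var/log/kubernetes/audit` are assumed.

```yaml
# Assumed location: /etc/kubernetes/audit/policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# RequestReceived fires before the request is processed; drop it everywhere.
omitStages:
- RequestReceived
rules:
# Request bodies for ConfigMap changes in kube-system
# (RequestResponse would additionally record the response body).
- level: Request
  namespaces: ["kube-system"]
  resources:
  - group: ""                 # core API group
    resources: ["configmaps"]
  verbs: ["create", "update", "patch", "delete"]
# Everything else: who did what, without bodies. Rules match in order,
# so this catch-all has to stay last.
- level: Metadata
---
# Fragment of the kube-apiserver static pod manifest (assumed at
# /etc/kubernetes/manifests/kube-apiserver.yaml). The policy file and the
# log directory both have to be hostPath-mounted into the pod.
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --audit-policy-file=/etc/kubernetes/audit/policy.yaml
    - --audit-log-path=/var/log/kubernetes/audit/audit.log
    - --audit-log-maxage=30      # days to keep
    - --audit-log-maxbackup=10   # rotated files to keep
    - --audit-log-maxsize=100    # MB per file before rotation
    volumeMounts:
    - name: audit-policy
      mountPath: /etc/kubernetes/audit/policy.yaml
      readOnly: true
    - name: audit-log
      mountPath: /var/log/kubernetes/audit
  volumes:
  - name: audit-policy
    hostPath:
      path: /etc/kubernetes/audit/policy.yaml
      type: File
  - name: audit-log
    hostPath:
      path: /var/log/kubernetes/audit
      type: DirectoryOrCreate
```

Verify on the control-plane node: after `kubectl -n kube-system create configmap audit-test --from-literal=k=v`, the new line in `/var/log/kubernetes/audit/audit.log` contains a `requestObject` field with the ConfigMap data.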
- Detect threats within physical infrastructure, apps, networks, data, users and workloads
  - EX: A node has Falco installed; modify the rule to display a specific format.
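Added example (not from the original) of how such a format change is done: a copy of the stock `Terminal shell in container` rule placed in `/etc/falco/falco_rules.local.yaml`, which Falco loads after `falco_rules.yaml`, so a rule with the same name replaces the original. The field list in `output` is the assumed format a task might ask for.

```yaml
# /etc/falco/falco_rules.local.yaml
# Same rule name as in falco_rules.yaml and no "append", so this definition
# replaces the stock rule instead of extending it. The macros used in the
# condition (spawned_process, container, shell_procs) come from falco_rules.yaml.
- rule: Terminal shell in container
  desc: A shell was spawned with a terminal attached inside a container
  condition: >
    spawned_process and container
    and shell_procs and proc.tty != 0
  # Comma-separated fields: time, container id, image repo, namespace, pod, user, command
  output: "%evt.time,%container.id,%container.image.repository,%k8s.ns.name,%k8s.pod.name,%user.name,%proc.cmdline"
  priority: WARNING
  tags: [container, shell]
```

Restart Falco (`systemctl restart falco`), open a shell in any pod with `kubectl exec -it`, and the event shows up in the new format in `journalctl -u falco` or the configured log output.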
- Detect all phases of attack regardless where it occurs and how it spreads
  - EX: View an audit log and change the passwords that a compromised ServiceAccount accessed.
- Perform deep analytical investigation and identification of bad actors within environment
  - EX: You have received a notification that a user was able to access secrets from a service account in a namespace; identify the security hole and fix the issue.
    - For example, the user isn't able to directly access the secret, but they are able to exec into a pod. That pod has a ServiceAccount attached, and by using `curl` with the service account token that is embedded in the container as a volume, they can list secrets.
- Ensure immutability of containers at runtime
  - EX: Delete the containers that are not immutable.
    - Check the pods and make sure they don't have privileged access and that they have a read-only file system.
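Added example (not from the original) of what the "immutable" version of a pod looks like, using nginx because it is the usual exam image: root filesystem read-only, no privilege, and the two directories nginx has to write to backed by emptyDir volumes so it still starts.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: immutable-nginx
spec:
  containers:
  - name: nginx
    image: nginx:1.21
    securityContext:
      privileged: false
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true   # any write outside the volumes below fails with EROFS
    # nginx writes its cache and pid file here; without these mounts the
    # container crash-loops, which is the usual first symptom of this change.
    volumeMounts:
    - name: cache
      mountPath: /var/cache/nginx
    - name: run
      mountPath: /var/run
  volumes:
  - name: cache
    emptyDir: {}
  - name: run
    emptyDir: {}
```

To spot the pods the task wants removed, `kubectl get pods -A -o yaml | grep -nE 'privileged: true|readOnlyRootFilesystem'` lists the containers worth checking; a container with no `readOnlyRootFilesystem: true` at all is writable by default.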
- Use Audit Logs to monitor access
Important things to consider / Tips
- Questions are weighted, meaning that every part of a question gives points. For example, if a question asks you to parse logs to a file named `file.log` and you don't know how to answer the rest, just creating the file will give you some points rather than 0.
- If you get any questions regarding Trivy, update the version of Trivy, as now you can scan namespaces; this will save you a lot of time on these questions.
- Refer to the documentation as much as possible, just to verify your work; it's faster to find the documentation and copy and paste it into your YAML.
- 16-17 questions in 2 hours is ~8.0 min per question. If you exceed 8 min you should flag the question and come back to it; better to miss one question than to miss 5 easy ones because you are stuck.
- Use imperative ways of creating resources as much as possible, such as `kubectl run nginx --image=nginx`, and reuse documentation examples as much as possible to save time.
- The Kubernetes docs list all the kubectl commands and what they do; this is a website version of a man page.
- `kubectl explain` is helpful to quickly explain the YAML syntax of a resource.
- Vim is the default editor.