CKS 1.22 - 1.23


CKS 1.23 Write-UP / Tips

Rules #

During the CKS exam, candidates may:

  • Review the Exam content instructions that are presented in the command line terminal.
  • Review documents installed by the distribution (i.e. /usr/share and its subdirectories)
  • Use their Chrome or Chromium browser to open one additional tab in order to access the allowed sites listed below

Allowed sites #

Kubernetes Documentation #

Tools #

App Armor #

The allowed sites above may contain links that point to external sites. It is the responsibility of the candidate not to click any links to navigate to a domain that is not allowed.

You may use the search function provided on https://kubernetes.io/docs/. However, you may only open search results that have a domain matching the ones specified above.

Exam Breakdown/Weights #

  • Cluster Setup: 10%
  • Cluster Hardening: 15%
  • System Hardening: 15%
  • Minimize Microservice Vulnerabilities: 20%
  • Supply Chain Security: 20%
  • Monitoring, Logging, and Runtime Security: 20%

Cluster Setup: 10% #

  • Use Network security policies to restrict cluster level access
    • EX: Create a networkpolicy that only allows ingress to specific pod from all pods in another namespace
  • Use CIS benchmark | kube-bench to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
    • EX: Secure the kube-apiserver that has 'FAILED' security findings in the kube-bench report
  • Properly set up Ingress objects with security control
  • Protect node metadata and endpoints
  • Minimize use of, and access to, GUI elements
  • Verify platform binaries before deploying
    • EX: sha512sum $FILENAME or sha256sum $FILENAME, compared against the checksum published with the release
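As an added example for the NetworkPolicy item above (not from the original post), this policy lets every pod in the namespace `frontend` reach the pod labelled `app=api` in namespace `backend` and drops all other inbound traffic to that pod; the namespace, label and port values are assumed.

```yaml
# Added example with assumed names: target namespace "backend", target pod
# label app=api, source namespace "frontend". Because the policy selects the
# pod and lists Ingress in policyTypes, any ingress not matched below is
# denied; egress from the pod is left untouched.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-frontend
  namespace: backend
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
  ingress:
    - from:
        # kubernetes.io/metadata.name is set automatically on every
        # namespace since 1.21, so no manual labelling is required.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: frontend
      # Optional: limit the opening to the port the api pod serves on.
      ports:
        - protocol: TCP
          port: 8080
```

A `namespaceSelector` on its own matches all pods in that namespace; adding a separate `- podSelector:` list item under `from` would OR the two selectors and widen the policy, so keep any pod restriction inside the same element.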

Cluster Hardening: 15% #

  • Restrict access to Kubernetes API
    • EX: Change the cluster's authorization mode from AlwaysAllow to Node,RBAC,Webhook for kube-apiserver in the manifests folder on the master node
  • Use Role Based Access Controls to minimize exposure
    • EX: Create a SERVICEACCOUNT that uses a ROLE / CLUSTERROLE, for a pod that limits access to a namespace
  • Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones
  • Update Kubernetes frequently
    • EX: Use kubeadm to plan an upgrade from 1.22.3 to 1.23
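As an added example for the RBAC item above (not the post's own manifests), a service account whose pod can only read pods inside one namespace; the namespace `dev` and the name `pod-reader` are assumed.

```yaml
# Added example with assumed names (namespace "dev", account "pod-reader").
# The Role grants read-only access to pods in "dev" only, and a RoleBinding
# (not a ClusterRoleBinding) keeps the grant scoped to that namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pod-reader
  namespace: dev
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: dev
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader
  namespace: dev
subjects:
  - kind: ServiceAccount
    name: pod-reader
    namespace: dev
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: reader
  namespace: dev
spec:
  serviceAccountName: pod-reader   # the pod uses this account, not "default"
  containers:
    - name: app
      image: nginx
```

Verify with `kubectl auth can-i list pods --as=system:serviceaccount:dev:pod-reader -n dev` (yes) and the same command with another namespace (no); the `default` account in a namespace can be locked down by setting `automountServiceAccountToken: false` on it.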

System Hardening: 15% #

Minimize Microservice Vulnerabilities: 20% #

  • Set up appropriate OS level security domains e.g. using PSP, OPA, security contexts
  • Manage kubernetes secrets
    • EX: Create a secret and mount them as a volume for a pod
    • EX: Write out the base64 of a secret, and use etcdctl to get the encrypted secret at rest
    • reference: ensure-all-secrets-are-encrypted

      ```bash
      # Read the raw key from etcd on the control-plane node; with encryption
      # at rest enabled the value is prefixed with k8s:enc:... instead of
      # being readable JSON
      ETCDCTL_API=3 etcdctl --endpoints 127.0.0.1:2379 \
        --cert=/etc/kubernetes/pki/etcd/server.crt \
        --key=/etc/kubernetes/pki/etcd/server.key \
        --cacert=/etc/kubernetes/pki/etcd/ca.crt \
        get /registry/secrets/NAMESPACE/SECRETNAME
      ```

  • Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers)
    • EX: A specific node has the gVisor runtime enabled; create a pod that uses the gvisor container runtime

      ```yaml
      # Only the runtimeClassName field selects the sandbox; a RuntimeClass
      # named gvisor must already exist in the cluster
      kind: Pod
      spec:
        runtimeClassName: gvisor
      ```

    • NOTE: if more than one node is in the cluster, use a nodeSelector to make sure the pod is scheduled to the workers that have the container runtime installed
  • Implement pod to pod encryption by use of mTLS
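The secret-as-volume and gVisor items above, worked through as one added example (not from the original post): the RuntimeClass that the pod refers to, a Secret mounted read-only, and a nodeSelector pinning the pod to the node that actually has runsc; the node label `runtime=gvisor` and the secret name are assumed.

```yaml
# Added example, assumed names: node label runtime=gvisor, secret "db-creds".
# The RuntimeClass maps the name pods use to the "runsc" handler, which
# containerd on the node must already be configured with.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
# Alternative to a per-pod nodeSelector: set scheduling.nodeSelector here
# and every pod using this class is pinned automatically.
---
apiVersion: v1
kind: Secret
metadata:
  name: db-creds
type: Opaque
stringData:                 # plain text here; the API stores it base64-encoded
  password: "example-only"  # constructed sample value
---
apiVersion: v1
kind: Pod
metadata:
  name: sandboxed
spec:
  runtimeClassName: gvisor
  nodeSelector:
    runtime: gvisor         # only nodes with runsc installed (assumed label)
  containers:
    - name: app
      image: nginx
      volumeMounts:
        - name: creds
          mountPath: /etc/creds   # password lands in /etc/creds/password
          readOnly: true
  volumes:
    - name: creds
      secret:
        secretName: db-creds
```

`kubectl exec sandboxed -- dmesg` is a quick way to confirm the sandbox took effect: under gVisor the kernel messages come from runsc rather than the host kernel.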

Supply Chain Security: 20% #

  • Minimize base image footprint
  • Secure your supply chain: whitelist allowed image registries, sign and validate images
    • EX: enable ImagePolicyWebhook and set defaultAllow: false
    • The question for this is rather complicated; most files will be provided, so pay attention to the question and study how to enable admission controllers
  • Use static analysis of user workloads (e.g. kubernetes resources, docker files)
  • Scan images for known vulnerabilities
    • EX: find pods running in a namespace that have high and critical findings, then remove them

Monitoring, Logging, and Runtime Security: 20% #

  • Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities
    • EX: Find what pods are making syscalls and disable them
    • Use strace -p PID on the node (get the container's process id from crictl ps / crictl inspect directly on the node)
    • EX: Enable auditing on the control plane, and create a policy that captures the request body of ConfigMap changes in kube-system
    • add --audit-policy-file=filename.yaml to the kube-apiserver manifest (and mount the policy file into the static pod, together with --audit-log-path for the log backend)
    • Reference: Log Backend
  • Detect threats within physical infrastructure, apps, networks, data, users and workloads
    • EX: A node has falco installed, modify the rule to display a specific format
  • Detect all phases of attack regardless where it occurs and how it spreads
    • EX: View an audit log and change the passwords that a compromised service account accessed
  • Perform deep analytical investigation and identification of bad actors within environment
    • EX: You have received a notification that a user was able to access secrets from a service account in a namespace; identify the security hole and fix the issue
    • For example, the user isn't able to access the secret directly but is able to exec into a pod. That pod has a service account attached, and by using curl with the service account token that is mounted into the container as a volume, they can list secrets.
  • Ensure immutability of containers at runtime
    • EX: Delete the containers that are not immutable
    • Check the pods and make sure they don't have privileged access and that they have a read-only file system
  • Use Audit Logs to monitor access
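The audit policy item above, written out as an added example (not the post's own file): full request and response bodies for ConfigMap changes in kube-system, metadata only for secrets, nothing else; the file path in the comment is assumed.

```yaml
# Added example: audit policy for the scenario above (assumed location
# /etc/kubernetes/audit/policy.yaml). Rules are checked top-down and the
# first match wins, so the catch-all "None" rule must stay last.
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - RequestReceived        # one event per request instead of two
rules:
  # Full request and response bodies for ConfigMap changes in kube-system
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    namespaces: ["kube-system"]
    resources:
      - group: ""
        resources: ["configmaps"]
  # Secrets: record who touched what, never the body
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets"]
  # Everything else is dropped
  - level: None
```

In /etc/kubernetes/manifests/kube-apiserver.yaml add `--audit-policy-file=/etc/kubernetes/audit/policy.yaml`, `--audit-log-path=/var/log/kubernetes/audit/audit.log` and `--audit-log-maxage=30`, plus hostPath volumes and volumeMounts for both the policy file and the log directory; without the mounts the static pod fails to start.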
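For the immutability check above, an added example (not from the original post) of a pod that passes it: no privilege, read-only root filesystem, and emptyDir volumes for the two paths nginx must write to; the pod name and image tag are assumed.

```yaml
# Added example with assumed names: a pod that satisfies the immutability
# check. nginx still has to write its cache and pid file, so those paths get
# emptyDir volumes instead of loosening readOnlyRootFilesystem.
apiVersion: v1
kind: Pod
metadata:
  name: immutable-web
spec:
  containers:
    - name: web
      image: nginx:1.23
      # These three fields exist only on the container-level securityContext,
      # not on the pod-level one.
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
      volumeMounts:
        - name: cache
          mountPath: /var/cache/nginx   # nginx temp/cache directories
        - name: run
          mountPath: /var/run           # nginx.pid
  volumes:
    - name: cache
      emptyDir: {}
    - name: run
      emptyDir: {}
```

To spot offenders, read each pod with `kubectl get pod NAME -o yaml` and look for `privileged: true` or a missing `readOnlyRootFilesystem: true` under every container's `securityContext`.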

Important things to consider / Tips

  • Questions are weighted, meaning that every part of a question gives points. For example, if a question asks you to parse logs to a file named file.log and you don't know how to answer the question, just creating the file will give you some points rather than 0.

  • If you get any questions regarding Trivy, update the version of Trivy, as newer versions can scan whole namespaces; this will save you a lot of time on these questions.

  • Refer to the documentation as much as possible, if only to verify your work; it's faster to find the documentation and copy and paste it into your YAML.

  • 16-17 questions in 2 hours is roughly 8 minutes per question; if you exceed 8 minutes, flag the question and come back to it. It is better to miss one question than to miss 5 easy ones because you are stuck.

  • Use imperative ways of creating resources as much as possible, such as kubectl run nginx --image=nginx, reuse documentation examples as much as possible to save time.

  • The Kubernetes docs cover all the kubectl commands and what they do; this is a website version of the man page.

  • kubectl explain is helpful for quickly checking the YAML syntax of a resource field.

  • Vim is the default editor