Everybody wants to learn Kubernetes these days, and the best way to learn is by doing.
The Certified Kubernetes Security Specialist certification is being developed to enable cloud-native professionals to demonstrate their security skills to current and potential employers.
This post covers the hands-on activity guides that you should work through in order to learn Kubernetes security and clear the CKS certification exam.
The topics discussed are shared below:
- Setting up Kubernetes cluster using kubeadm tool and calico CNI
- Securing the nodes and processes with TLS (Transport layer Security)
- Setting up Kube-bench for running Kubernetes CIS Benchmark Tests
- Protecting cluster metadata and endpoints with Calico
- Securing Kubelet and etcd key value Datastore
- Exploring with Service Account and Namespace
- RBAC Authorization modes for Kubernetes API server
- Implementing Cluster Roles and Role binding for securing cluster
- Implementing Network Policies with Calico
- Upgrading kubeadm clusters
- Using Packer and Ansible for Server Hardening
- Implementing the Principle of Least Privilege (POLP)
- Restrict a Container's Access to Resources with AppArmor
- Restrict a Container's Syscalls with Seccomp
- Configuring Pod Security Policies (PSP)
- Enforcing policies on Kubernetes objects with Open Policy Agent (OPA)
- Configure a Security Context for a Pod or Container
- Working with secrets to store sensitive information
- Implementing secure Containers using Google’s gVisor
- Traffic encryption using mTLS
- Building small container Images in Kubernetes
- Configuring and Working with secured image registry
- Static analysis with Kube-score
- Kubernetes static code analysis with Checkov
- Scan your Docker images for vulnerabilities
- Detecting Kubernetes vulnerability using Falco
- Investigating Kubernetes Security with Open source tool
- Ensuring container immutability
- Monitoring Kubernetes audit logs
Activity Guide I: Setting Up Kubernetes Cluster Using Kubeadm Tool And Calico CNI
In Kubernetes, nodes pool together their resources to form a more powerful machine. When you deploy programs onto the cluster, it intelligently handles distributing work to the individual nodes for you. If any nodes are added or removed, the cluster will shift around work as necessary.
In this activity guide, we cover setting up a Kubernetes cluster with the kubeadm tool and installing the Calico CNI.
II: Securing The Nodes And Processes With TLS
The TLS module provides an implementation of the Transport Layer Security (TLS) and Secure Socket Layer (SSL) protocols built on top of OpenSSL. TLS/SSL relies on a public/private key infrastructure (PKI): in most deployments, each client and server must have its own private key.
In this activity guide for Certified Kubernetes Security Specialist, we cover perfect forward secrecy, ALPN and SNI, pre-shared keys, mitigation of client-initiated renegotiation attacks, and session resumption.
III: Setting Up Kube-bench For Running Kubernetes CIS Benchmark Tests
kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark. Tests are configured with YAML files, making this tool easy to update as test specifications evolve.
In this activity guide, we cover how to install kube-bench, run kube-bench, and run kube-bench on managed clusters.
IV: Protecting Cluster Metadata And Endpoints With Calico
Each host has one or more network interfaces that it uses to communicate externally. You can represent these interfaces in Calico using host endpoints and then use network policy to secure them.
Calico host endpoints can have labels, and they work the same as labels on workload endpoints. Network policy rules can apply to both workload and host endpoints using label selectors.
In this activity guide, we cover how to protect cluster metadata and host endpoints with Calico.
V: Securing Kubelet And etcd Key-value Datastore
The etcd distributed key/value store is starting to play a key role in the management of fleets of Kubernetes clusters in the enterprise.
In this activity guide, we cover Use cases, NewSQL (Cloud Spanner, CockroachDB, TiDB), Using etcd for metadata, Using etcd for distributed coordination.
VI: Exploring With Service Account And Namespace
Kubernetes has the notion of users and service accounts to access resources. A user is associated with a key and certificate to authenticate API requests. Any request originating outside the cluster is authenticated using one of the configured schemes.
In this activity guide, we cover Manually create a service account API token, Add ImagePullSecrets to a service account, Service Account Token Volume Projection, Service Account Issuer Discovery.
VII: RBAC Authorization Modes For Kubernetes API Server
Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within your organization. In Kubernetes, you must be authenticated (logged in) before your request can be authorized (granted permission to access). Kubernetes expects attributes that are common to REST API requests.
In this activity guide, we cover API objects, Role and ClusterRole, RoleBinding and ClusterRoleBinding, Aggregated ClusterRoles, Default roles and role bindings, Privilege escalation prevention, and bootstrapping.
VIII: Implementing Cluster Roles And Role Binding For Securing Cluster
This guide will cover the basic Kubernetes Role-Based Access Control (RBAC) API Objects, how to implement cluster roles, and role binding for securing clusters. At the end of this guide, you should have enough knowledge to implement RBAC policies in your cluster.
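As a worked illustration of the Role and RoleBinding objects described in the two sections above, the following manifest is an added example, not code from the original post or from K21 Academy's course material. It binds a hypothetical `log-reader` service account in a hypothetical `payments` namespace to a Role that grants only the verbs a log-collecting job needs; the names are assumptions chosen for the example.

```yaml
# Added example: least-privilege RBAC for a hypothetical "log-reader"
# service account in a hypothetical "payments" namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: log-reader
  namespace: payments
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-log-reader
  namespace: payments
rules:
  # Only what the job needs: enumerate pods and read their logs.
  # No create/delete, no secrets, no access outside this namespace.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: log-reader-binding
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: log-reader
    namespace: payments
roleRef:
  # A RoleBinding may reference a Role (namespaced) or a ClusterRole;
  # referencing a Role keeps the grant confined to this namespace.
  kind: Role
  name: pod-log-reader
  apiGroup: rbac.authorization.k8s.io
```

After `kubectl apply -f` on the manifest, check the effective permissions by impersonating the service account: `kubectl auth can-i get pods/log --as=system:serviceaccount:payments:log-reader -n payments` should answer `yes`, while `kubectl auth can-i delete pods --as=system:serviceaccount:payments:log-reader -n payments` and the same query with `-n default` should answer `no`. A binding that answers `yes` to verbs the workload never uses is the first thing to tighten.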
IX: Implementing Network Policies With Calico
Calico network policy provides a richer set of policy capabilities than Kubernetes, including policy ordering/priority, deny rules, and more flexible match rules. Calico network policy is a namespaced resource that applies to pods/containers/VMs in that namespace.
In this Activity guide, we cover Installing Calico, Endpoints, kubectl vs calicoctl, Ingress and egress, Setting up Network Policies.
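To show the ordering and default-deny capabilities mentioned above, here is an added example (not from the original post or from the Calico project's documentation) of two Calico NetworkPolicy objects in a hypothetical `shop` namespace: a low-order rule that admits traffic from `frontend` pods to `api` pods on port 8080, and a high-order catch-all that denies all other ingress. The namespace, labels and port are assumptions for the example.

```yaml
# Added example: Calico policies in a hypothetical "shop" namespace.
# Policies are evaluated in ascending "order"; the first matching rule wins.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: shop
spec:
  order: 100                      # evaluated before the default-deny below
  selector: app == 'api'          # applies to pods labelled app=api
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        selector: app == 'frontend'   # only from pods labelled app=frontend
      destination:
        ports:
          - 8080
---
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  order: 1000                     # last resort: anything not allowed above
  selector: all()                 # every pod in the namespace
  types:
    - Ingress                     # an Ingress type with no rules denies all ingress
```

Apply with `calicoctl apply -f` (or with `kubectl` when the Calico API server is installed). Because the deny policy carries a higher order value, new services in the namespace are unreachable until someone writes an explicit allow rule for them, which is the behaviour a default-deny posture is meant to enforce; note that egress is not restricted by these two objects and would need its own rules.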
X: Upgrading Kubeadm Clusters
The upgrade workflow at a high level is the following:
- Upgrade the primary control plane node.
- Upgrade additional control plane nodes.
- Upgrade worker nodes.
In this activity guide, we cover upgrading control plane nodes, upgrading kubelet and kubectl, upgrading worker nodes, and recovering from a failure state.
XI: Using Packer And Ansible For Server Hardening
The ansible Packer provisioner runs Ansible playbooks. It dynamically creates an Ansible inventory file configured to use SSH, runs an SSH server, executes ansible-playbook, and marshals Ansible plays through the SSH server to the machine being provisioned by Packer.
In this Activity guide, we cover Vagrant and Packer Workflow, Using Ansible, Building Immutable Infrastructure with Ansible.
Note: Cluster Hardening carries a 15% weighting in the Certified Kubernetes Security Specialist (CKS) exam.
XII: Implementing The Principle Of Least Privilege (POLP)
The Principle of Least Privilege is the idea that any user, program, or process should have only the bare minimum privileges necessary to perform its function. This works by allowing only enough access to perform the required job.
XIII: Restrict A Container's Access To Resources With AppArmor
AppArmor is a Linux kernel security module that supplements the standard Linux user and group-based permissions to confine programs to a limited set of resources. AppArmor can be configured for any application to reduce its potential attack surface and provide a greater in-depth defense.
In this Activity guide, we cover Securing a Pod, Setting up nodes with profiles, Restricting profiles with the PodSecurityPolicy, Authoring Profiles, PodSecurityPolicy Annotations.
XIV: Restrict A Container's Syscalls With Seccomp
Secure computing mode (seccomp) is a Linux kernel feature. You can use it to restrict the actions available within a container. The seccomp() system call operates on the secure computing state of the calling process. You can use this feature to restrict your application's access to system calls.
In this Activity guide, we cover Create Seccomp Profiles, Create a Local Kubernetes Cluster with Kind, Create a Pod with a Seccomp profile for syscall auditing, Create Pod with Seccomp Profile that Causes Violation, Create Pod that uses the Container Runtime Default Seccomp Profile.
XV: Configuring Pod Security Policies (PSP)
In Kubernetes, a Pod Security Policy (PSP) is a cluster-level resource that controls security sensitive aspects of the pod specification. PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for related fields.
In this activity guide, we cover configuring Pod Security Policies.
XVI: Enforcing Policies On Kubernetes Objects With Open Policy Agent (OPA)
In Kubernetes, admission controllers enforce semantic validation of objects during create, update, and delete operations. With OPA you can enforce custom policies on Kubernetes objects without recompiling or reconfiguring the Kubernetes API server.
XVII: Configure A Security Context For A Pod or Container
A Pod Security Policy is a cluster-level resource that controls security-sensitive aspects of the pod specification. PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.
In this activity guide, we cover what a Pod Security Policy is, enabling Pod Security Policies, and authorizing policies.
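The seccomp guide (XIV) and the security context guide (XVII) both come down to fields on the pod spec, so here is one added example (not from the original post or from K21 Academy) of a Pod whose security context applies the runtime's default seccomp profile, runs as an unprivileged user, forbids privilege escalation, drops every capability, and mounts the root filesystem read-only. The pod name, namespace, image reference and user id are assumptions for the example.

```yaml
# Added example: a hardened pod spec combining seccomp and securityContext.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-web
  namespace: shop                       # hypothetical namespace
spec:
  securityContext:                      # pod-level settings, inherited by containers
    runAsNonRoot: true                  # kubelet refuses to start the container as uid 0
    runAsUser: 10001                    # assumed unprivileged uid baked into the image
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault              # container runtime's default syscall filter
      # For the audit profile used in the seccomp guide, instead use:
      #   type: Localhost
      #   localhostProfile: profiles/audit.json   # relative to the kubelet seccomp root
  containers:
    - name: web
      image: registry.example.com/shop/web:1.4.2   # placeholder image reference
      ports:
        - containerPort: 8080
      securityContext:                  # container-level settings
        allowPrivilegeEscalation: false # blocks setuid binaries gaining privileges
        readOnlyRootFilesystem: true    # image contents cannot be modified at runtime
        capabilities:
          drop: ["ALL"]                 # start from zero; add back only what is required
      volumeMounts:
        - name: tmp
          mountPath: /tmp               # writable scratch space, since / is read-only
  volumes:
    - name: tmp
      emptyDir: {}
```

Two quick checks after `kubectl apply -f`: `kubectl exec hardened-web -n shop -- touch /etc/marker` should fail with a read-only filesystem error, and `kubectl get pod hardened-web -n shop -o jsonpath='{.spec.securityContext.seccompProfile}'` should show the `RuntimeDefault` type. If the image's entrypoint needs to bind a port below 1024, add back only `NET_BIND_SERVICE` under `capabilities.add` rather than removing the `drop: ["ALL"]`.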
XVIII: Working With Secrets To Store Sensitive Information
In this guide, we cover topics related to protecting a cluster from accidental or malicious access and provide recommendations on overall security.
XIX: Implementing Secure Containers Using Google's gVisor
gVisor was designed around the premise that any security boundary could potentially be compromised with enough time and resources. We tried to optimize for a solution that was as costly and time-consuming for an attacker as possible, at every layer.
Consequently, gVisor was built through a combination of intentional design principles and specific technology choices that work together to provide the security isolation needed for running hostile containers on a host.
In this Activity guide, we cover Introducing gVisor, How to Implement Sandboxed Containers Using gVisor.
XX: Traffic Encryption Using mTLS
Transport authentication, also known as service-to-service authentication, ensures that traffic is encrypted in transit between services.
In this Activity guide, we cover Mutual TLS – Service, Namespace, Mesh, mTLS in practice, Check TLS.
XXI: Building Small Container Images In Kubernetes
The first step to deploying any app to Kubernetes is to bundle the app in a container. There are several official and community-backed container images for various languages and distros, and most of these images can be very large, or contain overhead your app may never need or use.
In this Activity guide, we cover Building small container images.
XXII: Configuring And Working With Secured Image Registry
The Docker Registry is a service that can talk to the docker daemon in order to upload and download docker images. The registry implementation is called Distribution. There are multiple ways to deploy your own private registry, and this guide explains how to do so.
In this Activity guide, we cover Configuring the Registry in a safe way, Integrating the Registry with Portus, Configuring the JWT token sent by Portus.
XXIII: Static Analysis With Kube-score
Kube-Score is a tool that does static code analysis of your Kubernetes object definitions. The output is a list of recommendations of what you can improve to make your application more secure and resilient.
In this Activity guide, we cover Installation and analyzing Kube-score.
XXIV: Kubernetes Static Code Analysis With Checkov
Checkov, an open-source infrastructure-as-code analysis tool, scans Kubernetes manifests and identifies security and configuration issues in Kubernetes workloads.
In this activity guide, we walk you through using Checkov to scan sample Kubernetes manifests: installing Checkov and scanning for Kubernetes misconfigurations.
XXV: Scan Your Docker Images For Vulnerabilities
Each batch of files added to an image ends up creating a layer that is added to the image. Your Docker image is the concatenation of all these layers in the specific order in which they were originally created.
Security vulnerabilities are not viruses. Security vulnerabilities usually exist in well-intentioned source code that has a logical or technical flaw resulting in a system weakness that can be exploited to compromise a system.
In this Activity guide, we cover Security Vulnerabilities, Vulnerability databases, Docker Static Vulnerability Scanning, Anchore Engine.
XXVI: Detecting Kubernetes Vulnerability Using Falco
Falco is the CNCF open-source project for runtime threat detection for containers and Kubernetes. You can use Falco to detect malicious activity both at the host and at the container level.
In this Activity Guide for Certified Kubernetes Security Specialist, we cover how to detect Pods with Vulnerable Volume Types Created.
XXVII: Investigating Kubernetes Security With Open Source Tool
Container environments present some new challenges, and so require a few additional security layers. Fortunately, there are a lot of innovations to leverage in the open-source world, including many advances in the Linux kernel that give us tighter control over what activities are permitted at this core level.
In this activity guide, we cover infrastructure, Pod Security Policies, Cilium for network filtering, build, Anchore for image scanning, Kubernetes admission controllers, and Kubesec.io for deployment checks.
XXVIII: Ensuring Container Immutability
One of the principles of Docker containers is that an image is immutable — once built, it's unchangeable, and if you want to make changes, you'll get a new image as a result.
In this activity guide, we cover container immutability, container resource utilization, container portability, container performance, container scalability, container operating costs, and Containers as a Service.
XXIX: Monitoring Kubernetes Audit Logs
Kubernetes auditing provides a security-relevant chronological set of records documenting the sequence of activities that have affected the system by individual users, administrators, or other components of the system.
In this Activity guide, we cover Audit Policy, Audit backends, Log backend, Webhook backend, Batching, Parameter tuning, Truncate, Setup for multiple API servers.
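As an added example of the audit policy and log backend covered above (not from the original post or from K21 Academy), the following Policy records metadata for secret access without ever capturing secret bodies, keeps full request and response bodies for RBAC changes, drops a known-noisy watch from kube-proxy, and falls back to metadata-level logging for everything else. The file paths named in the usage note are assumptions.

```yaml
# Added example: a kube-apiserver audit policy.
# Rules are evaluated top to bottom; the first match decides the level.
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - RequestReceived            # one event per request (ResponseComplete) is enough here
rules:
  # Secrets, configmaps and issued SA tokens: log that access happened,
  # never the body, so credentials do not leak into the audit log itself.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps", "serviceaccounts/token"]

  # Changes to RBAC objects are rare and high impact: keep the full
  # request and response so a reviewer can see exactly what was granted.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["roles", "clusterroles", "rolebindings", "clusterrolebindings"]

  # Known-noisy, low-value traffic from a system component: drop it.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]

  # Catch-all: who did what to which object, without bodies.
  - level: Metadata
```

To enable it on a kubeadm control plane, place the file at an assumed path such as `/etc/kubernetes/audit/policy.yaml`, mount that directory and a log directory into the kube-apiserver static pod with hostPath volumes, and add `--audit-policy-file=/etc/kubernetes/audit/policy.yaml`, `--audit-log-path=/var/log/kubernetes/audit/audit.log`, `--audit-log-maxage=30` and `--audit-log-maxbackup=10` to the kube-apiserver command in `/etc/kubernetes/manifests/kube-apiserver.yaml`. Once the API server restarts, `kubectl get secrets -n kube-system` should produce a Metadata-level event in the log with no `requestObject` or `responseObject` field, which is the check that the first rule is doing its job.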
Next Task For You
Begin your journey towards becoming a Certified Kubernetes Security Specialist [CKS] and earning a lot more in 2021 by joining our FREE CLASS. By registering for our FREE Masterclass, you will also learn more about the roles and responsibilities and job opportunities for K8s security specialists in the market, and what to study, including the hands-on labs you must perform to clear the Certified Kubernetes Security Specialist [CKS] certification exam.
kenna Ofoegbu says
Hi, the activities here are mostly descriptions and not full links.
Are there full articles for each activity?
Rahul Dangayach says
Hi Kenna.
Regarding your query, I would like to inform you that these activity guides are well covered in our CKS course.
For more details on the course, please drop an email to contact@k21academy.com and the team will help you.
Thanks and Regards
Rahul Dangayach
Team K21 Academy