Certified Kubernetes Security Specialist (CKS) - V1.26

The objective of this repository is help you for taking the Certified Kubernetes Security Specialist (CKS) exam using online resources, especially using resources from Kubernetes Official Documentation.

The references were selected for the Exam Curriculum 1.26, and there are exclusive information for API objects and annotations. For more information, please see CNCF Curriculum.

Please, feel free to place a pull request whether something is not up-to-date, should be added or contains wrong information/reference.

There are other Kubernetes certification exam preparation guides available:

• Certified Kubernetes Administrator (CKA) - Preparation Guide

Exam

The exam is kind of "put your hands on", where you have some problems to fix within 120 minutes.

My tip: Spend your time wisely. Use the Notebook feature (provided in exam's UI) to keep track of your progress, where you might take notes of each question, put some annotations in order to help you. Additionally, don't get stuck, move to the next problem, and take it back when you finish all the other problems.

Exam Cost: $375 and includes one free retake.

It's important to mention that you have access to Kubernetes Official Documentation during the exam. So get yourself familiar with Kubernetes online documentation, and know where to find all specific topics listed below. It might be helpful for you during the exam.

For information about the exam, please refer Certified Kubernetes Security Specialist (CKS) Program.

CKS Curriculum

Exam objectives that outline of the knowledge, skills and abilities that a Certified Kubernetes Security Specialist (CKS) can be expected to demonstrate.

Cluster Setup (10%)

• Use Network security policies to restrict cluster level access

  • Kubernetes Documentation > Concepts > Services, Load Balancing, and Networking > Network Policies

• Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)

  • CIS Security > Securing Kubernetes
  • Cloud Native Wiki - CIS Benchmark Best Practices
  • GitHub > Aqua Security > kube-bench

• Properly set up Ingress objects with security control

  • Kubernetes Documentation > Concepts > Services, Load Balancing, and Networking > Ingress > TLS

• Protect node metadata and endpoints

  • Kubernetes Documentation > Tasks > Administer a Cluster > Securing a Cluster

    # all pods in namespace cannot access metadata endpoint
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
    name: cloud-metadata-deny
    namespace: default
    spec:
    podSelector: {}
    policyTypes:
    - Egress
    egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
            - 169.254.169.254/32

• Minimize use of, and access to, GUI elements

  • Kubernetes Documentation > Tasks > Access Applications in a Cluster > Deploy and Access the Kubernetes Dashboard

• Verify platform binaries before deploying

  • Kubernetes Documentation > Tasks > Install Tools > Install and Set Up kubectl on Linux

    Note: Check the step 2 - validate binary

Cluster Hardening (15%)

• Restrict access to Kubernetes API

  • Kubernetes Documentation > Concepts > Security > Controlling Access to the Kubernetes API

• Use Role Based Access Controls to minimize exposure

  • Kubernetes Documentation > Reference > API Access Control > Using RBAC Authorization

• Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones

  • Kubernetes Documentation > Reference > API Access Control > Managing Service Accounts

• Update Kubernetes frequently

  • Kubernetes Documentation > Tasks > Administer a Cluster > Upgrade A Cluster

System Hardening (15%)

• Minimize host OS footprint (reduce attack surface)

  • Remove unnecessary packages
  • Identify and address open ports
  • Shut down any unnecessary services

• Minimize IAM roles

  • AWS > Security best practices in IAM
  • GCP - Using IAM securely
  • Azure > Best practices for Azure RBAC

• Minimize external access to the network

  • Kubernetes Documentation > Concepts > Services, Load Balancing, and Networking > Network Policies

• Appropriately use kernel hardening tools such as AppArmor, seccomp

  • Kubernetes Documentation > Tutorials > Security > Restrict a Container's Access to Resources with AppArmor
  • Kubernetes Documentation > Tutorials > Security > Restrict a Container's Syscalls with seccomp
  • AppArmor Documentation

Minimize Microservice Vulnerabilities (20%)

• Setup appropriate OS level security domains e.g. using PSP, OPA, security contexts

  • Kubernetes Documentation > Concepts > Security > Pod Security Policies
  • Kubernetes Blog > OPA Gatekeeper: Policy and Governance for Kubernetes
  • Kubernetes Documentation > Tasks > Configure Pods and > Containers > Configure a Security Context for a Pod or Container

• Manage kubernetes secrets

  • Kubernetes Documentation > Concepts > Configuration > Secrets

• Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers

  • Kubernetes Documentation > Concepts > Security > Pod Security Standards
  • Kubernetes Documentation > Concepts > Containers > Runtime Class
  • gvisor
  • kata containers

• Implement pod to pod encryption by use of mTLS

  • Kubernetes Documentation > Concepts > Services, Load Balancing, and Networking > Ingress > TLS

Supply Chain Security (20%)

• Minimize base image footprint

  • Remove exploitable and non-sssential software
  • Use multi-stage Dockerfiles to keep software compilation out of runtime images
  • Never bake any secrets into your images
  • Image scanning

• Secure your supply chain: whitelist allowed image registries, sign and validate images

  • Kubernetes Documentation > Reference > API Access Control > Using Admission Controllers > ImagePolicyWebhook

• Use static analysis of user workloads (e.g. kubernetes resources, docker files)

  • Secure base images
  • Remove unnecessary packages
  • Stop containers from using elevated privileges

• Scan images for known vulnerabilities

  • Trivy

Monitoring, Logging and Runtime Security (20%)

• Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities

  • Falco

• Detect threats within physical infrastructure, apps, networks, data, users and workloads

• Detect all phases of attack regardless where it occurs and how it spreads

  • Protecting Kubernetes Against MITRE ATT&CK

• Perform deep analytical investigation and identification of bad actors within environment

  • Kubernetes Documentation > Tasks > Monitoring, Logging, and Debugging >Auditing

• Ensure immutability of containers at runtime

  • Kubernetes Documentation > Concepts > Containers

  • Kubernetes Documentation > Tasks > Configure Pods and > Containers > Configure a Security Context for a Pod or Container

    readOnlyRootFilesystem: Mounts the container's root filesystem as read-only

• Use Audit Logs to monitor access

  • Kubernetes Documentation > Tasks > Monitoring, Logging, and Debugging >Auditing

CKS Preparation Courses

• Certified Kubernetes Security Specialist (CKS) - A Cloud Guru (formerly Linux Academy)
• KodeKloud - Certified Kubernetes Security Specialist (CKS)

kubectl Ninja

Tip: Use kubectl Cheatsheet during the exam. You don't need to decorate everything.

Practice

Practice a lot with Kubernetes:

• Killer.sh - CKS Simulator

CKS Tips

Some links that contain tips that might help you from different perspectives of the CKS exam.

• CKS Exam Guide and Tips
• How to pass CKS — Kubernetes Security Specialist exam