Let’s have a look at the official syllabus-based resources for the CKS exam. All the topics mentioned are as per the official Linux Foundation Certified Kubernetes Security Specialist (CKS) Exam Curriculum.
The CKS exam aims to test your skills in different security aspects of Kubernetes. The following table shows the different domains and their weightage in the CKS Exam Curriculum.
| Topic | Weightage |
|---|---|
| Cluster Setup | 10% |
| Cluster Hardening | 15% |
| System Hardening | 15% |
| Minimize Microservice Vulnerabilities | 20% |
| Supply Chain Security | 20% |
| Monitoring, Logging, and Runtime Security | 20% |
Cluster Setup 10%
This section carries 10% weightage in the CKS Exam Curriculum.
Under Cluster Setup, the security features of the cluster components are the centre of attention.
Use Network security policies to restrict cluster-level access
- Kubernetes Network Security Policy Documentation
- Traffic using network policies
- Securing Kubernetes clusters
- Declare network policies to control how Pods communicate
- Strengthen the cluster network strategy
Use CIS benchmarks to check the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
The benchmarks for Kubernetes security requirements were developed by the Center for Internet Security (CIS) and the Kubernetes community.
The Kubernetes CIS benchmarks can help organisations meet compliance and security needs.
Configure the security settings of the ingress
- Ingress documentation
- What is Ingress?
- What are Ingress Controllers?
- Set up Ingress on Minikube with an ingress controller
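A TLS-terminating Ingress as an added example (not from the original article or the linked documentation). The hostname, the `shop` Service, the `nginx` ingress class and the ingress-nginx annotation are assumptions; the certificate and key are placeholders.

```yaml
# Added example. The Secret must be of type kubernetes.io/tls and live in the
# same namespace as the Ingress that references it.
apiVersion: v1
kind: Secret
metadata:
  name: shop-tls
  namespace: web
type: kubernetes.io/tls
data:
  tls.crt: <base64-encoded PEM certificate>   # placeholder, e.g. from `base64 -w0 tls.crt`
  tls.key: <base64-encoded PEM private key>   # placeholder
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop
  namespace: web
  annotations:
    # ingress-nginx specific: send plain-HTTP clients a redirect to HTTPS
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx          # assumption: ingress-nginx is the controller
  tls:
    - hosts:
        - shop.example.com
      secretName: shop-tls         # without this block the host is served over plain HTTP
  rules:
    - host: shop.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: shop
                port:
                  number: 80
```

Check the result with `kubectl describe ingress shop -n web`, which lists the TLS hosts and the Secret it terminates with.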
Protect node metadata and endpoints
- Restrict access to metadata via API
- Restricting cloud metadata API access
- Guide to configuring network policies
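Two NetworkPolicies as an added example covering both the network-policy subtopic and the metadata-endpoint subtopic above (this is not code from the original article). The namespace `payments`, the label `app=api` and the `k8s-app=kube-dns` label on the DNS pods are assumptions; 169.254.169.254 is the link-local address cloud providers use for the instance metadata service.

```yaml
# Added example. First policy: deny everything for every pod in the namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}            # empty selector: every pod in the namespace
  policyTypes:
    - Ingress
    - Egress                 # no rules listed, so all ingress and egress is denied
---
# Second policy: re-open egress for the api pods, but never to the metadata IP.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-egress-no-metadata
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Egress
  egress:
    # DNS to the cluster DNS pods in kube-system. kubernetes.io/metadata.name
    # is set automatically on every namespace; k8s-app=kube-dns is assumed.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Anything else, except the cloud metadata endpoint
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 169.254.169.254/32
```

Policies are additive, so the allow rules in the second policy only apply to pods matching `app=api`; every other pod in `payments` stays fully isolated by the first policy.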
Minimize the use and access to the dashboard
Kubernetes dashboard access must be secured because cluster users from many networks inside an organization use it. Additionally, numerous Kubernetes compromises have been caused by misconfigured dashboard security settings.
You must become familiar with all the configurations and best practices needed to set up a secure Kubernetes dashboard.
Verify platform binaries before deployment
Learn how to use checksums to validate the Kubernetes binaries. The version numbers and SHA checksums needed to validate the binaries are available on the Kubernetes GitHub release page.
Cluster Hardening 15%
This section carries 15% weightage in the CKS Exam Curriculum.
Restrict access to the Kubernetes API
When it comes to Kubernetes production implementation, restricting API access is crucial. Only services with the necessary permissions should have access to the Kubernetes API, including those running within the cluster.
Bootstrap tokens, RBAC, ABAC, service accounts, and admission webhooks are the main topics under this area.
- Ways to access Kubernetes cluster API
- Controlling access to Kubernetes API
- Kubernetes Authentication Overview
- Kubernetes Authorization Overview
- Admission Controllers Overview
- Admission Webhooks Overview
- Understand the process of accessing the Kubernetes API
- Control access to the Kubernetes API
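An excerpt of a hardened kube-apiserver static Pod manifest as an added example (not from the original article). It shows the flags that both the "Restrict access to the Kubernetes API" subtopic and the CIS benchmark checks for the API server are concerned with; the kubeadm path `/etc/kubernetes/manifests/kube-apiserver.yaml` and the PKI paths are assumptions, and the many unrelated flags of a real manifest are omitted.

```yaml
# Added example: only the access-control flags are shown.
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
    - name: kube-apiserver
      image: registry.k8s.io/kube-apiserver:<version>   # placeholder tag
      command:
        - kube-apiserver
        # Weak default flagged by the CIS benchmark: --anonymous-auth=true maps
        # unauthenticated requests to system:anonymous. Turn it off:
        - --anonymous-auth=false
        # Require RBAC (plus the Node authorizer for kubelets); never AlwaysAllow
        - --authorization-mode=Node,RBAC
        # NodeRestriction stops a kubelet from modifying objects of other nodes
        - --enable-admission-plugins=NodeRestriction
        # Client-certificate authentication for users and control-plane components
        - --client-ca-file=/etc/kubernetes/pki/ca.crt
        # Serving certificate so that clients can verify the API server
        - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
        - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
        # Profiling endpoints expose internal details; the benchmark wants them off
        - --profiling=false
```

Because the kubelet watches the manifests directory, saving the file restarts the API server; check with `kubectl -n kube-system get pod kube-apiserver-<node>` once it comes back.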
Use RBAC to minimize resource exposure
To uphold the principle of least privilege, Kubernetes RBAC enables you to create fine-grained control over who has access to the Kubernetes API. A common error made during Kubernetes implementations is granting unnecessary cluster-wide access to everyone.
Exercise caution in using service accounts, e.g., disable defaults and minimize permissions on newly created ones
The ideal way to grant API access to applications or pods that need the Kubernetes API is through service accounts.
If you don’t explicitly specify a service account, the default service account of the namespace will be associated with the pod. The default service account has no privileges. However, if you assign a role to it, all of the access indicated in the role will be granted to it, and that access applies to every pod in the namespace that uses the default service account.
To uphold the principle of least privilege, it is common practice to deploy different workloads with separate service accounts.
- Service Account Management Guide
- Configure service account for a Pod
- Access Control: Exploring Service Account SA
- Kubernetes: Create Service Accounts and Kubeconfigs
- Set the service account (SA) for Pods
- Kubernetes should not mount the default service account
- Secure Kubernetes clusters by eliminating dangerous permissions
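A least-privilege ServiceAccount, namespaced Role and RoleBinding as an added example for the RBAC and service-account subtopics above (not code from the original article). The namespace `payments`, the workload name `report-runner` and the image are assumptions.

```yaml
# Added example. A dedicated SA instead of "default", with token mounting off
# by default so only pods that opt in get an API token.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: report-runner
  namespace: payments
automountServiceAccountToken: false
---
# Namespaced Role: read-only on ConfigMaps in "payments" only. No ClusterRole,
# no ClusterRoleBinding, no wildcard ("*") verbs or resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configmap-reader
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: report-runner-configmap-reader
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: report-runner
    namespace: payments
roleRef:
  kind: Role
  name: configmap-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: report-runner
  namespace: payments
spec:
  serviceAccountName: report-runner      # not "default"
  automountServiceAccountToken: true     # this pod really needs the API, so opt in here
  containers:
    - name: runner
      image: registry.example.com/report-runner:1.0   # placeholder image
```

Verify the effective permissions from the SA's point of view with `kubectl auth can-i list configmaps -n payments --as=system:serviceaccount:payments:report-runner` (expected `yes`) and `kubectl auth can-i delete pods -n payments --as=system:serviceaccount:payments:report-runner` (expected `no`).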
Update Kubernetes frequently
To ensure the availability of the application, you should follow the recommended procedure whenever you upgrade a Kubernetes cluster.
System Hardening 15%
This section carries 15% weightage in the CKS Exam Curriculum.
System hardening tries to decrease attack surfaces by addressing vulnerabilities in infrastructure and application components.
The typical system hardening tasks include:
- patching as needed
- removing unnecessary utilities
- limiting access using tools and firewall rules
- logging every system action
We have the following list of system hardening efforts for CKS.
Minimize host OS footprint (reduce attack surface)
Minimize IAM roles
- Learn what the Principle of Least Privilege (POLP) is
- Refer to the RBAC section
Minimize external network access
Appropriate use of kernel hardening tools, such as AppArmor, seccomp
- Restrict a Container’s Access to Resources with AppArmor
- Restrict a Container’s Syscalls with Seccomp
- Securing a Pod Using AppArmor
- Set the Seccomp Profile for a Container
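A Pod that attaches both a seccomp profile and an AppArmor profile as an added example (not from the original article or the linked tasks). It assumes a seccomp profile file exists on the node at `/var/lib/kubelet/seccomp/profiles/audit.json` (the kubelet resolves `localhostProfile` relative to `<kubelet-root>/seccomp/`) and that an AppArmor profile named `k8s-deny-write` has been loaded on the node with `apparmor_parser`; the image tag is an assumption.

```yaml
# Added example. Contents assumed for /var/lib/kubelet/seccomp/profiles/audit.json:
#   {"defaultAction": "SCMP_ACT_LOG"}
# i.e. allow every syscall but log them, a useful first step before writing
# an allow-list with "defaultAction": "SCMP_ACT_ERRNO".
apiVersion: v1
kind: Pod
metadata:
  name: hardened-web
  annotations:
    # AppArmor is bound per container through this annotation
    # (key suffix = container name; securityContext.appArmorProfile replaces
    # the annotation on Kubernetes 1.30 and later)
    container.apparmor.security.beta.kubernetes.io/web: localhost/k8s-deny-write
spec:
  securityContext:
    # Pod-level seccomp: a profile shipped to the node. Without a custom file,
    # type: RuntimeDefault applies the container runtime's default profile and
    # is the minimum the "restricted" Pod Security Standard expects.
    seccompProfile:
      type: Localhost
      localhostProfile: profiles/audit.json
  containers:
    - name: web
      image: nginx:1.25          # assumption
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

If the profile file or the AppArmor profile is missing on the node the pod is scheduled to, the pod stays in a failed or blocked state, and `kubectl describe pod hardened-web` shows the reason.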
Minimize Microservice Vulnerabilities 20%
This section carries 20% weightage in the CKS Exam Curriculum.
This section focuses mainly on service-to-service communications, as the title suggests. The fundamental ideas and Kubernetes objects involved in safeguarding communication between pods must all be mastered.
Improve security with PSP, OPA, security context
- Learn what Open Policy Agent (OPA) is
- Configuration of OPA Gatekeeper
- Configure a Security Context for a Pod or Container
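An OPA Gatekeeper ConstraintTemplate and Constraint as an added example of the OPA subtopic (not from the original article; assumes Gatekeeper is installed in the cluster). The template rejects any Pod that asks for a privileged container; the kind name `K8sDisallowPrivileged` is an assumption.

```yaml
# Added example. The ConstraintTemplate defines the policy (Rego) and a new
# CRD kind; the Constraint instantiates it and decides what it applies to.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sdisallowprivileged
spec:
  crd:
    spec:
      names:
        kind: K8sDisallowPrivileged     # the kind used by the Constraint below
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdisallowprivileged

        # One violation per offending container; input.review.object is the
        # Pod being admitted. An undefined privileged field makes the body
        # false, so unset/false values do not produce a violation.
        violation[{"msg": msg}] {
          c := input.review.object.spec.containers[_]
          c.securityContext.privileged == true
          msg := sprintf("privileged container is not allowed: %v", [c.name])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowPrivileged
metadata:
  name: no-privileged-pods
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]   # assumption: system pods are exempt
```

A `kubectl run` of a pod with `privileged: true` in any non-excluded namespace is then denied at admission with the `msg` text from the Rego rule.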
Manage Kubernetes secrets
Use container runtime sandboxes in multi-tenant environments (e.g. gVisor, Kata Containers)
- Sandboxed Pods
- Workload Isolation using gVisor and Kata Containers
- What is gVisor? Install gVisor
- Secure Containers with Google’s gVisor
- Running Pods with gVisor
- Kata Containers and Kubernetes: how do they fit together?
- How to use Kata Containers with Kubernetes?
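A RuntimeClass for gVisor and a Pod that opts into it, as an added example (not from the original article). It assumes the node's containerd configuration already defines a runtime handler named `runsc`; the namespace and image are placeholders.

```yaml
# Added example. The handler name must match the CRI runtime's configuration,
# e.g. [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc] in
# containerd's config.toml (assumed to be set up already).
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
---
apiVersion: v1
kind: Pod
metadata:
  name: upload-parser
  namespace: tenant-a            # assumption
spec:
  # Syscalls from this pod are served by gVisor's user-space kernel (the
  # Sentry) instead of the host kernel, shrinking the shared attack surface
  # between tenants on the same node.
  runtimeClassName: gvisor
  containers:
    - name: parser
      image: registry.example.com/upload-parser:2.1   # placeholder
```

Inside a sandboxed pod, `dmesg` prints gVisor's own boot messages rather than the host kernel's, which is a quick way to confirm the RuntimeClass took effect.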
Implement Pod-to-Pod encryption using mTLS
Kubernetes does not document a built-in process for enabling mTLS between pods. However, you can create the certificates used for pod-to-pod encryption through the Kubernetes certificates.k8s.io API.
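A CertificateSigningRequest for a service's mTLS certificate as an added example (not from the original article). The signer `example.com/serving` is a custom signer you operate yourself, as in the Kubernetes "Manage TLS Certificates in a Cluster" task; the service name and the base64 CSR are placeholders.

```yaml
# Added example. The CSR is generated outside the cluster, e.g.:
#   openssl req -new -newkey rsa:2048 -nodes -keyout tls.key -out tls.csr \
#     -subj "/CN=payments-api.payments.svc" \
#     -addext "subjectAltName=DNS:payments-api.payments.svc"
#   base64 -w0 tls.csr      # goes into spec.request
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: payments-api.payments.svc
spec:
  request: <base64-encoded PEM CSR>     # placeholder
  signerName: example.com/serving       # custom signer; not one of the kubernetes.io/* built-ins
  usages:
    - digital signature
    - key encipherment
    - server auth
    - client auth          # the pod also presents this cert as a client in mTLS
```

An approval with `kubectl certificate approve payments-api.payments.svc` only records the decision; with a custom signer, your CA must issue the certificate and write it to `status.certificate`, after which it can be stored with `tls.key` in a `kubernetes.io/tls` Secret and mounted into the pods on both sides of the connection.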
Supply Chain Security 20%
This section carries 20% weightage in the CKS Exam Curriculum.
The Linux Foundation course outline emphasises the following key ideas:
- Minimize base image footprint
- Secure your supply chain: whitelist allowed registries, sign and validate images
- Use static analysis of user workloads (e.g. Kubernetes resources, Dockerfiles)
- Scan images for known vulnerabilities
Considering that this area accounts for 20% of the total points, it is reasonable to anticipate 3-5 supply chain security-related questions.
The various ideas that the CKS will emphasize in the supply chain security area are summarized below.
Minimize base image footprint
Secure the supply chain: whitelist allowed image repositories, sign and verify images
- Understanding Admission Controllers
- Using ImagePolicyWebhook Admission Controller
- Understand and configure ImagePolicyWebhooks to ensure that only images from approved sources are run
- Sign and verify images
Use static analysis of user workloads (e.g. Kubernetes resources, Dockerfiles)
Scan images for known vulnerabilities
Monitoring, Logging and Runtime Security 20%
The sixth and last section of the CKS Exam focuses on cluster monitoring, logging, and runtime security.
The Linux Foundation emphasises the following fundamental ideas:
- Conduct behavioral analytics of syscall, process, and file activity at the host and container level to look for malicious activity.
- Detect threats within physical infrastructure, apps, networks, data, users, and workloads.
- Detect every stage of an attack, no matter where it starts or how it spreads.
- Conduct in-depth analysis to identify bad actors in the environment.
- Ensure containers are immutable at runtime.
- Monitor access with audit logging.
This section accounts for 20% of the points, so it is reasonable to expect 3-5 questions concerning runtime security, logging, and monitoring during the exam.
The various concepts that the CKS will highlight in the monitoring, logging, and runtime security area are outlined below.
Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities
Detect threats in physical infrastructure, applications, networks, data, users and workloads
Falco is a runtime threat detection engine for Kubernetes. It detects abnormal program behavior and alerts users to it.
- Using Falco for threat detection
- Kubernetes configuration security threats
- Kubernetes Threat Modeling Guide
Detect all phases of an attack, no matter where it occurs and how it spreads
- Using Falco for threat detection
- Kubernetes attack scenarios in the threat stack
- Anatomy of a Kubernetes Attack – How Untrusted Docker Images Broke Us Down
- Why do we use immutable Docker images?
- With immutable infrastructure, your system can come back to life
Perform deep analytical investigation and identification of bad actors within the environment
Ensure immutability of containers at runtime
Instead of using PodSecurityPolicy, you can enforce similar restrictions on Pods using either or both:
- Pod Security Admission
- a third-party admission plugin that you deploy and configure yourself
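A Namespace enforcing the `restricted` Pod Security Standard through Pod Security Admission, and a Pod that satisfies it with a read-only root filesystem, as an added example covering the security-context and runtime-immutability subtopics (not from the original article). The namespace `payments` and the image are assumptions.

```yaml
# Added example. Pod Security Admission is built into the API server; these
# labels are the replacement for PodSecurityPolicy.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    pod-security.kubernetes.io/enforce: restricted   # reject non-compliant pods
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted      # warn kubectl users
    pod-security.kubernetes.io/audit: restricted     # annotate audit events
---
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault            # required by the restricted profile
  containers:
    - name: api
      image: registry.example.com/api:1.4     # placeholder; pin by digest in practice
      securityContext:
        readOnlyRootFilesystem: true        # the image cannot be altered at runtime
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        # Only explicitly declared, ephemeral paths are writable
        - name: tmp
          mountPath: /tmp
        - name: cache
          mountPath: /var/cache/api
  volumes:
    - name: tmp
      emptyDir: {}
    - name: cache
      emptyDir: {}
```

Any attempt to write outside `/tmp` or `/var/cache/api` inside the container fails with a read-only filesystem error, and a pod in this namespace that omits `runAsNonRoot`, the seccomp profile or the capability drop is rejected at admission with a message naming the violated field.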
Kubernetes Audit
- Upon registration, you have ONE YEAR to schedule and complete the exam.
- The CKA exam is conducted online and remotely proctored.
- To pass the exam, you must achieve a score of 67% or higher.
- The CKS Certification remains valid for a period of 2 years.
- You are allowed a maximum of 2 attempts to take the test. However, if you miss a scheduled exam for any reason, your second attempt will be invalidated.
- Free access to killer.sh for the CKS practice exam.