Vulnerabilities in software and IT infrastructure pose a major threat to organizations. In response, the Cloud Native Computing Foundation (CNCF) developed the Certified Kubernetes Security Specialist (CKS) certification to verify an administrator's proficiency to protect Kubernetes clusters and the cloud native software they contain. This practical book helps you fully prepare for the certification exam by walking you through all of the topics covered.
Different from typical multiple-choice formats used by other certifications, this performance-based exam requires deep knowledge of the tasks it covers under intense time pressure. If you want to pass the CKS exam on the first go, author Benjamin Muschko shares his personal experience to help you learn the objectives, abilities, and tips and tricks you need to pass on the first attempt.
• Identify, mitigate, and/or minimize threats to cloud native applications and Kubernetes clusters
• Learn the ins and outs of Kubernetes's security features, and external tools for security detection and mitigation purposes
• Demonstrate competency to perform the responsibilities of a Kubernetes administrator or application developer with a security viewpoint
• Solve real-world Kubernetes problems in a hands-on, command-line environment
• Effectively navigate and solve questions during the CKS exam
Author(s): Benjamin Muschko
Edition: 1
Publisher: O'Reilly Media
Year: 2023
Language: English
Commentary: Publisher's PDF
Pages: 211
City: Sebastopol, CA
Tags: DevOps; Security; Monitoring; System Administration; Logging; Microservices; Clusters; Best Practices; Kubernetes; Hardening; Certification
Copyright
Table of Contents
Preface
Who This Book Is For
What You Will Learn
Structure of This Book
Conventions Used in This Book
Using Code Examples
O’Reilly Online Learning
How to Contact Us
Acknowledgments
Chapter 1. Exam Details and Resources
Kubernetes Certification Learning Path
Kubernetes and Cloud Native Associate (KCNA)
Kubernetes and Cloud Native Security Associate (KCSA)
Certified Kubernetes Application Developer (CKAD)
Certified Kubernetes Administrator (CKA)
Certified Kubernetes Security Specialist (CKS)
Exam Objectives
Curriculum
Cluster Setup
Cluster Hardening
System Hardening
Minimize Microservice Vulnerabilities
Supply Chain Security
Monitoring, Logging, and Runtime Security
Involved Kubernetes Primitives
Involved External Tools
Documentation
Candidate Skills
Practicing and Practice Exams
Summary
Chapter 2. Cluster Setup
Using Network Policies to Restrict Pod-to-Pod Communication
Scenario: Attacker Gains Access to a Pod
Observing the Default Behavior
Denying Directional Network Traffic
Allowing Fine-Grained Incoming Traffic
Applying Kubernetes Component Security Best Practices
Using kube-bench
The kube-bench Verification Result
Fixing Detected Security Issues
Creating an Ingress with TLS Termination
Setting Up the Ingress Backend
Creating the TLS Certificate and Key
Creating the TLS-Typed Secret
Creating the Ingress
Calling the Ingress
Protecting Node Metadata and Endpoints
Scenario: A Compromised Pod Can Access the Metadata Server
Protecting Metadata Server Access with Network Policies
Protecting GUI Elements
Scenario: An Attacker Gains Access to the Dashboard Functionality
Installing the Kubernetes Dashboard
Accessing the Kubernetes Dashboard
Creating a User with Administration Privileges
Creating a User with Restricted Privileges
Avoiding Insecure Configuration Arguments
Verifying Kubernetes Platform Binaries
Scenario: An Attacker Injected Malicious Code into Binary
Verifying a Binary Against Hash
Summary
Exam Essentials
Sample Exercises
Chapter 3. Cluster Hardening
Interacting with the Kubernetes API
Processing a Request
Connecting to the API Server
Restricting Access to the API Server
Scenario: An Attacker Can Call the API Server from the Internet
Restricting User Permissions
Scenario: An Attacker Can Call the API Server from a Service Account
Minimizing Permissions for a Service Account
Updating Kubernetes Frequently
Versioning Scheme
Release Cadence
Performing the Upgrade Process
Summary
Exam Essentials
Sample Exercises
Chapter 4. System Hardening
Minimizing the Host OS Footprint
Scenario: An Attacker Exploits a Package Vulnerability
Disabling Services
Removing Unwanted Packages
Minimizing IAM Roles
Scenario: An Attacker Uses Credentials to Gain File Access
Understanding User Management
Understanding Group Management
Understanding File Permissions and Ownership
Minimizing External Access to the Network
Identifying and Disabling Open Ports
Setting Up Firewall Rules
Using Kernel Hardening Tools
Using AppArmor
Using seccomp
Summary
Exam Essentials
Sample Exercises
Chapter 5. Minimizing Microservice Vulnerabilities
Setting Appropriate OS-Level Security Domains
Scenario: An Attacker Misuses root User Container Access
Understanding Security Contexts
Enforcing the Usage of a Non-Root User
Setting a Specific User and Group ID
Avoiding Privileged Containers
Scenario: A Developer Doesn’t Follow Pod Security Best Practices
Understanding Pod Security Admission (PSA)
Enforcing Pod Security Standards for a Namespace
Understanding Open Policy Agent (OPA) and Gatekeeper
Installing Gatekeeper
Implementing an OPA Policy
Managing Secrets
Scenario: An Attacker Gains Access to the Node Running etcd
Accessing etcd Data
Encrypting etcd Data
Understanding Container Runtime Sandboxes
Scenario: An Attacker Gains Access to Another Container
Available Container Runtime Sandbox Implementations
Installing and Configuring gVisor
Creating and Using a Runtime Class
Understanding Pod-to-Pod Encryption with mTLS
Scenario: An Attacker Listens to the Communication Between Two Pods
Adopting mTLS in Kubernetes
Summary
Exam Essentials
Sample Exercises
Chapter 6. Supply Chain Security
Minimizing the Base Image Footprint
Scenario: An Attacker Exploits Container Vulnerabilities
Picking a Base Image Small in Size
Using a Multi-Stage Approach for Building Container Images
Reducing the Number of Layers
Using Container Image Optimization Tools
Securing the Supply Chain
Signing Container Images
Scenario: An Attacker Injects Malicious Code into a Container Image
Validating Container Images
Using Public Image Registries
Scenario: An Attacker Uploads a Malicious Container Image
Whitelisting Allowed Image Registries with OPA GateKeeper
Whitelisting Allowed Image Registries with the ImagePolicyWebhook Admission Controller Plugin
Implementing the Backend Application
Configuring the ImagePolicyWebhook Admission Controller Plugin
Static Analysis of Workload
Using Hadolint for Analyzing Dockerfiles
Using Kubesec for Analyzing Kubernetes Manifests
Scanning Images for Known Vulnerabilities
Summary
Exam Essentials
Sample Exercises
Chapter 7. Monitoring, Logging, and Runtime Security
Performing Behavior Analytics
Scenario: A Kubernetes Administrator Can Observe Actions Taken by an Attacker
Understanding Falco
Installing Falco
Configuring Falco
Generating Events and Inspecting Falco Logs
Understanding Falco Rule File Basics
Overriding Existing Rules
Ensuring Container Immutability
Scenario: An Attacker Installs Malicious Software
Using a Distroless Container Image
Configuring a Container with a ConfigMap or Secret
Configuring a Read-Only Container Root Filesystem
Using Audit Logs to Monitor Access
Scenario: An Administrator Can Monitor Malicious Events in Real Time
Understanding Audit Logs
Creating the Audit Policy File
Configuring a Log Backend
Configuring a Webhook Backend
Summary
Exam Essentials
Sample Exercises
Appendix A. Answers to Review Questions
Chapter 2, “Cluster Setup”
Chapter 3, “Cluster Hardening”
Chapter 4, “System Hardening”
Chapter 5, “Minimize Microservice Vulnerabilities”
Chapter 6, “Supply Chain Security”
Chapter 7, “Monitoring, Logging, and Runtime Security”
Index
About the Author
Colophon
