.svg){kind=logo}
How to master the Certified Kubernetes Security Specialist (CKS) CNCF program
First thing’s first: why CKS? Why do you need to study and obtain yet another Kubernetes certification? Let’s talk a step back. If you are into Kubernetes, CKA and CKAD are the two closely related certifications helping developers and DevOps teams to get acclimated to the world of Kubernetes; CKS is a different ball game. CKS leaps further to test the skills, knowledge, and proficiency on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment, and runtime. By the way, having the CKA certification is a mandatory requirement to take the CKS exam.
But why is security a critical topic when it comes to containers? Well, think about it this way: with traditional computing models, the Operating System (OS) offered a tightly-coupled architecture. Then, along came cloud, introducing a new world of “exposure” and a host of new security challenges with an additional layer to protect for (virtualization) and of course the attack surface that is now… “decentralized”. Containers are yet another abstraction. This time it is the operating system being virtualized to package only the required runtime for apps to run anywhere.
But in a microservice-based world, and as organizations are moving apps to containers - by just refactoring or even re-platforming them based on new microservice-based architectures, they have to skill up to face new security risks. This transition path is fraught with many perils encountering new threats at every step. Hence security has become a very crucial aspect.
CKS covers a comprehensive toolbox to help and bring that "awareness on all areas where security needs to be hardened for a Kubernetes based deployment." CKS is for all users in IT Operations, DevOps and platform teams that deal with Kubernetes across:
- Development
- Deployment
- Management
You will be examined in setting up clusters (10% exam weight), hardening them (15%) and their infrastructure (15%), securing microservice-based apps (20%), supply chain security (20%) and monitoring, logging and runtime security (20%). You will have 2 hours to complete 16 questions.
All the tools and features you need to know about
CKS is all about security carried through ecosystem tools/packages. There are 10 tools in total that anyone taking the exam will have to familiarize themselves with, and know how to use. Those are:
- Falco
Runtime security tool based on rules
https://falco.org/docs/ - Apparmor
Application security framework used both for Linux and Kubernetes security
https://apparmor.net/ - Open Policy Agent
Policy enforcement engine for Kubernetes
https://www.openpolicyagent.org/docs/latest/ - Gatekeeper
Validating webhook to enforce OPA policies in a Kubernetes cluster
https://open-policy-agent.github.io/gatekeeper/website/docs/ - gVisor
Container sandbox to run pods securely
https://gvisor.dev/docs/ - Trivy
Image vulnerability scanner
https://github.com/aquasecurity/trivy - Clair
Image vulnerability scanner
https://github.com/quay/clair/blob/main/Documentation/howto/getting_started.md - Kube Bench
CIS Benchmarking for Kubernetes
https://github.com/aquasecurity/kube-bench - Kubehunter [Optional but Good to Know]
Penetration testing
https://github.com/aquasecurity/kube-hunter - Sonobuoy [Optional but Good to Know]
Tool to run e2e conformance tests on Kubernetes Cluster
https://sonobuoy.io
Beyond the above 10 tools, there are important native Kubernetes concepts and features that you need to be comfortable with. Those are:
- RBAC
Access control to regulate access to resources at Cluster level and Namespace level
https://kubernetes.io/docs/reference/access-authn-authz/rbac/ - Network Policies
Policies to define how a pod can communicate with other pods and network entities
https://kubernetes.io/docs/concepts/services-networking/network-policies/ - Pod Security Context
A security context defines privilege and access control settings for a Pod or Container
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - Auditing
Set of policies to record different stages of events in Kubernetes cluster
https://kubernetes.io/docs/tasks/debug-application-cluster/audit/ - K8s Dashboard
Web based UI to monitor and manage Kubernetes cluster
https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/ - Node Restriction
Admission controller to limit the Node and Pod objects a kubelet can modify
https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction - ImagePolicyWebhook
Admission controller to enforce policies during image pull
https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook - Pod Security Policy
Admission controller to enforce different security controls on Kubernetes applications cluster-wide
https://kubernetes.io/docs/concepts/policy/pod-security-policy/
Setting up a system to practice
One of the important questions is: where do you practice? In order to try out all the tools and utilities noted above we would need a minimum configuration of:
- 1 Control Plane
- 1 worker node with 1.19 Kubernetes cluster running on Ubuntu OS
Here’s a quick overview of the steps you need to take:
- Install Kubernetes 1.19 with one Control Plane and a worker
- Upgrade the setup to 1.20 using the Kubernetes document
- Enable Auditing on the Kubernetes cluster and add audit rules
- Install K8s dashboard on the cluster and secure it
- Enable Node Restriction Admission controller and verify the feature on the worker node
- Enable ImagePolicy Admission controller and test image pull using the kube-image-bouncer server.
- Download and run kubebench on the Control Plane node and worker node
- Use the cluster to try out network security policies and RBAC
- Download and run Sonobuoy conformance check on the cluster
- Install trivy and claire on the Control Plane node.
- Scan all the images that are available as part of the Kubernetes deployment
- Create a nginx pod with Dockerfile.
- Ensure that the pod does not run as root and has the minimum set of privileges
- Launch the pod with different Security contexts
- Install gVisor and launch the Nginx pod using gVisor
- Configure Apparmor on the system and run the nginx pod using an apparmor profile
- Install Seccomp, configure it to block syscalls and run the nginx pod using the seccomp profile
**Important links and tips: **
- You probably already know this one: https://www.cncf.io/certification/cks
- Killer Shell - CKS CKA CKAD Simulator and don’t forget to check this out: every user who registers for the CKS gets two killer shells for practice for free https://killer.sh/faq. The shells are super helpful to get a hands-on before the Exam. Keep one shell reserved for the day before the exam as it helps you warm up your K8s skills right before you need it the most! Also try their CKS playground here: https://github.com/surajssd/cks-playground
- All Kubernetes exams allow browsing the Kubernetes doc site, so might be useful to create a bookmark for all the core pages to save time during the exams.
- Jq is a convenient tool for exams. Most of the security reports would be in JSON format that can be viewed with a text editor. JQ would help users extract just the piece of info they need with ease. To get the list of all pod names and the corresponding image used
kubectl get pods -n kube-system -o json | jq '.items[].spec.containers[] | .name +" "+ .image' - A quick primer on jq can be found here:
https://www.baeldung.com/linux/jq-command-json - Do not worry about setting up auto-completion, and it’s already set up for you.
Make use of it liberally. For example, an alias of k=kubectl would come in very handy. - Install and configure all the tools to get an excellent understanding of the deployment and configuration aspects of the tool. This comes in very handy for debugging tool issues in the exam.
Don’t forget to check out our January CKS webinar and recording and good luck!
