Certified Kubernetes Security Specialist (CKS) Course
These are notes from the Certified Kubernetes Security Specialist (CKS) hosted on KodeKloud.
Please note that the CKS is an advanced level course. There are concepts in this course where some prior knowledge is assumed and is not taught in bite-sized pieces. This includes:
- You hold a valid (not expired) CKA certificate. You cannot take the exam without it.
- Any concepts that were taught in the CKA will not necessarily be repeated here, including things like knowing when to edit or replace a running pod. In some lectures and lab solutions, it is assumed that you know these concepts already.
  On this basis, and because you should be reasonably confident with Kubernetes by now, we don't provide lab/mock exam solution walkthrough videos. All lab solutions may be found as text documents in this repo. These solutions also don't always provide detailed explanations, as you should be able to see from what is given why it is the correct solution.
- Reasonable proficiency with Linux and the standard tools it provides, such as `find`, `grep`, `sed`, `cut`, `tr` and the like. If you're not comfortable with these, you should first take our Linux Basics course.
- Proficiency with JSON, YAML, jsonpath and tools like `jq`. If you need a refresher on this, check our JSONPath course.
Sections
- 03-Cluster-Setup-and-Hardening
  - 01-Section-Introduction
  - 02-What-are-CIS-Benchmarks
  - 03-Lab-Run-CIS-Benchmark-Assessment-tool-on-Ubuntu
  - 04-CIS-benchmark-for-Kubernetes
  - 05-Kube-bench
  - 06-Lab-Kube-bench
  - 07-Kubernetes-Security-Primitives
  - 08-Authentication
  - 09-Service-Accounts
  - 10-Lab-Service-Accounts
  - 11-TLS-Introduction
  - 12-TLS-Basics
  - 13-TLS-in-Kubernetes
  - 14-TLS-in-Kubernetes-Certificate-Creation
  - 15-View-Certificate-Details
  - 16-Labs-View-Certificates
  - 17-Certificates-API
  - 18-Labs-Certificates-API
  - 19-KubeConfig
  - 20-Labs-KubeConfig
  - 21-API-Groups
  - 22-Authorization
  - 23-RBAC
  - 24-Labs-RBAC
  - 25-Cluster-Roles-and-Role-Bindings
  - 26-Labs-Cluster-Roles-and-Role-Bindings
  - 27-Kubelet-Security
  - 28-Labs-Kubelet-Security
  - 29-Kubectl-Proxy-Port-Forward
  - 30-Labs-Kubectl-Proxy-Port-Forward
  - 31-Kubernetes-Dashboard
  - 32-Securing-Kubernetes-Dashboard
  - 33-Labs-Securing-Kubernetes-Dashboard
  - 34-Verify-platform-binaries-before-deploying
  - 35-Labs-Verify-platform-binaries-before-deploying
  - 36-Kubernetes-Software-Versions
  - 37-Cluster-Upgrade-Process
  - 38-Demo-Cluster-Upgrade-Process
  - 39-Labs-Cluster-Upgrade-Process
  - 40-Network-Policy
  - 41-Developing-Network-Policies
  - 42-Labs-Network-Policies
  - 43-Ingress
  - 44-Labs-Ingress-1
  - 45-Ingress-Annotations-and-rewrite-target
  - 46-Labs-Ingress-2
  - 47-Docker-Service-Configuration
  - 48-Docker-Securing-the-Daemon
  - 49-Cipher-Suites
-
  - 01-Section-Introduction
  - 02-Least-Privilege-Principle
  - 03-Minimize-host-OS-footprint-Intro
  - 04-Limit-Node-Access
  - 05-lab-Limit-Node-Access
  - 06-SSH-Hardening
  - 07-Privilege-Escalation-in-Linux
  - 08-Lab-SSH-Hardening-and-sudo
  - 09-Remove-Obsolete-Packages-and-Services
  - 10-Restrict-Kernel-Modules
  - 11-Identify-and-Disable-Open-Ports
  - 12-Lab-Identify-open-ports,-remove-packages-services
  - 13-Minimize-IAM-roles
  - 14-Minimize-external-access-to-the-network
  - 15-UFW-Firewall-Basics
  - 16-Lab-UFW-Firewall-Basics
  - 17-Linux-Syscalls
  - 18-AquaSecTracee
  - 19-Restrict-syscalls-using-seccomp
  - 20-Implement-Seccomp-in-Kubernetes
  - 21-Lab-Seccomp
  - 22-AppArmor
  - 23-Creating-AppArmor-Profiles
  - 24-AppArmor-in-Kubernetes
  - 25-Linux-Capabilities
  - 26-Lab-AppArmor
- 05-Minimize-Microservice-Vulnerabilities
  - 01-Section-Introduction
  - 02-Security-Contexts
  - 03-Labs-Security-Contexts
  - 04-Admission-Controllers
  - 05-Labs-Admission-Controllers
  - 06-Validating-and-Mutating-Admission-Controllers
  - 07-Labs-Validating-and-Mutating-Admission-Controllers
  - 08-Pod-Security-Policies
  - 09-Labs-PSP
  - 10-Open-Policy-Agent-(OPA)
  - 11-Labs-OPA
  - 12-OPA-in-Kubernetes
  - 13-Labs-OPA-in-Kubernetes
  - 14-OPA-Gatekeeper-in-Kubernetes
  - 15-Manage-Kubernetes-secrets
  - 16-Lab-Manage-Kubernetes-secrets
  - 17-Container-Sandboxing
  - 18-gVisor
  - 19-kata-Containers
  - 20-Runtime-Classes
  - 21-Using-Runtimes-in-Kubernetes
  - 22-Lab-Using-Runtimes-in-Kubernetes
  - 23-One-way-SSL-vs-Mutual-SSL
  - 24-Implement-pod-to-pod-encryption-by-use-of-mTLS
-
  - 01-Section-Introduction
  - 02-Minimize-base-image-footprint
  - 03-Image-Security
  - 04-Labs-Image-Security
  - 05-Whitelist-Allowed-Registries-Image-Policy-Webhook
  - 06-Labs-Whitelist-Allowed-Registries-ImagePolicyWebhook
  - 07-Use-static-analysis-of-user-workloads
  - 08-Labs-kubesec
  - 09-Scan-images-for-known-vulnerabilities-(Trivy)
  - 10-Labs-Trivy
- 07-Monitoring,-Logging-and-Runtime-Security
  - 01-Section-Introduction
  - 02-Perform-behavioral-analytics-of-syscall-process
  - 03-Falco-Overview-and-Installation
  - 04-Use-Falco-to-Detect-Threats
  - 05-Falco-Configuration-Files
  - 06-Labs-Use-Falco-to-detect-threats
  - 07-Mutable-vs-Immutable-Infrastructure-Mutable-vs-Immutable-Infrastructure
  - 08-Ensure-Immutability-of-Containers-at-Runtime
  - 09-Lab-Ensure-Immutability-of-Containers-at-Runtime
  - 10-Use-Audit-Logs-to-monitor-access
  - 11-Labs-Use-Audit-Logs-to-monitor-access