Stars: 422 · Rank: 99,374 (Top 3%) · Language: HCL · License: MIT License · Created over 3 years ago · Updated over 3 years ago


Repository Details

Certified Kubernetes Security Specialist Study Guide

CKS Overview

The CKS is the third Kubernetes-based certification backed by the Cloud Native Computing Foundation (CNCF), joining the existing Certified Kubernetes Administrator (CKA) and Certified Kubernetes Application Developer (CKAD) programs. All three certifications are online, proctored, performance-based exams that require solving multiple Kubernetes security tasks from the command line. With the massive investment in Kubernetes over the last five years, these certifications remain highly sought after by those seeking technical knowledge of Kubernetes.

This repository contains resources to build a Kubernetes cluster, and example questions and answers based on the Certified Kubernetes Security Specialist (CKS) exam curriculum.

Repository Structure

study_guide/
├── cluster_setup/
│   ├── Makefile
│   ├── gcp   -> Create a 1.19 cluster in GCP with RKE.
│   ├── aws   (coming soon)
│   └── azure (coming soon)
├── img/
│   └── all_images_used
├── walkthrough/
│   ├── p0_intro/
│   ├── p1_cluster_setup/
│   ├── p2_cluster_hardening/
│   ├── p3_system_hardening/
│   ├── p4_minimizing_vulnerabilities/
│   ├── p5_supply_chain_security/
│   └── p6_monitoring_logging_runtime_security/
├── LICENSE
└── README.md

Outline

The CKS test will be online, proctored and performance-based, and candidates have 2 hours to complete the exam tasks. This information is currently based on the Linux Foundation's release of the CKS outline.

From the CKS Exam Curriculum repository, the exam will test the following domains and competencies:

Exam News and Overview

-> CNCF CKS Overview

KubeCon Announcement and Preparation Tips

-> KubeCon Announcement and Linux Foundation Update

Curriculum

Below is the CKS curriculum broken down into its six sections. Each section has its own folder in the repository, where you can walk through individual questions relating to the respective topic. Each section in the curriculum overview also lists external resources that you may find useful in your studies.

Cluster Setup - 10%

Use the CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
Verify platform binaries before deploying
Protect node metadata and endpoints
Use network security policies to restrict cluster-level access
Properly set up Ingress objects with security control
Minimize use of, and access to, GUI elements

Cluster Hardening - 15%

Restrict access to Kubernetes API
Use Role-Based Access Control to minimize exposure
Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones

System Hardening - 15%

Minimize host OS footprint (reduce attack surface)
Minimize IAM roles
Minimize external access to the network
Appropriately use kernel hardening tools such as AppArmor, seccomp

Minimize Microservice Vulnerabilities - 20%

Set up appropriate OS-level security domains, e.g. using PSP, OPA, security contexts
Manage Kubernetes secrets
Use container runtime sandboxes in multi-tenant environments (e.g. gVisor, Kata Containers)
Implement pod-to-pod encryption by use of mTLS

Supply Chain Security - 20%

Minimize base image footprint
Secure your supply chain: whitelist allowed image registries, sign and validate images
Use static analysis of user workloads (e.g. Kubernetes resources, Dockerfiles)
Scan images for known vulnerabilities

Monitoring, Logging and Runtime Security - 20%

Perform behavioral analytics of syscall, process and file activities at the host and container level to detect malicious activities
Detect threats within physical infrastructure, apps, networks, data, users and workloads
Detect all phases of an attack regardless of where it occurs and how it spreads
Perform deep analytical investigation and identification of bad actors within the environment
Ensure immutability of containers at runtime
Use Audit Logs to monitor access

Extra Resources

More Repositories

Other repositories from the same organization, with language and star count as listed on the page:

| # | Repository | Description | Language | Stars |
|---|---|---|---|---|
| 1 | kube-linter | KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices. | Go | 2,766 |
| 2 | stackrox | The StackRox Kubernetes Security Platform performs a risk analysis of the container environment, delivers visibility and runtime alerts, and provides recommendations to proactively improve security by hardening the environment. | Go | 1,072 |
| 3 | admission-controller-webhook-demo | Kubernetes admission controller webhook example | Go | 241 |
| 4 | go-grpc-http1 | A gRPC via HTTP/1 Enabling Library for Go | Go | 105 |
| 5 | helm-charts | Helm charts for StackRox Kubernetes Security Platform | Smarty | 62 |
| 6 | collector | Runtime data collection for the StackRox Kubernetes Security Platform using eBPF | C++ | 52 |
| 7 | contributions | Samples for customer implementations & integrations | Shell | 46 |
| 8 | scanner | | Go | 39 |
| 9 | bsidessf-2020-workshop | Materials for a live workshop at BSidesSF on deployment-level Kubernetes security controls | Go | 36 |
| 10 | network-policy-examples | YAML files accompanying the StackRox Network Policies guide. | | 33 |
| 11 | kube-linter-action | GitHub action for automating KubeLinter. | | 32 |
| 12 | blog-examples | Sample code and files from StackRox blog posts | Open Policy Agent | 27 |
| 13 | ansible-demo | Create sales demos on k8s/OpenShift with Ansible | Jinja | 15 |
| 14 | acs-fleet-manager | | Go | 14 |
| 15 | k8s-i-use | Source for k8siuse, a site in the style of caniuse that visualizes GVKs and their fields over different versions of the Kubernetes API | CSS | 14 |
| 16 | helmtest | helmtest is a Go-based framework for testing helm charts in various configurations | Go | 12 |
| 17 | stackrox-env | Stackrox development environment | Nix | 8 |
| 18 | berserker | Workload generator for ACS Collector | Rust | 7 |
| 19 | jenkins-plugin | The StackRox Jenkins Plugin for image scanning and security | Java | 5 |
| 20 | dev-docs | | | 5 |
| 21 | kernel-packer | 📦 Crawl and repackage kernel headers for collector | Python | 5 |
| 22 | k8s-cves | Curated repo of Kubernetes CVEs | Go | 4 |
| 23 | dotnet-scraper | .NET scraper houses .NET vulnerabilities, a primitive scraper and a cron job to ensure that we have all the most updated vulns | Go | 3 |
| 24 | workflow | | Shell | 3 |
| 25 | falcosecurity-libs | Internal Fork of https://github.com/falcosecurity/libs | C | 3 |
| 26 | istio-cves | | Go | 3 |
| 27 | rox-ci-image | | Dockerfile | 2 |
| 28 | k8s-istio-cve-pusher | This repo pulls CVEs from NVD, filters them and pushes to stackrox google cloud bucket. | Go | 2 |
| 29 | junit-parse | Junit parsing CLI | Go | 2 |
| 30 | infra | 🌧️ Automated infrastructure and demo provisioning | Go | 2 |
| 31 | actions | Various Reusable GitHub Actions | Shell | 1 |
| 32 | prometheus-metric-parser | Utility to parse prometheus metrics and compare them against other metrics | Go | 1 |
| 33 | nvdtools | | Go | 1 |
| 34 | bleve | | Go | 1 |
| 35 | goland-indexes | Shared indexes for stackrox project | | 1 |
| 36 | automation-standard | 🤖 A micro-framework for building standardized cluster automation entrypoints | Go | 1 |
| 37 | docker-registry-client | Public fork of github.com/heroku/docker-registry-client | Go | 1 |
| 38 | release-registry | A mechanism to mark, identify and search release artifacts using Quality Milestones. | Go | 1 |
| 39 | central-login | | TypeScript | 1 |