Certified Kubernetes Security Specialist - CKSS

This repository is a collection of resources to prepare for the Certified Kubernetes Security Specialist (CKSS) exam.

The given references and links below are just assumptions and ideas around the CKSS curriculum.

CKS Overview

The Kubernetes Security Specialist (CKS) certification ensure that the holder has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime.

The certification is generally available to take from here as anounced during the KubeCon NA20

CKS Outline

The CKS test will be online, proctored and performance-based with 15-20 hands-on performance based tasks, and candidates have 2 hours to complete the exam tasks.

From the CKS Exam Curriculum repository, The exam will test domains and competencies including:

1. Cluster Setup (15%): Best practice configuration to control the environment's access, rights and platform conformity.
2. Cluster Hardening (15%): Protecting K8s API and utilize RBAC.
3. System Hardening (10%): Improve the security of OS & Network; restrict access through IAM
4. Minimize Microservice Vulnerabilities (20%): Utilizing on K8s various mechanisms to isolate, protect and control workload.
5. Supply Chain Security (20%): Container oriented security, trusted resources, optimized container images, CVE scanning.
6. Monitoring, Logging, and Runtime Security (20%): Analyse and detect threads.

CKS Exam Preparation

In order to take the CKS exam, you must have Valid CKA certification prior to attempting the CKS exam to demonstrate you possess sufficient Kubernetes expertise. A first good starting point for securing Kubernetes is the Task section Securing a Cluster of the official K8s documentation. The exam will be based on the version of Kubernetes as specified by the CKS Curriculum doc in the CNCF Curriculum repository

Allowed resources to access during the CKS exam:

According to the LF docs, during the CKS exam the candidates may:

• review the Exam content instructions that are presented in the command line terminal.

• review Documents installed by the distribution (i.e. /usr/share and its subdirectories)

• use the Firefox browser in the exam environment in order to access

  • Kubernetes Documentation:

    • https://kubernetes.io/docs/ and their subdomains
    • https://kubernetes.io/blog/ and their subdomains

    This includes all available language translations of these pages (e.g. https://kubernetes.io/zh/docs/)

  • Tools:

    • Falco documentation https://falco.org/docs/
    • Bom documentation https://kubernetes-sigs.github.io/bom/cli-reference/
    • etcd documentation https://etcd.io/docs/
    • NGINX Ingress Controller Documentation https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/
    • Cilium Documentation https://docs.cilium.io/en/stable
    • Istio Documentation https://istio.io/latest/docs/

  The allowed sites above may contain links that point to external sites. It is the responsibility of the candidate not to click any links to navigate to a domain that is not allowed but the exam environment is typically configured to block access to disallowed domains.

Cluster Setup (15%)

Use Network security policies to restrict cluster level access

Allowed Ressources

• Network Policies
• Securing a Cluster
• Declare Network Policy
• Enforcing Network Policies in Kubernetes

3rd Party Ressources

• Get started with Kubernetes network policy
• kubernetes-network-policy-recipes
• Kubernetes Network Policies Best Practices

Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)

3rd Party Ressources

• CIS benchmark for Kubernetes
• What is Center for Internet Security (CIS) Benchmarks
• Kube-bench: A tool for running Kubernetes CIS Benchmark tests
• GKE: CIS Benchmarks for etcd & kubelet

Properly set up Ingress objects with TLS

Allowed Ressources

• Ingress
• Ingress Controllers
• NGINX Configuration
• secure an Ingress by specifying a Secret that contains a TLS private key and certificate

3rd Party Ressources

• How to deploy NGINX Ingress Controller
• TLS/HTTPS

Protect node metadata and endpoints

Allowed Ressources

• Restricting cloud metadata API access
• Kubelet authentication/authorization

3rd Party Ressources

• Setting up secure endpoints in Kubernetes
• GKE Protecting cluster metadata
• Retrieving EC2 instance metadata
• EC2 Instance user data

Verify platform binaries before deploying

Allowed Ressources

• Kubernetes Binaries
• Verify Signed Kubernetes Artifacts

Cluster Hardening (15%)

Use Role Based Access Controls to minimize exposure

Allowed Ressources

• Using RBAC Authorization
• Authorization modes for Kubernetes API server

3rd Party Ressources

• Site for Kubernetes RBAC
• Understand Role-Based Access Control in Kubernetes
• RBAC Study Guide

Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones

Allowed Ressources

• Managing Service Accounts
• Default roles and role bindings
• Authorization Modes
• Configure Service Accounts for Pods

3rd Party Ressources

• Kubernetes should not mount default service account credentials by default
• Kubernetes: Creating Service Accounts and Kubeconfigs
• Kubernetes Access Control: Exploring Service Accounts
• Disable default service account by deployments in Kubernetes
• Securing Kubernetes Clusters by Eliminating Risky Permissions
• Understand Role Based Access Control in Kubernetes
• Cloud Native Short Take - Kubernetes: Roles-based Access Control RBAC

Restrict access to Kubernetes API

Allowed Ressources

• Controlling Access to the Kubernetes API
• Certificate Signing Requests: Create Normal User
• Generate cluster certificates (easyrsa, openssl or cfssl)

3rd Party Ressources

• GKE: Hardening your cluster's security
• Kubernetes RBAC and TLS certificates – Kubernetes security guide
• Securing Your Kubernetes API Server

Upgrade Kubernetes to avoid vulnerabilities

Allowed Ressources

• kubeadm upgrade

System Hardening (10%)

Minimize host OS footprint (reduce attack surface)

Allowed Ressources

• Preventing containers from loading unwanted kernel modules

3rd Party Ressources

• Reduce Kubernetes Attack Surfaces
• CIS Benchmark Ubuntu Linux
• CIS Benchmark RedHat
• CIS Benchmark Debian
• CIS Benchmark SUSE
• CIS Benchmark Oracle

Using least-privilege identity and access management

3rd Party Ressources

• What is the Principle of Least Privilege (POLP)?
• IAM Grant least privilege

Minimize external access to the network

Allowed Ressources

• K8s quotas (services.loadbalancers)

3rd Party Ressources

• Admission control plugin: ResourceQuota
• Secure hosts with OS-level firewall (ufw)
• Configure firewall with ufw
• Use security groups to secure network (Azure)
• Amazon EKS security group considerations
• Amazon EC2 security groups for Linux instances

Appropriately use kernel hardening tools such as AppArmor, seccomp

Allowed Ressources

• Restrict a Container's Access to Resources with AppArmor
• Restrict a Container's Syscalls with Seccomp

3rd Party Ressources

• NSA, CISA Kubernetes Hardening Guide
• Container Security: Fundamental Technology Concepts that Protect Containerized Application by Liz Rice

Minimize Microservice Vulnerabilities (20%)

Use appropriate pod security standards

Allowed Ressources

• Pod Security Standards
• Pod Security Admission
• Configure a Security Context for a Pod or Container
• OPA Gatekeeper: Policy and Governance for Kubernetes

3rd Party Ressources

• Kubernetes security context, security policy, and network policy – Kubernetes security guide (part 2)
• Open Policy Agent Introduction
• Enforce policies on Kubernetes objects with OPA

Manage kubernetes secrets

Allowed Ressources

• Kubernetes Secrets
• Encrypting Secret Data at Rest
• Using a KMS provider for data encryption

3rd Party Ressources

• Secrets Store CSI driver
• How to Manage Secrets in Kubernetes

Understand and implement isolation techniques (multi-tenancy, sandboxed containers, etc.)

Allowed Ressources

• container runtime
• Assigning Pods to Nodes

3rd Party Ressources

• container runtime sandboxes examples
• What is gVisor?
• Cluster multi-tenancy
• Use gVisor to run Kubernetes pods
• Implementing secure Containers using Google’s gVisor
• Kata containers and Kubernetes: How they fit together?
• How to use Kata Containers with Kubernetes?

Implement Pod-to-Pod encryption (Cilium, Istio)

Allowed Ressources

• Manage TLS Certificates in a Cluster
• Cilium Network Policy
• Istio PeerAuthentication
• Using Istio to improve end-to-end security

3rd Party Ressources

• A Kubernetes engineer’s guide to mTLS
• Secure communication between services in Istio with mutual TLS
• Mutual TLS Authentication (mTLS) De-Mystified
• Traffic encryption using mTLS

Supply Chain Security (20%)

Minimize base image footprint

3rd Party Ressources

• Why build small container images in Kubernetes
• 7 best practices for building containers
• distroless containers
• Docker Hardened Images
• SlimToolkit
• Docker multi-stage builds
• Tips to Reduce Docker Image Sizes
• 3 simple tricks for smaller Docker images
• Docker multi-stage build with Go

Secure your supply chain (permitted registries, sign and validate artifacts, etc.)

Allowed Ressources

• Using Admission Controllers
• Dynamic Admission Control
• A Guide to Kubernetes Admission Controllers

3rd Party Ressources

• Ensure images only from approved sources are run
• How to reject docker registries in Kubernetes?
• Restrict pulling images from Registry
• Sign and verify container images with Sigstore Cosign

Perform static analysis of user workloads and container images (e.g. Kubesec, KubeLinter)

Allowed Ressources

• 11 Ways (Not) to Get Hacked: statically-analyse-yaml

3rd Party Ressources

• Trivy
• Static analysis with KubeLinter
• Static analysis with Kube-score
• kubesec
• Kubernetes static code analysis with Checkov

Understand your supply chain (e.g. SBOM, CI/CD, artifact repositories)

Allowed Ressources

• Check artifacts against SPDX manifests with bom

3rd Party Ressources

• What is a software bill of materials (SBOM)?
• Linux Foundation: SPDX tools

Monitoring, Logging and Runtime Security (20%)

Perform behavioral analytics to detect malicious activities

Allowed Ressources

• Restrict a Container's Syscalls with Seccomp
• An Introduction to Kubernetes Security using Falco
• Falco Rules

3rd Party Ressources

• Kubernetes Security monitoring at scale

Detect threats within physical infrastructure, apps, networks, data, users and workloads

3rd Party Ressources

• Common Kubernetes config security threats
• A guidance on Kubernetes threat modeling
• A Deep Dive Into Kubernetes Threat Modeling
• Threat matrix for Kubernetes

Investigate and identify phases of attack and bad actors within the environment

3rd Party Ressources

• Anatomy of a Kubernetes attack – How untrusted Docker images fails us
• The seven phases of a cyber attack
• Threat matrix for Kubernetes
• MITRE ATT&CK framework for container runtime security with Falco
• Mitigating Kubernetes attacks

Ensure immutability of containers at runtime

Allowed Ressources

• "ReadOnlyRootFilesystem" (securityContext)
• "readOnly" volume mount
• Principles of Container-based Application Design

3rd Party Ressources

• Leverage Kubernetes to ensure that containers are immutable
• Why I think we should all use immutable Docker images

Use Kubernetes audit logs to monitor access

Allowed Ressources

• Kubernetes Audit

3rd Party Ressources

• Kubernetes Audit logging
• How to monitor Kubernetes audit logs?
• Kubernetes Audit: Making Log Auditing a Viable Practice Again

Related Kubernetes security resources

• FREE CKS self-study course
• Kubernetes Security Essentials (LFS260) video course
• Cloud Native Security Tutorial
• Killer Shell CKS Simulator
• Killer Coda CKS Simulator
• Sysdig Kubernetes Security Guide
• Kubernetes Security Best Practices - Ian Lewis, Google
• Kubernetes security concepts and demos
• Tutorial: Getting Started With Cloud Native Security - Liz Rice, Aqua Security & Michael Hausenblas
• 11 Ways (Not) to Get Hacked
• Kubernetes Goat
• Kubernetes CTF on vagrant environment (archived)
• CKS 5-day Boot Camp (live, instructor-led)
• CKS 1-day Exam Prep (live, instructor-led)
• Certified Kubernetes Security Specialist 2026 video course
• NSA/CISA Kubernetes Hardening Guidance 08/2022

White Papers

• CNCF cloud-native security white paper v2 May 2022

Keep Updating

• LIVING DOCUMENT - I WILL UPDATE IT FREQUENTLY WHEN I HAVE NEW INFORMATIONS
• PRs are always welcome so star, fork and contribute
  • please make a pull request if you would like to add or update

Ibrahim Jelliti © 2020