ibrahimjelliti / Ckss Certified Kubernetes Security Specialist
Licence: mit
This repository is a collection of resources to prepare for the Certified Kubernetes Security Specialist (CKSS) exam.
Stars: ✭ 333
Programming Languages
golang
3204 projects
Labels
Projects that are alternatives of or similar to Ckss Certified Kubernetes Security Specialist
Nexclipper
Metrics Pipeline for interoperability and Enterprise Prometheus
Stars: ✭ 533 (+60.06%)
Mutual labels: cloud-native, monitoring, cncf
siddhi-operator
Operator allows you to run stream processing logic directly on a Kubernetes cluster
Stars: ✭ 16 (-95.2%)
Mutual labels: cncf, cloud-native
pixie
Instant Kubernetes-Native Application Observability
Stars: ✭ 3,238 (+872.37%)
Mutual labels: cncf, cloud-native
Micrometer
An application metrics facade for the most popular monitoring tools. Think SLF4J, but for metrics.
Stars: ✭ 3,173 (+852.85%)
Mutual labels: cloud-native, monitoring
opentelemetry-js-api
OpenTelemetry Javascript API
Stars: ✭ 75 (-77.48%)
Mutual labels: cncf, cloud-native
gryllidae
Opinionated CNCF-based, Docker Compose setup for everything needed to develop a 12factor app
Stars: ✭ 18 (-94.59%)
Mutual labels: cncf, cloud-native
landscape
🌄The Cloud Native Interactive Landscape filters and sorts hundreds of projects and products, and shows details including GitHub stars, funding or market cap, first and last commits, contributor counts, headquarters location, and recent tweets.
Stars: ✭ 8,067 (+2322.52%)
Mutual labels: cncf, cloud-native
service-mesh-performance
Standardizing Service Mesh Value Measurement
Stars: ✭ 234 (-29.73%)
Mutual labels: cncf, cloud-native
Sysmon Config
Sysmon configuration file template with default high-quality event tracing
Stars: ✭ 3,287 (+887.09%)
Mutual labels: monitoring, logging
Kubernetes Certified Administrator
Online resources that will help you prepare for taking the CNCF CKA 2020 "Kubernetes Certified Administrator" Certification exam. with time, This is not likely the comprehensive up to date list - please make a pull request if there something that should be added here.
Stars: ✭ 3,438 (+932.43%)
Mutual labels: certification, cncf
kubernetes the easy way
Automating Kubernetes the hard way with Vagrant and scripts
Stars: ✭ 22 (-93.39%)
Mutual labels: cluster, cncf
meshery.io
Site for Meshery, the cloud native management plane
Stars: ✭ 135 (-59.46%)
Mutual labels: cncf, cloud-native
inspr
Inspr is an agnostic application mesh for simpler, faster, and securer development of distributed applications (dApps).
Stars: ✭ 49 (-85.29%)
Mutual labels: cluster, cloud-native
inclavare-containers
A novel container runtime, aka confidential container, for cloud-native confidential computing and enclave runtime ecosystem.
Stars: ✭ 510 (+53.15%)
Mutual labels: cncf, cloud-native
saltstack-kubernetes
Deploy the lowest-cost production ready Kubernetes cluster using terraform and saltstack.
Stars: ✭ 47 (-85.89%)
Mutual labels: cluster, cncf
glossary
The CNCF Cloud Native Glossary Project aims to define cloud native concepts in clear and simple language, making them accessible to anyone — whether they have a technical background or not (https://glossary.cncf.io).
Stars: ✭ 442 (+32.73%)
Mutual labels: cncf, cloud-native
Certified Kubernetes Security Specialist - CKSS
This repository is a collection of resources to prepare for the Certified Kubernetes Security Specialist (CKSS) exam.
The given references and links below are just assumptions and ideas around the CKSS curriculum.
CKS Overview
The Kubernetes Security Specialist (CKS) certification ensure that the holder has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime.
The certification is generally available to take from here as anounced during the KubeCon NA20
CKS Outline
The CKS test will be online, proctored and performance-based with 15-20 hands-on performance based tasks, and candidates have 2 hours to complete the exam tasks.
From the CKS Exam Curriculum repository, The exam will test domains and competencies including:
- Cluster Setup (10%): Best practice configuration to control the environment's access, rights and platform conformity.
- Cluster Hardening (15%): Protecting K8s API and utilize RBAC.
- System Hardening (15%): Improve the security of OS & Network; restrict access through IAM
- Minimize Microservice Vulnerabilities (20%): Utilizing on K8s various mechanisms to isolate, protect and control workload.
- Supply Chain Security (20%): Container oriented security, trusted resources, optimized container images, CVE scanning.
- Monitoring, Logging, and Runtime Security (20%): Analyse and detect threads.
CKS Exam Preparation
In order to take the CKS exam, you must have Valid CKA certification prior to attempting the CKS exam to demonstrate you possess sufficient Kubernetes expertise. A first good starting point for securing Kubernetes is the Task section Securing a Cluster of the official K8s documentation. The exam will be based on Kubernetes v1.19 documentation as of November general availability announcement.
Allowed resources to access during my CKS exam:
According to the LF docs, during the CKS exam the candidates may:
-
review the Exam content instructions that are presented in the command line terminal.
-
review Documents installed by the distribution (i.e. /usr/share and its subdirectories)
-
use their Chrome or Chromium browser to open one additional tab in order to access
-
Kubernetes Documentation:
- https://kubernetes.io/docs/ and their subdomains
- https://github.com/kubernetes/ and their subdomains
- https://kubernetes.io/blog/ and their subdomains
This includes all available language translations of these pages (e.g. https://kubernetes.io/zh/docs/)
-
Tools:
- Trivy documentation https://github.com/aquasecurity/trivy
- Sysdig documentation https://docs.sysdig.com/
- Falco documentation https://falco.org/docs/
-
App Armor:
The allowed sites above may contain links that point to external sites. It is the responsibility of the candidate not to click any links to navigate to a domain that is not allowed
-
Cluster Setup (10%)
Use Network security policies to restrict cluster level access
Allowed Ressources
3rd Party Ressources
Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
3rd Party Ressources
-
CIS benchmark for Kubernetes
- The benchmark is not yet available for
Kubernetes 1.19, but it gives great understanding.
- The benchmark is not yet available for
- What is Center for Internet Security (CIS) Benchmarks
- Kube-bench: A tool for running Kubernetes CIS Benchmark tests
- GKE: CIS Benchmarks for etcd & kubelet
Properly set up Ingress objects with security control
Allowed Ressources
Protect node metadata and endpoints
Allowed Ressources
3rd Party Ressources
Minimize use of, and access to, GUI elements
Allowed Ressources
3rd Party Ressources
Cluster Hardening (15%)
Restrict access to Kubernetes API
Allowed Ressources
- Controlling Access to the Kubernetes API
- Certificate Signing Requests: Create Normal User
- Generate cluster certificates (easyrsa, openssl or cfssl)
3rd Party Ressources
Use Role Based Access Controls to minimize exposure
Allowed Ressources
3rd Party Ressources
Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones
Allowed Ressources
- Managing Service Accounts
- Default roles and role bindings
- Authorization Modes
- Configure Service Accounts for Pods
- Kubernetes should not mount default service account credentials by default
3rd Party Ressources
System Hardening (15%)
Minimize host OS footprint (reduce attack surface)
Allowed Ressources
3rd Party Ressources
Minimize IAM roles
3rd Party Ressources
Minimize external access to the network
Allowed Ressources
- K8s quotas (services.loadbalancers)
- Restrict Access For LoadBalancer Service
- Admission control plugin: ResourceQuota
3rd Party Ressources
Appropriately use kernel hardening tools such as AppArmor, seccomp
Allowed Ressources
- Restrict a Container's Access to Resources with AppArmor
- Restrict a Container's Syscalls with Seccomp
3rd Party Ressources
Minimize Microservice Vulnerabilities (20%)
Setup appropriate OS level security domains e.g. using PSP, OPA, security contexts
Allowed Ressources
- Pod Security Policies
- Configure a Security Context for a Pod or Container
- OPA Gatekeeper: Policy and Governance for Kubernetes
- Kubernetes security context, security policy, and network policy – Kubernetes security guide (part 2)
3rd Party Ressources
Manage kubernetes secrets
Allowed Ressources
3rd Party Ressources
Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers)
Allowed Ressources
- container runtime
- container runtime sandboxes examples
- Enforce tenant isolation (Limit Ranges, Quotas, PSPs) with Policies
- Affinity and anti-affinity
3rd Party Ressources
Implement pod to pod encryption by use of mTLS
Allowed Ressources
3rd Party Ressources
Supply Chain Security (20%)
Minimize base image footprint
3rd Party Ressources
Secure your supply chain: whitelist allowed image registries, sign and validate images
Allowed Ressources
- Using Admission Controllers
- Dynamic Admission Control
- A Guide to Kubernetes Admission Controllers
- Ensure images only from approved sources are run
3rd Party Ressources
Use static analysis of user workloads (e.g. kubernetes resources, docker files)
Allowed Ressources
3rd Party Ressources
Monitoring, Logging and Runtime Security (20%)
Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities
Allowed Ressources
- Restrict a Container's Syscalls with Seccomp
- Auditing with Falco (Obsoledted)
- How to detect a Kubernetes vulnerability using Falco
3rd Party Ressources
Detect threats within physical infrastructure, apps, networks, data, users and workloads
3rd Party Ressources
Detect all phases of attack regardless where it occurs and how it spreads
3rd Party Ressources
- Investigating Kubernetes attack scenarios in Threat Stack
- Anatomy of a Kubernetes attack – How untrusted Docker images fails us
- Investigating Kubernetes Attack Scenarios in Threat Stack (part 1)
- The seven phases of a cyber attack
- Threat matrix for Kubernetes
- MITRE ATT&CK framework for container runtime security with Falco
- Mitigating Kubernetes attacks
Perform deep analytical investigation and identification of bad actors within environment
3rd Party Ressources
Ensure immutability of containers at runtime
Allowed Ressources
- "ReadOnlyRootFilesystem" (securityContext, PSP)
- "readOnly" volume mount
- Principles of Container-based Application Design
3rd Party Ressources
Use Audit Logs to monitor access
Allowed Ressources
3rd Party Ressources
Related Kubernetes security resources
- Kubernetes Security Essentials (LFS260)
- Cloud Native Security Tutorial
- Killer Shell CKS Simulator
- Sysdig Kubernetes Security Guide
- Kubernetes Security Best Practices - Ian Lewis, Google
- Kubernetes security concepts and demos
- Tutorial: Getting Started With Cloud Native Security - Liz Rice, Aqua Security & Michael Hausenblas
- 11 Ways (Not) to Get Hacked
- Kubernetes Goat
- Kubernetes CTF on vagrant environment
- Udemy Kubernetes CKS 2020 Complete Course and killer.sh Simulator
White Papers
Keep Updating
- LIVING DOCUMENT - I WILL UPDATE IT FREQUENTLY WHEN I HAVE NEW INFORMATIONS
- PRs are always welcome so star, fork and contribute
- please make a pull request if you would like to add or update
Ibrahim Jelliti © 2020
Note that the project description data, including the texts, logos, images, and/or trademarks,
for each open source project belongs to its rightful owner.
If you wish to add or remove any projects, please contact us at [email protected].