Introduction
Welcome to Blog-1 of the CKS – Certified Kubernetes Security Specialist study group. This certification is more than two years old now, and many people are already certified as Kubernetes Security Specialists, but if you are like me, better late than never. I am already CKA certified, and that’s one of the prerequisites for sitting the CKS exam.
Why one must certify in CKS?
Before investing our time and money in any certification, we must know why we are actually going for it. I have been certified in CKA, AWS SA, and TOGAF in the last two years. I know people go on a certification spree on LinkedIn and collect badges for whichever certification they can get their hands on. I am not disrespecting them, but I feel a certification must be pursued with one of two goals in mind: either it helps you learn and perform better in your current work, or it helps you land your dream job, the one you are trying to see yourself in over the next two or three years.
I am planning for the CKS exam because I am working on Kubernetes-based deployments, and I want to learn more about their security aspects, which ties into my second reason: I am looking to learn about information security in cloud and containerized environments. As stated on the official Linux Foundation website, which is also the governing body for the CKS exam, “The Certified Kubernetes Security Specialist (CKS) program provides assurance that a CKS has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment, and runtime.” Hence, it sounds like a good certificate for me, as it may be for you as well.
Exam Format and Syllabus
Again quoting from the Linux Foundation website, “CKS is a performance-based certification exam that tests candidates’ knowledge of Kubernetes and cloud security in a simulated, real-world environment. Candidates must have taken and passed the Certified Kubernetes Administrator (CKA) exam prior to attempting the CKS exam. CKS may be purchased but not scheduled until CKA certification has been achieved.”
In my CKA exam, a lab was provided with Kubernetes v.20 deployed across multiple contexts. (A context in Kubernetes is a logical division with its own namespace, cluster, and config.) For different questions, I had to switch between contexts to get the desired result. I suppose CKS follows a similar approach, with the difference that the CKS exam is now based on the v1.23 release of Kubernetes.
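As an added illustration of what a context is (this is example code, not part of the original post), the Python below reads a constructed kubeconfig in the JSON shape that `kubectl config view -o json` prints, resolves each context into the cluster endpoint, user and namespace it binds, and flags any context whose cluster entry sets `insecure-skip-tls-verify`. The cluster names, addresses and credential data are made up.

```python
import json

# Constructed kubeconfig in the JSON shape that `kubectl config view -o json`
# prints. Names, addresses and credential data are made up for this example.
KUBECONFIG_JSON = """{
  "current-context": "dev",
  "clusters": [
    {"name": "dev-cluster", "cluster": {"server": "https://10.0.0.10:6443"}},
    {"name": "prod-cluster", "cluster": {"server": "https://10.0.0.20:6443",
                                         "insecure-skip-tls-verify": true}}],
  "users": [
    {"name": "dev-admin", "user": {"client-certificate-data": "LS0t"}},
    {"name": "prod-admin", "user": {"token": "REDACTED"}}],
  "contexts": [
    {"name": "dev", "context": {"cluster": "dev-cluster", "user": "dev-admin", "namespace": "team-a"}},
    {"name": "prod", "context": {"cluster": "prod-cluster", "user": "prod-admin"}}]
}"""

def load_kubeconfig(text: str) -> dict:
    return json.loads(text)

def resolve_contexts(kubeconfig: dict) -> dict:
    """Map each context to the cluster endpoint, user and namespace it binds. A
    context is only a pointer; a context with no namespace set uses 'default'."""
    clusters = {c["name"]: c["cluster"] for c in kubeconfig.get("clusters", [])}
    users = {u["name"]: u["user"] for u in kubeconfig.get("users", [])}
    resolved = {}
    for ctx in kubeconfig.get("contexts", []):
        spec = ctx["context"]
        cluster = clusters[spec["cluster"]]  # KeyError exposes a dangling context
        users[spec["user"]]                  # likewise for an unknown user
        resolved[ctx["name"]] = {
            "server": cluster["server"],
            "user": spec["user"],
            "namespace": spec.get("namespace", "default"),
            "tls_verified": not cluster.get("insecure-skip-tls-verify", False),
            "current": ctx["name"] == kubeconfig.get("current-context"),
        }
    return resolved

def insecure_contexts(kubeconfig: dict) -> list:
    """Contexts whose cluster skips TLS verification: kubectl would trust any
    server answering at that address, a silent risk when switching contexts."""
    return sorted(n for n, c in resolve_contexts(kubeconfig).items()
                  if not c["tls_verified"])

if __name__ == "__main__":
    cfg = load_kubeconfig(KUBECONFIG_JSON)
    print(resolve_contexts(cfg), "insecure:", insecure_contexts(cfg))
```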
Below are the domain-level topics covered in the CKS exam. I will cover all of them as I study and share updates here.
| Domain | % of Exam |
|---|---|
| Domain 1: Cluster Setup | 10% |
| Domain 2: Cluster Hardening | 15% |
| Domain 3: System Hardening | 15% |
| Domain 4: Minimize Microservice Vulnerabilities | 20% |
| Domain 5: Supply Chain Security | 20% |
| Domain 6: Monitoring, Logging, and Runtime Security | 20% |
| TOTAL | 100% |
Domain 1: Cluster Setup
- Use Network security policies to restrict cluster level access
- Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
- Properly set up Ingress objects with security control
- Protect node metadata and endpoints
- Minimize use of, and access to, GUI elements
- Verify platform binaries before deploying
Domain 2: Cluster Hardening
- Restrict access to Kubernetes API
- Use Role-Based Access Controls to minimize exposure
- Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones
- Update Kubernetes frequently
Domain 3: System Hardening
- Minimize host OS footprint (reduce attack surface)
- Minimize IAM roles
- Minimize external access to the network
- Appropriately use kernel hardening tools such as AppArmor, seccomp
Domain 4: Minimize Microservice Vulnerabilities
- Set up appropriate OS-level security domains, e.g. using PSP, OPA, and security contexts
- Manage Kubernetes secrets
- Use container runtime sandboxes in multi-tenant environments (e.g. gVisor, Kata Containers)
- Implement pod to pod encryption by use of mTLS
Domain 5: Supply Chain Security
- Minimize base image footprint
- Secure your supply chain: whitelist allowed registries, sign and validate images
- Use static analysis of user workloads (e.g. Kubernetes resources, Dockerfiles)
- Scan images for known vulnerabilities
Domain 6: Monitoring, Logging, and Runtime Security
- Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities
- Detect threats within a physical infrastructure, apps, networks, data, users, and workloads
- Detect all phases of attack regardless of where it occurs and how it spreads
- Perform deep analytical investigation and identification of bad actors within the environment
- Ensure immutability of containers at runtime
- Use Audit Logs to monitor access
Do note that CKS provides one retry, like the CKA exam. I am hopeful that after wrapping up all the topics there won’t be a need to use the retry, but I did clear CKA on my second attempt, so no need to be over-confident here. In my next blog, I will be checking my lab setup. You can check my blog for it below.