CKS official curriculum: [CKS_Curriculum_ v1.19.pdf](./CKS_Curriculum_ v1.19.pdf)
- Use Network security policies to restrict cluster level access
- Use the CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
- Properly set up Ingress objects with security control
- Protect node metadata and endpoints
- Minimize use of, and access to, GUI elements
- Verify platform binaries before deploying
  - https://github.com/kubernetes/kubernetes/releases
  - Kubernetes binaries can be verified by their sha512 digest hash
  - check the Kubernetes release page for the specific release
  - check the change log for the images and their digests
- Restrict access to Kubernetes API
- Use Role-Based Access Controls to minimize exposure
- Exercise caution in using service accounts, e.g. disable defaults, minimize permissions on newly created ones
- Opt out of automounting API credentials for a service account
  - service account scope

    ```yaml
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: build-robot
    automountServiceAccountToken: false
    ```

  - pod scope

    ```yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: cks-pod
    spec:
      serviceAccountName: default
      automountServiceAccountToken: false
    ```
- Update Kubernetes frequently
- Minimize host OS footprint (reduce attack surface)
  - Reduce host attack surface
  - seccomp, which stands for secure computing, was originally intended as a means of safely running untrusted compute-bound programs.
  - AppArmor can be configured for any application to reduce its potential host attack surface and provide greater defense in depth.
  - https://kubernetes.io/docs/tutorials/clusters/apparmor/
  - PSP (pod security policy) enforces
  - apply host updates frequently
  - Install the minimal required OS footprint
  - Protect access to data with permissions
  - Restrict allowed hostPaths
- Minimize IAM roles
  - Access authentication and authorization
- Minimize external access to the network
  - Not tested; the thinking is that all pods can talk to all pods in all namespaces but not to anything outside the cluster:

    ```yaml
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: deny-external-egress
    spec:
      podSelector: {}
      policyTypes:
      - Egress
      egress:
      - to:
        - namespaceSelector: {}
    ```
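An added example (not from these notes) that models how the deny-external-egress policy above is evaluated for a pod it selects: pod-to-pod traffic in any namespace is allowed by the `namespaceSelector: {}` peer, an external IP matches no peer and is denied, and because NetworkPolicy is namespaced, a pod in another namespace is untouched. The pod and namespace records, the `default` namespace, and the `egress_allowed`/`selector_matches` functions are constructed for this example.

```python
# Added example, not from the notes above: a small model of how the
# deny-external-egress NetworkPolicy is evaluated. Only podSelector and
# namespaceSelector peers are modelled (no ipBlock, no ports); the pod and
# namespace records and the "default" namespace are constructed assumptions.

def selector_matches(selector, labels):
    """An empty selector ({}) matches everything; otherwise every
    matchLabels entry must be present on the target's labels."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def egress_allowed(policies, src, dst):
    """src: {'namespace', 'labels'}; dst: {'kind': 'pod', 'namespace',
    'ns_labels', 'labels'} or {'kind': 'external', 'ip'}."""
    # NetworkPolicy is namespaced: only policies in the source pod's own
    # namespace can select it, so this policy protects one namespace at a time.
    selecting = [
        p for p in policies
        if p["metadata"].get("namespace", "default") == src["namespace"]
        and "Egress" in p["spec"].get("policyTypes", [])
        and selector_matches(p["spec"].get("podSelector", {}), src["labels"])
    ]
    if not selecting:
        return True  # no egress policy selects the pod: default allow
    # Once selected, egress is denied unless some rule explicitly allows it.
    for p in selecting:
        for rule in p["spec"].get("egress", []):
            if "to" not in rule:
                return True  # a rule without 'to' allows every destination
            for peer in rule["to"]:
                if dst["kind"] != "pod":
                    continue  # no ipBlock peer, so external IPs never match
                if "namespaceSelector" in peer:
                    ns_ok = selector_matches(peer["namespaceSelector"], dst["ns_labels"])
                else:
                    ns_ok = dst["namespace"] == src["namespace"]
                if ns_ok and selector_matches(peer.get("podSelector", {}), dst["labels"]):
                    return True
    return False

DENY_EXTERNAL_EGRESS = {  # the policy from the notes, as a dict
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "deny-external-egress", "namespace": "default"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress"],
             "egress": [{"to": [{"namespaceSelector": {}}]}]},
}
APP_POD = {"namespace": "default", "labels": {"app": "web"}}
DNS_POD = {"kind": "pod", "namespace": "kube-system", "labels": {"k8s-app": "kube-dns"},
           "ns_labels": {"kubernetes.io/metadata.name": "kube-system"}}
INTERNET = {"kind": "external", "ip": "203.0.113.10"}  # TEST-NET-3 address
```

Apply the policy in every namespace that needs it (or add an `ipBlock` peer for the few external ranges a workload genuinely needs) rather than assuming one object covers the cluster.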
- Appropriately use kernel hardening tools such as AppArmor, seccomp
- Setup appropriate OS level security domains e.g. using PSP, OPA, security contexts
  - Pod Security Policies
  - Open Policy Agent
  - Security Contexts
- Manage Kubernetes secrets
- Use container runtime sandboxes in multi-tenant environments (e.g. gVisor, Kata Containers)
- Implement pod to pod encryption by use of mTLS
  - https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/
  - TODO: Check if service mesh is part of the CKS exam.
- Minimize base image footprint
  - Use distroless, UBI minimal, Alpine, or the minimal build of the image relevant to your app (nodejs, python).
  - Do not include unnecessary software that the container does not require at runtime
  - e.g. build tools and utilities, troubleshooting and debug binaries.
- Secure your supply chain: whitelist allowed image registries, sign and validate images
  - whitelist allowed image registries
- Use static analysis of user workloads (e.g. Kubernetes resources, Dockerfiles)
- Scan images for known vulnerabilities
- Perform behavioural analytics of syscall, process and file activities at the host and container level to detect malicious activities
- Detect threats within physical infrastructure, apps, networks, data, users and workloads
- Detect all phases of attack regardless of where it occurs and how it spreads
- Perform deep analytical investigation and identification of bad actors within the environment
- Ensure immutability of containers at runtime
- Use Audit Logs to monitor access

References:

- Container Security or view [here](./books/Container Security by Liz Rice)
- Learn Kubernetes Security or view [here](./books/Learn Kubernetes Security by Pranjal Jumde; Loris Degioanni; Kaizhe Huang)
- Google/Ian Lewis: Kubernetes security best practices
- Code in Action for the book Learn Kubernetes Security playlist
- Kubernetes security concepts and demos
- How to Train your Red Team (for Cloud-Native) - Andrew Martin, ControlPlane
- InGuardians/Jay Beale: Kubernetes Practical attacks and defences
- Webinars
- AquaSec webinars collection - Webinars and videos presented by leading industry experts covering Microservices, Container & Serverless security, Kubernetes, DevSecOps, and everything related to the most disruptive area in IT.
- Killer.sh CKS practice exam ⟹ use code walidshaari for 20% discount
- Udemy Kubernetes CKS 2020 Complete Course and Simulator
- Linux Foundation Kubernetes Security Essentials LFS260
- Linux Academy/ACloudGuru Kubernetes security
- Cloud native security: defending containers and Kubernetes
- Tutorial: Getting Started With Cloud-Native Security - Liz Rice, Aqua Security & Michael Hausenblas
- K21 Academy CKS step-by-step hands-on lab activity guide
- Andrew Martin: Attacking and Defending Cloud Native Infrastructure
- Andrew Martin: ControlPlane Security training
- Kubernetes-security.info
- Aqua Security blogs
- ControlPlane/Andrew Martin @sublimino: 11 ways not to get hacked
- Securekubernetes
- Simulator: A distributed systems and infrastructure simulator for attacking and debugging Kubernetes
- CNCF Kubernetes Security Anatomy and the Recently Disclosed CVEs (CVE-2020-8555, CVE-2020-8552)
- Kubernetes Vulnerability Puts Clusters at Risk of Takeover (CVE-2020-8558)
- StackRox CKS study guide
- Viktor Vedmich - CKS resources
- Abdennour - CKS resources
- Ibrahim Jelliti - CKS resources
- Madhu Akula's Kubernetes Goat - vulnerable cluster environment to learn and practice Kubernetes security.
- Kubernetes Capture the Flag vagrant environment - was hosted online on http://k8s-ctf.rocks/