☸️ Certified Kubernetes Security Specialist (CKS) Study Guide - V1.31 (2024)

This guide is part of our blog Guide to Certified Kubernetes Security Specialist (CKS) .

Hit the Star! ⭐

If you are using this repo for guidance, please hit the star. Thanks A lot !

The Certified Kubernetes Security Specialist (CKS) certification program provides assurance that a CKS has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime. CKA certification is required to sit for this exam.

CKS Exam details (v1.31 2024 )

CKA Exam Details	Information
Exam Type	Performance Based NOT MCQ )
Exam Duration	2 hours
Pass Percentage	66% ( One Retake )
CKS Exam Kubernetes Version	Kubernetes v1.31
CKS Validity	2 Years
Exam Cost	$395 USD (GET 30% OFF CKA Exam Coupon) 💥INCREASE PRICE: $434 in January 2025

[30% OFF] CKA Exam Coupon

Save 30% using Coupon code TECK30 on all the Linux Foundation training and certification programs. This is a limited-time offer for this month. This offer is applicable for CKA, CKAD, CKS, KCNA, LFCS, PCA FINOPS, NodeJS, CHFA, and all the other certification, training, and BootCamp programs.

Kubernetes CKS VOUCHER ($395 —> $276): teckbootcamps-30%off/cks

CKS Exam Syllabus (Updated Kubernetes 1.31)

Topic	Concepts	Weightage
1. Cluster Setup - 15%	- Use Network security policies to restrict cluster-level access - Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi) - Properly set up Ingress with TLS - Protect node metadata and endpoints - Verify platform binaries before deploying	15%
2. Cluster Hardening - 15%	- Use Role-Based Access Controls to minimize exposure - Exercise caution in using service accounts (e.g., disable defaults, minimize permissions on newly created ones) - Restrict access to Kubernetes API - Upgrade Kubernetes to avoid vulnerabilities	15%
3. System Hardening - 10%	- Minimize host OS footprint (reduce attack surface) - Use least-privilege identity and access management - Minimize external access to the network - Appropriately use kernel hardening tools such as AppArmor, seccomp	10%
4. Minimize Microservice Vulnerabilities - 20%	- Use appropriate pod security standards - Manage Kubernetes secrets - Understand and implement isolation techniques (multi-tenancy, sandboxed containers, etc.) - Implement Pod-to-Pod encryption using Cilium	20%
5. Supply Chain Security - 20%	- Minimize base image footprint - Understand your supply chain (e.g., SBOM, CI/CD, artifact repositories) - Secure your supply chain (permitted registries, sign and validate artifacts, etc.) - Perform static analysis of user workloads and container images (e.g., Kubesec, KubeLinter)	20%
6. Monitoring, Logging and Runtime Security - 20%	- Perform behavioral analytics to detect malicious activities - Detect threats within physical infrastructure, apps, networks, data, users, and workloads - Investigate and identify phases of attack and bad actors within the environment - Ensure immutability of containers at runtime - Use Kubernetes audit logs to monitor access	20%

1. Cluster Setup (15%)

This domain constitutes 15% of the CKS Exam. Below are the key topics explained with examples and best practices to secure your Kubernetes cluster.

Use Network Security Policies to Restrict Cluster Level Access

NetworkPolicies control communication between Pods and network endpoints, enforcing security rules.

Example:

Create a NetworkPolicy to Deny All Traffic Except from Specific Pods:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-access
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: backend
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080

kubectl apply -f networkpolicy.yaml

Verify NetworkPolicy:

kubectl describe networkpolicy restrict-access

• Learn more about NetworkPolicies

Use CIS Benchmark to Review the Security Configuration of Kubernetes Components

The Center for Internet Security (CIS) benchmarks provide best practices for securing Kubernetes.

Example:

Run CIS Benchmark Tools:

• Use tools like kube-bench to audit the security configurations.

kube-bench run --targets etcd,kubelet,kubeapi

Manually Review Security Settings:

• Etcd: Ensure encryption at rest and restricted access.
• Kubelet: Restrict anonymous access (--anonymous-auth=false).
• API Server: Enable RBAC and audit logging.

• Learn more about CIS Benchmarks

Properly Set Up Ingress with TLS

Ingress with TLS secures HTTP communication to services.

Example:

Create a Secret for TLS:

kubectl create secret tls tls-secret --cert=cert.crt --key=cert.key

Configure Ingress Resource with TLS:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-example
spec:
  tls:
  - hosts:
    - example.com
    secretName: tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-service
            port:
              number: 80

kubectl apply -f ingress-tls.yaml

Test Ingress:

curl -k https://example.com

• Learn more about TLS with Ingress

Protect Node Metadata and Endpoints

Securing node metadata prevents unauthorized access to sensitive information.

Best Practices:

• Disable Metadata APIs for Pods: Use --enable-metadata-concealment in cloud providers like GKE.
• Restrict Access to Node Endpoints: Set firewall rules to limit access.

Example:

Block Metadata Access with iptables:

iptables -A OUTPUT -d 169.254.169.254 -j DROP

• Learn more about protecting metadata

Verify Platform Binaries Before Deploying

Ensuring the integrity of platform binaries mitigates risks of tampered software.

Best Practices:

• Use package managers to verify binary checksums.
• Always download binaries from official sources.

Example:

Verify Binary Checksum:

curl -LO https://dl.k8s.io/release/v1.24.0/bin/linux/amd64/kubectl
curl -LO https://dl.k8s.io/release/v1.24.0/bin/linux/amd64/kubectl.sha256
sha256sum --check kubectl.sha256

• Learn more about binary verification

---

Resources to Prepare

• Kubernetes Documentation
• Kubectl Cheat Sheet
• CKS Exam Tips

2. Cluster Hardening (15%)

This domain constitutes 15% of the CKS Exam. Below are the key topics explained with examples and best practices to harden your Kubernetes cluster.

Use Role-Based Access Controls (RBAC) to Minimize Exposure

RBAC ensures that users and applications have only the permissions they need.

Example:

Create a Role with Minimal Permissions:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]

Create a RoleBinding to Assign the Role:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods-binding
  namespace: default
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

kubectl apply -f role.yaml
kubectl apply -f rolebinding.yaml

• Learn more about RBAC

Exercise Caution in Using Service Accounts

By default, service accounts may have more privileges than necessary. Disable or restrict these accounts to improve security.

Best Practices:

• Disable the Default Service Account:

kubectl patch serviceaccount default -p '{"automountServiceAccountToken":false}'

• Create a Service Account with Limited Permissions:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: limited-sa
  namespace: default

kubectl apply -f serviceaccount.yaml

• Associate the Service Account with a Role: Refer to the RBAC example above to link this service account to minimal permissions.

• Learn more about Service Accounts

Restrict Access to Kubernetes API

Limiting access to the Kubernetes API minimizes the risk of unauthorized actions.

Best Practices:

• Restrict API Server Access by IP Address:

kubectl create clusterrolebinding restricted-access --clusterrole=view --user=<your-user>

• Use Network Policies to Block API Access:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-api-access
  namespace: kube-system
spec:
  podSelector:
    matchLabels:
      component: kube-apiserver
  ingress:
  - from:
    - ipBlock:
        cidr: 192.168.1.0/24

kubectl apply -f networkpolicy.yaml

• Learn more about securing API access

Upgrade Kubernetes to Avoid Vulnerabilities

Regularly upgrading Kubernetes ensures that you benefit from security patches and new features.

Best Practices:

• Check Current Version:

kubectl version --short

• Plan and Execute an Upgrade:

1. Drain worker nodes:

   kubectl drain <node-name> --ignore-daemonsets

2. Upgrade control plane components using your cluster manager (e.g., kubeadm, cloud provider tools).
3. Upgrade worker nodes:

   kubectl uncordon <node-name>

• Learn more about upgrading Kubernetes

---

Resources to Prepare

• Kubernetes Documentation
• Kubectl Cheat Sheet
• CKS Exam Tips

3. System Hardening (10%)

This domain constitutes 10% of the CKS Exam. Below are the key topics explained with examples and best practices to harden your system.

Minimize Host OS Footprint (Reduce Attack Surface)

A minimal host OS reduces the attack surface by limiting unnecessary services and applications.

Best Practices:

• Use minimal OS distributions like Container-Optimized OS, Flatcar, or Ubuntu Minimal.
• Remove unused software and disable unnecessary services.

Example:

Install a Minimal OS on a Node:

# For Container-Optimized OS (GCP)
gcloud compute instances create <instance-name> --image-family=cos-stable --image-project=cos-cloud

• Learn more about Container-Optimized OS

Use Least-Privilege Identity and Access Management

Ensure that users and applications have only the permissions they need.

Example:

Restrict IAM Permissions for Cloud Resources:

# GCP Example: Assign minimal roles to Kubernetes Engine
gcloud projects add-iam-policy-binding <project-id> --member=<user> --role=roles/container.viewer

Limit Privileges in Kubernetes: Use Role-Based Access Control (RBAC) as shown in the "Cluster Hardening" section to restrict permissions for users and service accounts.

• Learn more about IAM Best Practices

Minimize External Access to the Network

Restrict external access to nodes and Kubernetes resources to reduce exposure.

Best Practices:

• Use firewall rules to limit external access.
• Disable SSH access to nodes if possible.
• Restrict access to specific IP ranges using network policies.

Example:

Create Firewall Rules to Restrict Access:

# GCP Example: Block all ingress traffic except from trusted IP ranges
gcloud compute firewall-rules create restrict-access --direction=INGRESS --priority=1000 --action=DENY --rules=all --source-ranges=0.0.0.0/0

Apply Network Policies: Refer to the "Cluster Hardening" section for examples of network policies to restrict access to Kubernetes resources.

• Learn more about securing networks

Appropriately Use Kernel Hardening Tools (e.g., AppArmor, seccomp)

Kernel hardening tools like AppArmor and seccomp restrict what system calls and resources a container can access.

Example:

Use seccomp to Restrict System Calls:

apiVersion: v1
kind: Pod
metadata:
  name: seccomp-demo
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
spec:
  containers:
  - name: app-container
    image: busybox
    command: ["sh", "-c", "echo Hello Kubernetes! && sleep 3600"]

kubectl apply -f seccomp-demo.yaml

Apply AppArmor Profiles:

apiVersion: v1
kind: Pod
metadata:
  name: apparmor-demo
  annotations:
    container.apparmor.security.beta.kubernetes.io/app-container: runtime/default
spec:
  containers:
  - name: app-container
    image: nginx

kubectl apply -f apparmor-demo.yaml

• Learn more about seccomp
• Learn more about AppArmor

---

Resources to Prepare

• Kubernetes Documentation
• Kubectl Cheat Sheet
• CKS Exam Tips

4. Minimize Microservice Vulnerabilities (20%)

This domain constitutes 20% of the CKS Exam. Below are the key topics explained with examples and best practices to minimize vulnerabilities in microservices.

Use Appropriate Pod Security Standards

Pod security standards (PSS) define best practices for securing Pods by restricting capabilities and enforcing security policies.

Example:

Apply a PodSecurity Admission Policy (restricted):

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 65535
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'

kubectl apply -f podsecuritypolicy.yaml

• Learn more about Pod Security Standards

Manage Kubernetes Secrets

Secrets store sensitive data like passwords, tokens, and keys, and should be managed securely.

Example:

Create and Consume a Secret:

kubectl create secret generic db-credentials --from-literal=username=admin --from-literal=password=secret123

Use the Secret in a Pod:

apiVersion: v1
kind: Pod
metadata:
  name: secret-demo
spec:
  containers:
  - name: app-container
    image: nginx
    env:
    - name: DB_USERNAME
      valueFrom:
        secretKeyRef:
          name: db-credentials
          key: username
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: db-credentials
          key: password

kubectl apply -f secret-demo.yaml

• Learn more about Kubernetes Secrets

Understand and Implement Isolation Techniques (Multi-Tenancy, Sandboxed Containers, etc.)

Isolation techniques help separate workloads for security and resource management.

Best Practices:

• Use Kubernetes namespaces for multi-tenancy.
• Implement sandboxed containers with gVisor or Kata Containers.

Example:

Create a Namespace for Isolation:

kubectl create namespace team-a

Apply Resource Quotas:

apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a
spec:
  hard:
    pods: "10"
    requests.cpu: "4"
    requests.memory: "2Gi"

kubectl apply -f resource-quota.yaml

• Learn more about Namespace Isolation
• Learn more about gVisor
• Learn more about Kata Containers

Implement Pod-to-Pod Encryption Using Cilium

Cilium enables secure communication between Pods using eBPF-based networking and encryption.

Example:

Install Cilium:

helm repo add cilium https://helm.cilium.io/
helm install cilium cilium/cilium --namespace kube-system --set encryption.enabled=true

Enable Pod-to-Pod Encryption:

kubectl annotate namespace default io.cilium.encryption=true

Verify Encryption:

kubectl exec -it <pod-name> -- curl https://<target-pod-ip>

• Learn more about Cilium

---

Resources to Prepare

• Kubernetes Documentation
• Kubectl Cheat Sheet
• CKS Exam Tips

5. Supply Chain Security (20%)

This domain constitutes 20% of the CKS Exam. Below are the key topics explained with examples and best practices to secure your Kubernetes supply chain.

Minimize Base Image Footprint

Using minimal base images reduces the attack surface by limiting unnecessary software and dependencies.

Best Practices:

• Use minimal base images like distroless or alpine.
• Avoid including unused libraries and tools in your images.

Example:

Create a Dockerfile with a Minimal Base Image:

FROM gcr.io/distroless/base
COPY app /app
CMD ["/app"]

Build and Push the Image:

docker build -t <registry>/minimal-app:latest .
docker push <registry>/minimal-app:latest

• Learn more about distroless images

Understand Your Supply Chain (e.g., SBOM, CI/CD, Artifact Repositories)

Understanding your software supply chain involves tracking the sources and dependencies of your workloads.

Example:

Generate a Software Bill of Materials (SBOM): Use syft to generate an SBOM for your container image:

syft <registry>/minimal-app:latest -o json > sbom.json

Integrate Dependency Scanning in CI/CD: Use tools like Trivy or Snyk to scan dependencies during CI/CD builds.

trivy image <registry>/minimal-app:latest

• Learn more about SBOM
• Learn more about Trivy

Secure Your Supply Chain (Permitted Registries, Sign and Validate Artifacts, etc.)

Enforcing policies for registries and artifact validation ensures secure deployment of images.

Example:

Restrict to Permitted Registries: Use Admission Controllers to enforce registry restrictions:

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: registry-restriction
webhooks:
- name: validate.registries.k8s.io
  clientConfig:
    service:
      name: registry-validator
      namespace: kube-system
    caBundle: <base64-encoded-ca>
  rules:
  - operations: ["CREATE"]
    resources: ["pods"]
  failurePolicy: Fail

Sign and Validate Images: Use cosign to sign and verify images:

cosign sign --key cosign.key <registry>/minimal-app:latest
cosign verify <registry>/minimal-app:latest

• Learn more about Cosign

Perform Static Analysis of User Workloads and Container Images

Static analysis tools help detect misconfigurations and vulnerabilities in workloads and container images.

Example:

Use KubeSec for Policy Validation:

kubesec scan pod.yaml

Use KubeLinter for Workload Analysis:

kubelinter lint pod.yaml

Scan Container Images for Vulnerabilities:

trivy image <registry>/minimal-app:latest

• Learn more about KubeSec
• Learn more about KubeLinter

---

Resources to Prepare

• Kubernetes Documentation
• Kubectl Cheat Sheet
• CKS Exam Tips

6. Monitoring, Logging, and Runtime Security (20%)

This domain constitutes 20% of the CKS Exam. Below are the key topics explained with examples and best practices to enhance monitoring, logging, and runtime security in Kubernetes.

Perform Behavioral Analytics to Detect Malicious Activities

Behavioral analytics involves monitoring application and system behavior to detect anomalies that may indicate malicious activities.

Example:

Use Falco to Detect Anomalies: Falco monitors runtime behavior in Kubernetes clusters.

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco --namespace kube-system

Create a Falco Rule:

- rule: Write Below Binary Dir
  desc: Detect any process writing below /bin or /sbin
  condition: evt.type = "write" and fd.name startswith "/bin/"
  output: "Process writing below /bin or /sbin (user=%user.name command=%proc.cmdline)"
  priority: CRITICAL

• Learn more about Falco

Detect Threats Within Physical Infrastructure, Apps, Networks, Data, Users, and Workloads

Threat detection ensures a comprehensive security posture across the Kubernetes environment.

Example:

Use Sysdig to Detect Threats:

helm install sysdig sysdig/sysdig --set sysdig.accessKey=<YOUR-ACCESS-KEY>

Enable Runtime Threat Detection: Monitor threats across the cluster by configuring Sysdig or similar tools for Kubernetes.

• Learn more about Sysdig

Investigate and Identify Phases of Attack and Bad Actors Within the Environment

Understanding attack phases helps in identifying and mitigating threats effectively.

Example:

Use EFK (Elasticsearch, Fluentd, Kibana) Stack to Investigate Attacks:

• Deploy EFK to aggregate and visualize logs.

helm install efk elasticsearch fluentd kibana --namespace monitoring

• Analyze logs in Kibana to track suspicious activity.

• Learn more about Kubernetes Logging

Ensure Immutability of Containers at Runtime

Immutability ensures that containers remain unchanged during runtime, preventing unauthorized modifications.

Example:

Use Read-Only Root Filesystem:

apiVersion: v1
kind: Pod
metadata:
  name: immutable-container
spec:
  containers:
  - name: app
    image: my-app:latest
    securityContext:
      readOnlyRootFilesystem: true

kubectl apply -f immutable-container.yaml

Use Tools to Enforce Immutability: Enable runtime immutability with tools like Falco and Sysdig.

• Learn more about Immutability

Use Kubernetes Audit Logs to Monitor Access

Audit logs provide detailed records of cluster activities, helping to monitor and investigate access.

Example:

Enable Kubernetes Audit Logging: Edit the kube-apiserver configuration to enable audit logging:

--audit-log-path=/var/log/kubernetes/audit.log
--audit-policy-file=/etc/kubernetes/audit-policy.yaml

Create an Audit Policy:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
  resources:
  - group: ""
    resources: ["pods"]

View Audit Logs:

kubectl logs -n kube-system kube-apiserver

• Learn more about Audit Logs

---

Resources to Prepare

• Kubernetes Documentation
• Kubectl Cheat Sheet
• CKS Exam Tips

CKS Exam Questions And Answers

Practice a lot with Kubernetes:

• CKS Exam Questions And Answers

Additional Resources

• 💬 Kubernetes Slack Channel #certifications^Slack
• 📚 Guide to Certified Kubernetes Administrator (CKA)^Blog
• 📚 Guide to Certified Kubernetes Security Specialist (CKS) ^Blog
• 🎞️ Kubernetes CKS Full Course Theory + Practice + Browser Scenarios^{Video Course}
• 🎞️ Kubernetes Fundamentals (LFS258) - Linux Foundation^{Official Course}
• 🎞️ Kubernetes Deep Dive - A Cloud Guru^{Video Course}

Practice

Practice a lot with Kubernetes:

• CKS Simulator - killer.sh
• Kubernetes the Hard Way by Kelsey Hightower
• CKS Scenarios - killercoda.com
• Learning Playground - by Docker

💬 Share To Your Network

If this repo has helped you in any way, feel free to share !