This is the third installment in our six-part CKS Certification series. Don’t forget to check out all the posts in the series:
- Part 1 — CKS Certification Study Guide: Cluster Setup in Kubernetes
- Part 2 — CKS Certification Study Guide: Cluster Hardening
- Part 3 — CKS Certification Study Guide: System Hardening in Kubernetes
- Part 4 — CKS Certification Study Guide: Minimize Microservice Vulnerabilities
- Part 5 — CKS Certification Study Guide: Supply Chain Security
- Part 6 — CKS Certification Study Guide: Monitoring, Logging, and Runtime Security
- CKS CNCF Announcement and Exam Study
This blog references tools to set up a Kubernetes version 1.19 cluster and review the CKS — Cluster Setup section. There is the ability to create a Kubernetes cluster from our GitHub repository using Terraform and Rancher Kubernetes Engine (RKE) in Google Cloud Platform (GCP) or Amazon Web Services (AWS). This cluster environment will help to simulate a real Kubernetes environment instead of a local cluster. To get the cluster up and running, follow the readme.md that outlines what applications you will need and the repository’s general structure.
- Minimize base image footprint
- Secure your supply chain: whitelist allowed registries, sign and validate images
- Use static analysis of user workloads (e.g. Kubernetes resources, Dockerfiles)
- Scan images for known vulnerabilities
This section takes up 20% of the overall point total, and it is reasonable to assume 3–5 questions revolving around supply chain security. Each of the questions will also need to be completed in about 5–6 minutes on average during the exam. Below is an overview of the various concepts that the CKS will highlight in the supply chain security section.
Regardless of how this is implemented in the test, minimizing your base images is always a good idea to decrease the attack surface for your containers. Always make sure only to include the packages that are necessary for each containerized application. When choosing a base image, note how well maintained the image is and its default installed software. In the exam, I expect you will have the option of selecting from a range of base images and choosing their defaults. There may be a question that requires using Trivy to view CVEs related to a base image and then prioritizing image selection accordingly. As a core concept, image scanning and minimizing your images is a handy way to lower the attack surface within your cluster.
Securing the images that are allowed to run in your cluster is essential. Also, you will need to verify that the pulled image is from the correct source. The ImagePolicyWebhook admission controller will allow you to set up rules around what images should be allowed within the cluster. An example rule the admission controller could monitor is not allowing any image with the tag
latest. You will most likely have to connect the ImagePolicyWebhook with a previously setup webhook server during the exam.
Static analysis might be the most straightforward concept outline in this course. You will need to vet the configuration of Kubernetes YAML files and Dockerfiles and fix any security issues. This includes setting secure base images, removing unnecessary packages, stopping containers from using elevated privileges, and removing the ability to ssh into a container. When hardening Kubernetes resources, look for elevated privileges, security contexts that allow for a UID of 0, and host volumes that should not be mounted.
I mentioned container scanning in the previous section, and it would seem there is some crossover between these two topics. Out of the open-source tools that are allowed, Trivy is the only one focused on container scanning. You are also allowed to use the GitHub documentation during the exam, so it’s worth bookmarking the quick start documentation.
The StackRox CKS study guide contains a list of more resources and the ability to create a Kubernetes 1.19 cluster. In the GitHub repository, six folders contain mock exam questions and answers. Make sure to star and watch the repository for new updates as you begin your quest to becoming a Certified Kubernetes Security Specialist.