My feedback about Kubernetes Security Specialist exam (CKS)

Dec 15, 2020·3 min read

CKS: Certified Kubernetes Security Specialist was issued by The Linux Foundation to Jihad BENABRA.

Earners of this designation are accomplished Kubernetes practitioners (as evidenced by holding the CKA credential)…

www.youracclaim.com

I’ve achieved my CKS certificate this weekend, and for that many people come to ask me about feedback and exam big topics.

Therefore, you should to understand that the exam scenario is not the same for all people, but in my case the challenge was to resolve 19 questions concerning this topics:

ImagePolicyWebhook

The goals is to enable this plugin and connect it with webhook server.

Using Admission Controllers

This page provides an overview of Admission Controllers. What are they? An admission controller is a piece of code that…

kubernetes.io

Audit Policy

Enable plugin, define logs for some resources ( for namespaces and secrets…) at different levels (Metadata, Request…)…

Auditing

Kubernetes auditing provides a security-relevant, chronological set of records documenting the sequence of actions in a…

kubernetes.io

Anomaly fix with Falco or Sysdig

Check containers and pod anomaly using scanners like Falco or Sysdig, and format the output in a specific format.

What is Falco, and how it work with Kubernetes

When using Kubernetes as orchestrator, securing our deployments and pods become a major topic because many teams and…

jihadbenabra.medium.com

Sandbox containers, RuntimeClass and gVisor

Deploy a RuntimeClass, and create deployment using this class on the correct worker node.

Kubenretes: Enable sandboxed containers using gVisor

One of big topics for the Kubernetes Security Specialist is to enable Sandboxed containers using gVisor.

jihadbenabra.medium.com

Runtime Class

FEATURE STATE: Kubernetes v1.20 [stable] This page describes the RuntimeClass resource and runtime selection mechanism…

kubernetes.io

PodSecurityPolicies

Create PSP and it’s ClusterRole, ClusterRoleBinding and deploy a pod impacted by the PSP.

Pod Security Policies

FEATURE STATE: Kubernetes v1.20 [beta] Pod Security Policies enable fine-grained authorization of pod creation and…

kubernetes.io

CSI Bench

Try to resolve security issues detected by kube-bench on master, node and ETCD.

aquasecurity/kube-bench

kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in…

github.com

Static Dockerfile best security and hardening practice

Analyse a static Dockerfile and try to fix many security issues and hardening best security and optimization practices.

Cluster security hardening with Strace

Strace is a diagnostic and debugging userspace utility for Linux. It is used to monitor and tamper with interactions between processes and the Linux kernel, which include system calls…

Kubernetes cluster security hardening with Strace

One of biggest topic when talking about Kubernetes cluster security is kernel command using linux syscall executed by…

jihadbenabra.medium.com

Others

Of course, you need to practice and practice cases like:

RBAC
NetworkPolicies
Sidecar containers
Image vulnerability (Trivy)
Verify kube-apiserver sha512…

Using RBAC Authorization

Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles…

kubernetes.io

Network Policies

If you want to control traffic flow at the IP address or port level (OSI layer 3 or 4), then you might consider using…

kubernetes.io

Finally, every scenario is different, but the big topics are the same :)

My feedback about Kubernetes Security Specialist exam (CKS)

CKS: Certified Kubernetes Security Specialist was issued by The Linux Foundation to Jihad BENABRA.

Earners of this designation are accomplished Kubernetes practitioners (as evidenced by holding the CKA credential)…

ImagePolicyWebhook

Using Admission Controllers

This page provides an overview of Admission Controllers. What are they? An admission controller is a piece of code that…

Audit Policy

Auditing

Kubernetes auditing provides a security-relevant, chronological set of records documenting the sequence of actions in a…

Anomaly fix with Falco or Sysdig

What is Falco, and how it work with Kubernetes

When using Kubernetes as orchestrator, securing our deployments and pods become a major topic because many teams and…

Sandbox containers, RuntimeClass and gVisor

Kubenretes: Enable sandboxed containers using gVisor

One of big topics for the Kubernetes Security Specialist is to enable Sandboxed containers using gVisor.

Runtime Class

FEATURE STATE: Kubernetes v1.20 [stable] This page describes the RuntimeClass resource and runtime selection mechanism…

PodSecurityPolicies

Pod Security Policies

FEATURE STATE: Kubernetes v1.20 [beta] Pod Security Policies enable fine-grained authorization of pod creation and…

CSI Bench

aquasecurity/kube-bench

kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in…

Static Dockerfile best security and hardening practice

Cluster security hardening with Strace

Kubernetes cluster security hardening with Strace

One of biggest topic when talking about Kubernetes cluster security is kernel command using linux syscall executed by…

Others

Using RBAC Authorization

Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles…

Network Policies

If you want to control traffic flow at the IP address or port level (OSI layer 3 or 4), then you might consider using…

Jihad Benabra

More From Medium