CKS: Certified Kubernetes Security Specialist was issued by The Linux Foundation to Jihad BENABRA.
I achieved my CKS certificate this weekend, and since then many people have come to ask me for feedback and the big topics of the exam.
Therefore, you should understand that the exam scenario is not the same for everyone, but in my case the challenge was to solve 19 questions on these topics:
Audit logging: the goal is to enable the audit plugin and connect it to a webhook server.
Enable the plugin and define audit rules for some resources (namespaces, secrets…) at different levels (Metadata, Request…).
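As an added example (not from the original post), here is an audit Policy matching that scenario together with the webhook backend file it is paired with: Secrets are logged at the Metadata level only, so their values never reach the audit trail, Namespace operations carry the request body, and everything else is dropped. The webhook URL, file paths and certificate names are placeholders.

```yaml
# Added example: audit policy for the scenario above.
# Passed to the kube-apiserver as (paths are placeholders):
#   --audit-policy-file=/etc/kubernetes/audit-policy.yaml
#   --audit-webhook-config-file=/etc/kubernetes/audit-webhook.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage so each request is recorded once,
# at ResponseComplete (or Panic), not twice.
omitStages:
  - "RequestReceived"
rules:
  # Secrets: Metadata only. Request or RequestResponse would write the
  # base64 secret payload into the audit log. Rules are evaluated in
  # order and the first match wins, so this must come before any
  # broader rule.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets"]
  # Namespaces: include the request body so create/patch/delete details
  # are recorded.
  - level: Request
    resources:
      - group: ""
        resources: ["namespaces"]
  # Everything else is not recorded.
  - level: None
---
# Second file (audit-webhook.yaml): a kubeconfig-format document that
# tells the kube-apiserver where to POST audit events. Mutual TLS:
# the sink's CA is pinned and the apiserver presents a client cert.
# Server URL and paths are placeholders for this example.
apiVersion: v1
kind: Config
clusters:
  - name: audit-sink
    cluster:
      server: https://audit-sink.example.internal:9443/audit
      certificate-authority: /etc/kubernetes/pki/audit-sink-ca.crt
contexts:
  - name: audit-sink
    context:
      cluster: audit-sink
      user: kube-apiserver
current-context: audit-sink
users:
  - name: kube-apiserver
    user:
      client-certificate: /etc/kubernetes/pki/apiserver-audit-client.crt
      client-key: /etc/kubernetes/pki/apiserver-audit-client.key
```

After the apiserver restarts, a quick check is to create a test Secret and confirm the sink receives an event with verb, user and object reference but no `requestObject` body.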
Anomaly fix with Falco or Sysdig
Sandbox containers, RuntimeClass and gVisor
Deploy a RuntimeClass, and create a deployment that uses this class and is scheduled on the correct worker node.
Kubernetes: Enable sandboxed containers using gVisor
One of the big topics for the Kubernetes Security Specialist is enabling sandboxed containers using gVisor.
Create a PSP with its ClusterRole and ClusterRoleBinding, and deploy a pod that is affected by the PSP.
Try to resolve the security issues detected by kube-bench on the master, the worker nodes and etcd.
kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in…
Static Dockerfile security and hardening best practices
Analyse a static Dockerfile and fix its security issues, applying hardening and optimization best practices.
Cluster security hardening with strace
Strace is a diagnostic and debugging userspace utility for Linux. It is used to monitor and tamper with interactions between processes and the Linux kernel, which include system calls…
Of course, you need to practice, and practice cases like:
- Sidecar containers
- Image vulnerability (Trivy)
- Verify kube-apiserver sha512…
Using RBAC Authorization
Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles…
If you want to control traffic flow at the IP address or port level (OSI layer 3 or 4), then you might consider using…
Finally, every scenario is different, but the big topics are the same :)