CKS

(Certified Kubernetes Security Specialist)

My journey of exploring Kubernetes security with CKS certification.

I was apporached by a few folks on Slack and LinkedIN to share my journey of CKS and hence thought to create a handy resource to help the community.

It took me 4 weeks to prep, 5-6 hours each day. I got 78% on my 2nd attempt.

If you practice enough, 2 hours is more than enough (I had arond 18 mins in spare to review my flagged questions. Please know that I'm not a speed reader neither I practice Kubernetes on my day-to-day job. I gradually developed speed and accuracy with practice).

This is a very brief guide for CKS cert which consist resources from various public documents blended with my exam experience.

The brief (as of April '23)

Approximately total 15/17 questions - 2 hours.
You're allowed to browse Kubernetes, Apparmor, Trivy, Sysdig's documentation.
67% passing score.
As a prerequisite, you must have a valid CKA cert.

What CKS consists of?

Third-party tools
1. Seccomp profiles / AppArmor - Restricts syscalls between containers and kernal
2. OpenPolicyAgent (OPA) - Not a part of the exam, but good to learn.
3. Falco - More of an auditing tool (sort of Host based Intrusion Detection) from Sysdig
4. Trivy - Security image scanner for containers by AquaSecurity
5. CIS Benchmarking tool
6. OpenSSL (commands are available on Kubernetes documention, which you can access during the exam)
7. Sysdig (same as strace, but much readable, easy to use in exam compare to Falco)
Kubernetes fundamentals
1. NetworkPolicies (same as CKA)
2. AdmissionControllers
3. Dynamic Webhooks (for eg. ImagePolicy / NodeRestrictions)
4. SecurityContexts (Pod/Containers)
5. Audit Policy
6. RBAC (roles / rolebindings / clusterrole / clusterrolebindings)
7. Secrets
8. RunTimeClass (Container sandboxing using runc / gVisor / Kata containers)

Blueprint and Carriculam

Cluster Setup 10%

Use Network security policies to restrict cluster level access
Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
Properly set up Ingress objects with security control
Protect node metadata and endpoints
Minimize use of, and access to, GUI elements
Verify platform binaries before deploying

Cluster Hardening 15%

Restrict access to Kubernetes API
Use Role Based Access Controls to minimize exposure
Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones
Update Kubernetes frequently

System Hardening 15%

Minimize host OS footprint (reduce attack surface)
Minimize IAM roles
Minimize external access to the network
Appropriately use kernel hardening tools such as AppArmor, seccomp

Minimize Microservice Vulnerabilities 20%

Setup appropriate OS level security domains
Manage Kubernetes secrets
Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers)
Implement pod to pod encryption by use of mTLS

Supply Chain Security 20%

Minimize base image footprint
Secure your supply chain: whitelist allowed registries, sign and validate images
Use static analysis of user workloads (e.g.Kubernetes resources, Docker files)
Scan images for known vulnerabilities

Monitoring, Logging and Runtime Security 20%

Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities
Detect threats within physical infrastructure, apps, networks, data, users and workloads
Detect all phases of attack regardless where it occurs and how it spreads
Perform deep analytical investigation and identification of bad actors within environment
Ensure immutability of containers at runtime
Use Audit Logs to monitor access

CKS Carriculum (official)

Resources

There is no alternative of practice for this exam.

- Killerkoda labs - Free
- KodeKloud CKS challenges - Free
- Kubernetes Goat - Git repo - it's a delibrately vulnerable k8s cluster (good to have a pre-build k8s cluster for this exercise)
- CKS scenarios by Kim Wuestkamp
- I would highly recommend to create a two-nodes cluster locally (It takes less than 5 mins and it's extermely useful)!
Active CKS Slack channels
- Kubernetes Community - #cks-exam-prep
- KodeKloud CKS channel (the most active one)
On Github
- CKS Guide on Github (a bit outdated, but still a gem!)
Full courses
- CKS on Udemy
- CKS on KodeKloud

Tips (that worked for me)

Use imperative commands as much as possible.
Make sure to use a big screen! - Can't stress on this enough, but it's so so useful!
You cannot use your own browser anymore. You'll have to use PSI Secure Browser which will RDPing to an Ubuntu machine. So don't spend time maintaining bookmarks in browser or URL shortcuts, it won't help! If you're using corporate laptop or any other machine with restrictions to install 3rd party app, arrange an alternate machine.
You get 2 exam simulator from Killer.sh when you book your exam, each lab remains live for 36 hours. Make full use of it (both simulator loads the same scenarios/questions).

Myth buster - 2 hours are not enough!

2 hours is sufficient if you've practiced enough (i.e. used both the killer.sh exam simulators, KodeKloud CKS challenges, Used your training provider's mock exams)
Roughly 16 questions in 120 minutes = 7.5 minutes per question.
- Some low hanging fruits will save your time and don't need 7.5 mins, such as Network Policies, RBAC, Trivy, Secrets, Runtimesecurity. All the time you've saved here will help you to get more time in time consuming questions i.e. Audit Policy, Dynamic webhook, Falco/Sysdig, Static security analysis.

CKS