The Certified Kubernetes Security Specialist (CKS) certification is designed for Kubernetes professionals who want to demonstrate their expertise in securing container-based applications and Kubernetes platforms during build, deployment, and runtime. This module will guide you through the key areas of knowledge required to pass the CKS exam, including practical examples and exercises to reinforce your learning.

1. Cluster Setup
2. Cluster Hardening
3. System Hardening
4. Minimize Microservice Vulnerabilities
5. Supply Chain Security
6. Monitoring, Logging, and Runtime Security

Setting up a secure Kubernetes cluster involves configuring the cluster components and network to ensure security from the ground up.

• Kubeadm: A tool to set up a secure Kubernetes cluster.
• Network Policies: Define how pods communicate with each other and other network endpoints.
• RBAC (Role-Based Access Control): Manage permissions within the cluster.

1. Create a namespace:

   kubectl create namespace secure-namespace
   

2. Create a Role:

   apiVersion: rbac.authorization.k8s.io/v1
   kind: Role
   metadata:
     namespace: secure-namespace
     name: pod-reader
   rules:
   - apiGroups: [""]
     resources: ["pods"]
     verbs: ["get", "watch", "list"]
   

3. Create a RoleBinding:

   apiVersion: rbac.authorization.k8s.io/v1
   kind: RoleBinding
   metadata:
     name: read-pods
     namespace: secure-namespace
   subjects:
   - kind: User
     name: jane
     apiGroup: rbac.authorization.k8s.io
   roleRef:
     kind: Role
     name: pod-reader
     apiGroup: rbac.authorization.k8s.io
   

Cluster hardening involves securing the Kubernetes components and configurations to protect against unauthorized access and vulnerabilities.

• API Server Security: Secure the Kubernetes API server.
• Etcd Security: Secure the etcd database.
• Kubelet Security: Secure the kubelet on each node.

1. Create an audit policy file:

   apiVersion: audit.k8s.io/v1
   kind: Policy
   rules:
   - level: Metadata
   

2. Configure the API server to use the audit policy:

   - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
   

System hardening involves securing the underlying operating system and container runtime.

• Operating System Security: Secure the OS running Kubernetes nodes.
• Container Runtime Security: Secure the container runtime (e.g., Docker, containerd).

1. Create an AppArmor profile:

   sudo vi /etc/apparmor.d/k8s-apparmor-profile
   
   # Add the following profile
   profile k8s-apparmor-profile flags=(attach_disconnected,mediate_deleted) {
     #include <tunables/global>
     file,
     network,
     capability,
   }
   

2. Apply the AppArmor profile to a pod:

   apiVersion: v1
   kind: Pod
   metadata:
     name: apparmor-pod
     annotations:
       container.apparmor.security.beta.kubernetes.io/nginx: localhost/k8s-apparmor-profile
   spec:
     containers:
     - name: nginx
       image: nginx
   

Minimizing microservice vulnerabilities involves securing the application code and configurations.

• Image Security: Use secure and trusted container images.
• Pod Security Policies: Define security policies for pods.

1. Create a Pod Security Policy:

   apiVersion: policy/v1beta1
   kind: PodSecurityPolicy
   metadata:
     name: restricted
   spec:
     privileged: false
     seLinux:
       rule: RunAsAny
     runAsUser:
       rule: MustRunAsNonRoot
     fsGroup:
       rule: MustRunAs
       ranges:
       - min: 1
         max: 65535
     volumes:
     - 'configMap'
     - 'emptyDir'
     - 'projected'
     - 'secret'
     - 'downwardAPI'
     - 'persistentVolumeClaim'
   

2. Apply the Pod Security Policy:

   kubectl apply -f psp.yaml
   

Supply chain security involves securing the software supply chain, including source code, build processes, and dependencies.

• Source Code Security: Secure the source code repository.
• Dependency Management: Use secure and trusted dependencies.

1. Install Snyk Docker plugin:

   snyk install docker
   

2. Scan a Docker image:

   snyk test --docker nginx:latest
   

Monitoring, logging, and runtime security involve continuously monitoring the cluster and applications for security threats and vulnerabilities.

• Prometheus: Monitor Kubernetes clusters.
• EFK Stack: Collect and analyze logs.
• Falco: Monitor runtime security.

1. Create a Falco rule file:

   - rule: Write below etc
     desc: Detect any write below /etc
     condition: evt.type = write and fd.name startswith /etc
     output: "Write below /etc detected (user=%user.name command=%proc.cmdline file=%fd.name)"
     priority: WARNING
   

2. Apply the Falco rule:

   sudo cp falco-rules.yaml /etc/falco/falco_rules.local.yaml
   sudo systemctl restart falco
   

In this module, you have learned about the key areas of focus for the Certified Kubernetes Security Specialist (CKS) certification. You have explored practical examples and exercises to help you understand and apply security best practices in Kubernetes. By mastering these concepts, you will be well-prepared to secure Kubernetes clusters and applications, and to pass the CKS exam.