How to pass CKS — Kubernetes Security Specialist exam. Part 3

Arek Borucki
3 min read · Apr 11, 2021

CKS requires CKA (Certified Kubernetes Administrator) to be passed first; it is a mandatory prerequisite. I shared my tips on how to pass CKA and CKAD in a different post. Once you have received CKA and know how to use kubectl and the Kubernetes documentation efficiently, you can start studying for CKS. CKS is harder than the other two K8s exams. Good preparation requires deep study of native and external Kubernetes security tools and security best practices, and also a good knowledge of Kubernetes architecture, especially the API server, etcd, and the kubelet. The exam covers the following areas: gVisor, AppArmor, RBAC, Network Policies, Auditing, Falco, Trivy, Admission Controllers, CIS Benchmark, Pod Security Policies, writing secure Dockerfiles, Secrets, Privileged Pods.

  1. Episode — Network Policies
  2. Episode — gVisor
  3. Episode — Trivy
  4. Episode — AppArmor
  5. Episode — PodSecurityPolicies
  6. RBAC
  7. Dockerfile & SecurityContext

Trivy is a simple and comprehensive vulnerability scanner for containers and other artifacts. Trivy is easy to use. All you need to do for scanning is to specify a target such as an image name of the container.

Let’s scan nginx:1.17.1-alpine, alpine:3.13.4 and httpd and see if we find any vulnerabilities of severity HIGH or CRITICAL. We can use Trivy via this simple command:

trivy image --severity HIGH,CRITICAL image-name:tag

Let’s see how it works:

trivy image --severity HIGH,CRITICAL nginx:1.17.1-alpine
2021-04-11T23:20:21.509+0100 INFO Detecting Alpine vulnerabilities...
2021-04-11T23:20:21.510+0100 INFO Trivy skips scanning programming language libraries because no supported file was detected
2021-04-11T23:20:21.510+0100 WARN This OS version is no longer supported by the distribution: alpine 3.9.4

nginx:1.17.1-alpine (alpine 3.9.4)
==================================
Total: 14 (HIGH: 11, CRITICAL: 3)

trivy image --severity HIGH,CRITICAL alpine:3.13.4
2021-04-11T23:24:25.784+0100 INFO Detecting Alpine vulnerabilities...
2021-04-11T23:24:25.786+0100 INFO Trivy skips scanning programming language libraries because no supported file was detected

alpine:3.13.4 (alpine 3.13.4)
=============================
Total: 0 (HIGH: 0, CRITICAL: 0)

trivy image --severity HIGH,CRITICAL httpd
2021-04-11T23:41:03.097+0100 WARN You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed
2021-04-11T23:41:05.092+0100 INFO Detecting Debian vulnerabilities...
2021-04-11T23:41:05.109+0100 INFO Trivy skips scanning programming language libraries because no supported file was detected

httpd (debian 10.9)
===================
Total: 24 (HIGH: 20, CRITICAL: 4)

It was easy! We can see in the output above that the image alpine:3.13.4 has no vulnerabilities of severity HIGH or CRITICAL (at least Trivy did not find any), while the unpinned httpd image and the old nginx image built on an unsupported Alpine release both carry findings that should block a deployment.
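Trivy's table output is convenient at a terminal, but in a CI pipeline you usually want the scan result as data so the build can fail on policy. Below is an added example of mine, not code from this post or from the Trivy project, that parses the JSON report written by `trivy image --format json --output report.json IMAGE:TAG`, counts findings per severity, and turns the scan into a pass/fail gate on HIGH and CRITICAL, with an option to skip findings that have no fixed version yet (the same rule Trivy applies with `--ignore-unfixed`). It accepts both the newer report shape (an object with a `Results` list) and the older one (a bare list of results). The embedded report is constructed for the example; its vulnerability IDs, package names and versions are placeholders, not findings from any real image.

```python
"""Parse a Trivy JSON report and turn it into a pass/fail gate.

Added example, not from the original post. Assumes a report produced by
`trivy image --format json --output report.json IMAGE:TAG`.
"""
import json
import sys
from collections import Counter

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample report: IDs, package names and versions are placeholders
# made up for this example, not real findings.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example/app:1.0",
    "Results": [
        {
            "Target": "example/app:1.0 (alpine 3.9.4)",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0.0-r0", "FixedVersion": "1.0.1-r0",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libexample",
                 "InstalledVersion": "1.0.0-r0", "FixedVersion": "",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "othertool",
                 "InstalledVersion": "2.3.4-r1", "FixedVersion": "2.3.5-r0",
                 "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Type": "pip",
            "Vulnerabilities": None,  # Trivy emits null for a clean target
        },
    ],
})


def load_results(report_text):
    """Return the per-target results list for either report shape."""
    data = json.loads(report_text)
    if isinstance(data, dict):
        return data.get("Results") or []
    return data or []


def iter_findings(report_text, ignore_unfixed=False):
    """Yield every vulnerability entry, optionally skipping unfixed ones."""
    for result in load_results(report_text):
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            yield vuln


def count_by_severity(report_text, ignore_unfixed=False):
    """Count findings per severity across all targets."""
    counts = Counter({s: 0 for s in SEVERITIES})
    for vuln in iter_findings(report_text, ignore_unfixed):
        counts[vuln.get("Severity", "UNKNOWN")] += 1
    return dict(counts)


def gate(report_text, fail_on=("HIGH", "CRITICAL"), ignore_unfixed=False):
    """Return (passed, offending): passed is False when any finding has a
    severity listed in fail_on; offending lists those findings."""
    offending = [
        f'{v["VulnerabilityID"]} ({v["PkgName"]} {v["InstalledVersion"]})'
        for v in iter_findings(report_text, ignore_unfixed)
        if v.get("Severity") in fail_on
    ]
    return (not offending, offending)


def summary_line(report_text, ignore_unfixed=False):
    """Render a footer in the same style as Trivy's own table output."""
    counts = count_by_severity(report_text, ignore_unfixed)
    total = sum(counts.values())
    parts = ", ".join(f"{s}: {counts[s]}" for s in SEVERITIES if counts[s])
    return f"Total: {total} ({parts})"


if __name__ == "__main__":
    # Usage: python trivy_gate.py report.json  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print(summary_line(text))
    passed, bad = gate(text)
    for entry in bad:
        print("  blocked by", entry)
    sys.exit(0 if passed else 1)
```

For the simple case, Trivy can enforce the gate itself: `trivy image --exit-code 1 --severity HIGH,CRITICAL IMAGE:TAG` returns a non-zero status when such findings exist. A parser like this one is useful when the pipeline also needs the counts, a list of the blocking CVEs for the build log, or a policy that differs per severity.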

Thank you and see you soon in the next episode! The next post will be about AppArmor.
