How to pass CKS — Kubernetes Security Specialist exam. Part 7

Arek Borucki
Apr 13, 2021

CKS requires CKA (Certified Kubernetes Administrator) to be passed first; it is a mandatory prerequisite. I shared my tips on how to pass CKA and CKAD in a different post. Once you have passed CKA and know how to use kubectl and the Kubernetes documentation efficiently, you can start studying for CKS. CKS is harder than the other two K8s exams. Good preparation requires deep study of native and external Kubernetes security tools and security best practices, and also a good knowledge of Kubernetes architecture, especially the API server, etcd, and kubelet. The exam covers the following areas: gVisor, AppArmor, RBAC, Network Policies, Auditing, Falco, Trivy, Admission Controllers, CIS Benchmark, Pod Security Policies, writing secure Dockerfiles, Secrets, Privileged Pods.

  1. Episode — Network Policies
  2. Episode — gVisor
  3. Episode — Trivy
  4. Episode — AppArmor
  5. Episode — PodSecurityPolicies
  6. Episode — RBAC
  7. Episode — Dockerfile & SecurityContext

Docker and container security are broad problem spaces, and there is plenty of low-hanging fruit to harvest to mitigate risks. A good starting point is to follow some best practices when writing Dockerfiles.

On the exam you may be asked to validate a Dockerfile against security best practices and change the file if required. You may also be asked to configure or fix a Security Context for a Pod or Container.

  1. Rootless containers

Running as non-root might require a couple of additional steps in the Dockerfile. You will need to:

  • Make sure the user specified in the USER instruction exists inside the container and is not the root user.

FROM alpine:3.12
# Create the user, create the data directory, and set ownership and permissions as required
RUN adduser -D myuser && mkdir -p /myapp-data && chown -R myuser /myapp-data
# ... copy application files
# Insecure: the process runs as root. Change this to USER myuser
USER root
ENTRYPOINT ["/myapp"]

  • Never put any secret or credentials in the Dockerfile instructions: not in environment variables, build args, or hard-coded into any command. If you find any on the exam, remove them.

  2. Security Context for a Pod or Container (pay attention to runAsUser, allowPrivilegeEscalation and readOnlyRootFilesystem)

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 0 # change to a different number; 0 is root
  containers:
  - name: sec-ctx-demo
    image: gcr.io/google-samples/node-hello:1.0


apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
  containers:
  - name: sec-ctx-demo-2
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 2000 # container-level value overrides the pod-level 1000
      allowPrivilegeEscalation: true # change to false


apiVersion: v1
kind: Pod
metadata:
  name: hello-world
spec:
  containers:
  # specification of the pod's containers
  # ...
  - securityContext: # readOnlyRootFilesystem is a container-level field only
      readOnlyRootFilesystem: false # set to true
      runAsNonRoot: true
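To make the manifest checks above repeatable, here is an added example (not from the original post and not a Kubernetes tool) that audits each container's effective securityContext, merging pod-level and container-level settings the way Kubernetes resolves them. It assumes the manifest has already been loaded into a Python dict with yaml.safe_load(); audit_pod, effective_context and SAMPLE_POD are my own names, and SAMPLE_POD is the post's second manifest in dict form.

```python
# Added example (not from the original post): audit the effective securityContext
# of every container in a Pod manifest; container-level fields override pod-level
# ones, as Kubernetes resolves them. Assumes the manifest is already a dict (yaml.safe_load()).

# Inherited pod-level fields this audit looks at (also valid at container level).
INHERITED = ("runAsUser", "runAsNonRoot")

def effective_context(pod_ctx, container_ctx):
    """Merge pod-level and container-level securityContext for one container."""
    merged = {k: v for k, v in pod_ctx.items() if k in INHERITED}
    merged.update(container_ctx)  # container-level settings win
    return merged

def audit_pod(pod):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext") or {}
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        ctx = effective_context(pod_ctx, c.get("securityContext") or {})
        if ctx.get("runAsUser") == 0:
            findings.append(f"{name}: runAsUser is 0 (root)")
        elif "runAsUser" not in ctx and not ctx.get("runAsNonRoot"):
            findings.append(f"{name}: neither runAsUser nor runAsNonRoot set; image default decides")
        # Unset means privilege escalation stays allowed; only an explicit false is safe.
        if ctx.get("allowPrivilegeEscalation", True) is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not explicitly false")
        if ctx.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem not true")
    return findings

# Constructed sample: the post's second manifest as yaml.safe_load() would return it.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "security-context-demo"},
    "spec": {
        "securityContext": {"runAsUser": 1000},
        "containers": [{
            "name": "sec-ctx-demo-2",
            "image": "gcr.io/google-samples/node-hello:1.0",
            "securityContext": {"runAsUser": 2000, "allowPrivilegeEscalation": True},
        }],
    },
}

if __name__ == "__main__":
    print(*audit_pod(SAMPLE_POD), sep="\n")
```

Running it on SAMPLE_POD reports only the allowPrivilegeEscalation and readOnlyRootFilesystem findings, since the container-level runAsUser 2000 overrides the pod-level 1000.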

Thank you and see you soon in the next episode! The next post will be about Secrets.
