Where to begin with the CKS Exam?

My journey in preparing for the CKS (Certified Kubernetes Security Specialist) exam. Resources and top tips in helping you prepare for the Certified Kubernetes Security Specialist Exam.

Let’s just say this exam is no joke. The CKS is the ‘crème de la crème’ of the Kubernetes certifications. This exam is pretty tough but with enough practice, preparation and a good fundamental understanding, it can be a really enjoyable process. In this article, I will list a set of curated courses and learning materials for you to follow and make the journey for preparation easier for you.

I must say thanks to The Linux Foundation & the Cloud Native Computing Foundation for producing these hands-on exams. They are not multiple choice exams and rigorously test your knowledge with a bunch of practical questions on the terminal.

Why the CKS?

As someone who has provisioned Kubernetes solutions previously, I wanted to achieve this one to ensure I’m up to date with the latest security measures and best practices in Kubernetes. Security is an aspect that should be implemented from day zero!

I was able to get a score of 83 for the CKS. Preparing for this exam was the best part. I was able to increase my knowledge in topics like: Linux security modules, container security, ensuring Dockerfiles are prepared by following best practices currently used in the industry, ensuring pods are not using any ‘privileged’ flags, image scanning, and many more interesting areas. As it will be mentioned later too, the CKA is a prerequisite to sit this exam and it’s crucial that you have the fundamentals covered. The exam not only covers general admin knowledge, but there is some familiarity required with self-managed Kube-API server configuration. It even includes best practices for Dockerfile designing and some tools in the exam which are outside the Kubernetes ecosystem like Trivy and Falco.

Prerequisites:

Other than the official prerequisite of the CKA to sit the exam, there are some things that I would recommend:

• Fundamental understanding of containers
• Linux fundamentals and CLI awareness
• Familiarity with vim editor (screen-editor for UNIX)
• A foundation in the basics of Kubernetes
• Foundation in Application deployment, application observability and configuration
• Basics of services and networking in the Kubernetes eco-system

Read this article if you are looking to prepare for the CKA exam:

https://moabukar.medium.com/how-to-tackle-the-infamous-cka-exam-e08c28e5cfa9

How the exam works

• Duration: 2hrs
• Passing score: 67%
• Certification validity: 2 years
• Cost: $375 USD (Keep in mind, Linux Foundation offer many discounts throughout the year)
• Eligible for two attempts at an exam simulator by killer.sh — by Kim Wüstkamp
• The exam is based on Kubernetes v1.22 (As of October 2021)

What is allowed in the exam?

K8s docs (usually allowed in all other K8s exams like CKAD and CKA)

• https://kubernetes.io/docs/home/
• https://github.com/kubernetes/
• https://kubernetes.io/blog/

Specific docs allowed for the CKS exam:

• https://github.com/aquasecurity/trivy
• https://docs.sysdig.com/
• https://falco.org/docs/
• https://gitlab.com/apparmor/apparmor/-/wikis/Documentation

A detailed breakdown of the topics in the CKS exam — can also be found on the official page of Linux Foundation

• Cluster setup (10%):

1. Using network policies to restrict cluster level access
2. Using CIS benchmark to review security configuration of k8s components (kube-api, kubelet, etcd, kubedns) — Kube-bench
3. Properly setting up ingress objects with security controls
4. Protecting node metadata and endpoints
5. Minimising the use of, and access to, GUI elements
6. Verify platform binaries before deployment — binary verification using sha512 hash

• Cluster Hardening (15%):

1. Restricting access to the Kubernetes API
2. Using RBAC (role-based access controls) to minimise exposure
3. Using service account with minimal permissions and disabling defaults — opting out of automounting credentials for service accounts
4. Keeping up to date with the latest Kubernetes versions

• System Hardening (15%):

1. Minimising footprint of host OS to reduce attack surface
2. Minimising IAM roles. Principle of least privilege — Authentication and Authorisation
3. Minimise external access to the network — denying external access to outside the cluster
4. Using kernel hardening tools — such as seccomp and AppArmor correctly

• Minimise Microservice Vulnerabilities (20%):

1. Setting up appropriate OS level security domains like PSP, OPA and security contexts
2. Managing K8s secrets
3. Use container runtime sandboxes in multi-tenant environments like gVisor and kata containers.
4. Implementation of pod-to-pod encryption by using mTLS configurations

• Supply Chain Security (20%):

1. Minimise base image footprint — distroless, alpine and an image relevant to your build as well as following best practices when creating containers
2. Securing your supply chain by signing and validating images and a whitelist of allowed image registries — ImagePolicyWebhook admission controller.
3. Scan images for known vulnerabilities — Aquasec Trivy

• Monitoring, Logging and Runtime security (20%):

1. Performing analytics of syscall processes at host and container level to detect malicious activities — Falco
2. Detect threats within physical infrastructure, apps, networks, data, users and workloads
3. Detect all phase of attack regardless of where it happens and its spread
4. Performing deep analytical investigation and identification of bad actors within environment — Sysdig
5. Ensuring immutability of containers at runtime
6. Audit logs to monitor access

A good understanding of the below topics are a must:

• A thorough knowledge of the overall Kubernetes architecture and topics like RBAC, Network Policies and PSPs (Pod Security Policies).
• Must be very familiar with the kube-api server, debugging issues in the kube-api, kubelet, etcd server, admission controllers etc.
• A good knowledge and practical understanding of these tools are important: Kube-bench, Falco/sysdig, AppArmor, OPA, PSPs, Seccomp and Trivy.
• Best practices for producing Docker images are important. Ensuring your Dockerfiles are light in size without having multiple RUN/ADD layers and last but not least, to ensure you are not running privileged pods or containers with ROOT.
• Good knowledge of Linux fundamentals particularly with kernel security, cGroup mapping etc.

Practical advice for the exam

• Be comfortable and confident in using the K8s official documentation. This will be your companion in the exam lest you get stuck.
• You will be debugging and editing the kube-apiserver YAML file often in this exam. So, a quick ‘cp’ (copy) and backup of these will go a long way. If a cluster fails and you are not unable to bring it up, you may not achieve the marks for the question.

General advice for this exam

Time management is crucial in the CKS exam so skipping a question and returning to them later is much needed especially if you are stuck on 1 question for longer than 5 mins. Flag these questions and return to them.

Ensure that you always check your context (kubectl config current-context) or just simply apply the context even if you have to do this again (kubectl config set-context NAME).

As it’s an open book exam and you have access to the k8s.io docs and other 3rd party sites like falco — so make sure you are familiar with navigating these docs and able to quickly find resources. The alias is for ‘k’ (kubectl) is already configured on both the master and worker nodes, so use this to save time.

Most importantly, a cool head is definitely required for this exam. Clusters are prone to failing constantly. I had 3 clusters failing in my exam and just made it in time to bring them back before full-time. So just relax if this happens and return to the question. Also, “systemctl restart kubelet” will come in handy once you change any kubelet configurations.

Now once you have gone through Mumshads mock exam and killer.sh portal questions and you are getting good scores, go book that exam. Lastly, remember this is an open-book exam. However, you don’t have the time luxury to search for answers. How you search needs to be instinctive and you need to know what you’re searching for. For example, if I’m looking to create an Auditing policy and enable that in the kube-apiserver, I would go to the docs and would search the shortest word I can to find that information. In this case, you would literally search “Audit” in the docs and the first link at the top should usually be what you’re looking for.

Resources & links for exam prep:

Core resources:

• My personal repo (also have worked alongside other Senior Engineers) that contains exercises to help you prepare for the CKS — https://github.com/moabukar/CKS-Exercises-Certified-Kubernetes-Security-Specialist
• Mumshad’s CKS course on KodeKloud https://kodekloud.com/courses/certified-kubernetes-security-specialist-cks/
• Killer.sh portal by Kim Wüstkamp — https://killer.sh/
• GitHub repo containing very useful CKS resources and tips by Walid Shaari — https://github.com/walidshaari/Certified-Kubernetes-Security-Specialist
• Kim’s CKS Challenge series — https://github.com/killer-sh/cks-challenge-series
• Stackrox CKS Study Guide — https://github.com/stackrox/Kubernetes_Security_Specialist_Study_Guide

Other useful supplementary videos:

• Container Security — https://www.youtube.com/watch?v=iXz4i2EbB4M
• K8s security best practices — https://www.youtube.com/watch?v=wqsUfvRyYpw
• Intro to Falco — https://www.youtube.com/watch?v=zgRFN3o7nJE
• Intro to Seccomp — https://www.youtube.com/watch?v=Ro4QRx7VPsY
• Getting familiar with RBAC — https://www.youtube.com/watch?v=4HMRFcg6nEY

Specific material relating to Kubernetes-native tools:

• Network Policies

I’ve mentioned these again as they are a very important security tool and allow you to have more control over the traffic that is flowing between your pods in a cluster. In Kubernetes, by default, all pods in a cluster can communicate to each other so restrictions are sometimes necessary to put in place.

Network Policies

• Admission controllers

Make sure you are familiar with the different types of admission controllers such as ImagePolicyWebhook and PodSecurityPolicy. Get familiar with them and understand how they link with the API server, and also how they provided that extra security to the cluster.

• Pod Security Policies

This resource allows for a more detailed and granular authorisation of resources, however, it will be deprecated as of Kubernetes v1.21 and they will be removed in v1.25. OPAs (Open Policy Agent) will come into play. Read this article for more info on why it is being removed :

How to Manage Kubernetes Pod Security Policy Deprecation

Pod Security Policies

• gVisor

gVisor is an application kernel written in GoLang, it implements a large portion of the Linux syscall interface. In simple terms, it provides an extra layer of isolation between running applications and the host operating system. gVisor comes with an OCI runtime called runsc and it makes it easy to work with existing container tooling. This runsc runtime integrates with Docker and Kubernetes, thus making it easier to run sandboxed containers. In other words, gVisor provides a virtualised environment to allow for sandboxed containers.

GitHub - google/gvisor: Application Kernel for Containers

• Immutable containers

Containers can be made immutable by using the ‘securitycontext’ flag and by avoiding mutable configurations like allowing shell access to a container. The good thing about using immutable containers is that we are always aware of the state of containers. Other measures like enabling the ‘readOnlyRootFilesystem’ flag, using AppArmor, Seccomp, and privilege escalations.

Configure a Security Context for a Pod or Container

Pod Security Standards

• Auditing:

K8s provides you with auditing for a security-relevant, chronological list highlighting the sequence of actions that took place in a cluster. The cluster audits the activities generated by users, applications that use the K8s API and the control plane itself. Basically, Auditing in K8s allows the cluster-admin to know information like: what happened? when did it happen? on what? who initiated the process? where was it observed? from where was it initiated? and to where it was going? An audit policy file is usually configured with a list of events that you wish the cluster to Audit. This is enabled by inserting the flag “ — audit-policy-file” in the kube-apiserver. If this flag is omitted, no events are logged.

Auditing

3rd-party tools to get familiar with:

• Falco

Make sure you practice finding common Falco rules in the ‘/etc/falco/falco_rules.yaml’ and inserting them into the local_rules yaml file. Also, get familiar with changing the output to your desired one.

Supported Fields for Conditions and Outputs

• AppArmor

Get used to loading profiles and then applying them in your Pod manifest files.

Documentation · Wiki · AppArmor / apparmor

• Aquasec Trivy

An image scanning tool used for scanning vulnerabilities.

GitHub - aquasecurity/trivy: Scanner for vulnerabilities in container images, file systems, and Git…

• Aqua Sec Kube-bench

You are easily able to run this on your cluster. Kube-bench is used to check whether your Kubernetes has been deployed in a secure manner by running the checks that are mentioned in the CIS Kubernetes Benchmark.

GitHub - aquasecurity/kube-bench: Checks whether Kubernetes is deployed according to security best…

I hope to be constantly updating this CKS exam guide with all the latest useful resources and tips to help you prepare for the CKS exam. Possibly aim to create a GitHub repo sometime soon so that examples of the syllabus are demonstrated.

All the best on your learning journey! If you feel like you can contribute to this article, just message me and we can work on adding that in. And if you know anyone preparing for this, do share this with them.

Feel free to reach out on LinkedIn if you have more questions :)

Mohamed A. - Platform Engineer - Capgemini | LinkedIn