├── .images
│   ├── dynamic-container-image-scan-tools.png
│   ├── filter-network-traffic.png
│   ├── manage-sensitive-data.png
│   ├── manage-supply-chain+artifacts.png
│   ├── policies-enforcer.png
│   ├── sign-container-image-crypto.png
│   └── static-container-image-scan-tools.png
├── README.md
├── docs
│   └── 01-cluster-setup
│       ├── CIS Benchmarks  _  Kubernetes Engine Documentation  _  Google Cloud.pdf
│       └── CIS_Kubernetes_Benchmark_v1.5.1.pdf
├── tutos
│   └── 01-cluster-setup
│       └── 02-c-cis-benchmark
│           └── using-dev-sec-cis-k8s.md
└── v1.19
    └── CKS_Curriculum_ v1.19 Coming Soon November 2020.pdf

--------------------------------------------------------------------------------
/.images/dynamic-container-image-scan-tools.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdennour/certified-kubernetes-security-specialist/a856f0d93c2f00a07564460b843d8e0d8e95ba05/.images/dynamic-container-image-scan-tools.png
--------------------------------------------------------------------------------
/.images/filter-network-traffic.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdennour/certified-kubernetes-security-specialist/a856f0d93c2f00a07564460b843d8e0d8e95ba05/.images/filter-network-traffic.png
--------------------------------------------------------------------------------
/.images/manage-sensitive-data.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdennour/certified-kubernetes-security-specialist/a856f0d93c2f00a07564460b843d8e0d8e95ba05/.images/manage-sensitive-data.png
--------------------------------------------------------------------------------
/.images/manage-supply-chain+artifacts.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdennour/certified-kubernetes-security-specialist/a856f0d93c2f00a07564460b843d8e0d8e95ba05/.images/manage-supply-chain+artifacts.png
--------------------------------------------------------------------------------
/.images/policies-enforcer.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdennour/certified-kubernetes-security-specialist/a856f0d93c2f00a07564460b843d8e0d8e95ba05/.images/policies-enforcer.png
--------------------------------------------------------------------------------
/.images/sign-container-image-crypto.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdennour/certified-kubernetes-security-specialist/a856f0d93c2f00a07564460b843d8e0d8e95ba05/.images/sign-container-image-crypto.png
--------------------------------------------------------------------------------
/.images/static-container-image-scan-tools.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdennour/certified-kubernetes-security-specialist/a856f0d93c2f00a07564460b843d8e0d8e95ba05/.images/static-container-image-scan-tools.png
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com)

# Cluster Setup – 10%

## Use Network security policies to restrict cluster level access

- https://kubernetes.io/docs/concepts/services-networking/network-policies/
- 🔬 https://github.com/ahmetb/kubernetes-network-policy-recipes
- https://medium.com/@reuvenharrison/an-introduction-to-kubernetes-network-policies-for-security-people-ba92dd4c809d
- https://github.com/Tufin/test-network-policies
- Caveat: a NetworkPolicy is only enforced by a CNI plugin that supports it (Calico, Cilium, ...); on a cluster whose network plugin does not, the object is accepted by the API server and silently ignored. A pod selected by no policy accepts and sends everything, so start each namespace with a default-deny policy and add allow rules on top.

## Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)

```sh
# install kube-bench in the current host dir
docker run --rm -it -v `pwd`:/host aquasec/kube-bench:latest install

# benchmark your cluster (check the current kubeconfig first; kube-bench reads the
# component config files and process flags of the node it runs on, so run it as
# root on a control-plane node and again on a worker node)
./kube-bench
```

- https://www.cisecurity.org/benchmark/kubernetes/
- https://github.com/dev-sec/cis-kubernetes-benchmark
- https://github.com/aquasecurity/kube-bench
- https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks

## Properly set up Ingress objects with security control

- [secure an Ingress by specifying a Secret that contains a TLS private key and certificate](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls): the Secret is of type `kubernetes.io/tls` with `tls.crt` and `tls.key` keys and has to live in the same namespace as the Ingress.

## Protect node metadata and endpoints

- Pods reach the cloud provider's instance metadata service (169.254.169.254 on AWS, GCP and Azure) by default and can pull node credentials from it: block it with an egress NetworkPolicy, or use the provider's metadata concealment / workload identity features.
- Lock down the kubelet: `--anonymous-auth=false`, `--authorization-mode=Webhook`, `--read-only-port=0`, and client certificate authentication with `--client-ca-file`.
- On the API server, never run with `--authorization-mode=AlwaysAllow`; use `Node,RBAC` and treat `--anonymous-auth=false` as the default.

## Minimize use of, and access to, GUI elements

- https://blog.heptio.com/on-securing-the-kubernetes-dashboard-16b09b1b7aca
- Do not install the Dashboard unless it is needed; never bind its ServiceAccount to `cluster-admin`, and reach it through `kubectl proxy` rather than a public Service or Ingress.

## Verify platform binaries before deploying

- https://github.com/kubernetes/kubernetes/releases : each release's notes list the SHA-512 of every client, server and node tarball; compare it (`sha512sum`) with what you downloaded before anything is installed on a node.


# Cluster Hardening – 15%

## Restrict access to Kubernetes API

- [Controlling Access to the Kubernetes API](https://kubernetes.io/docs/reference/access-authn-authz/controlling-access/): every request passes authentication, then authorization, then admission control, and each stage has to be configured.

## Use Role Based Access Controls to minimize exposure

- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
- https://github.com/David-VTUK/CKA-StudyGuide/blob/master/RevisionTopics/Part-5-Security.md
- Prefer a namespaced `Role`/`RoleBinding` over a `ClusterRole`, avoid `*` in verbs and resources, and review what a principal can do with `kubectl auth can-i --list --as=<user>`.

## Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones

- https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/
- https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
- Set `automountServiceAccountToken: false` on the `default` ServiceAccount of each namespace (or on the pod spec) so pods that never talk to the API get no token; give each workload its own ServiceAccount bound only to the permissions it needs.

## Update Kubernetes frequently

- https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/
- Security fixes only land in patch releases of the currently supported minor versions, so stay inside that window. With kubeadm: upgrade the control plane first (`kubeadm upgrade apply`), then each node (`kubeadm upgrade node` plus the kubelet package).


# System Hardening – 15%

## Minimize host OS footprint (reduce attack surface)

- [CIS benchmark Overview/General](https://www.cisecurity.org/benchmark/distribution_independent_linux/)

- CIS benchmark dedicated for each distribution
  * https://www.cisecurity.org/benchmark/red_hat_linux/
  * https://www.cisecurity.org/benchmark/ubuntu_linux/
  * https://www.cisecurity.org/benchmark/centos_linux/
  * https://www.cisecurity.org/benchmark/debian_linux/
  * https://www.cisecurity.org/benchmark/suse_linux/
  * https://www.cisecurity.org/benchmark/oracle_linux/

## Minimize IAM roles

- [Least privilege principle](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) is generally the way to go!
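The NetworkPolicy semantics behind the "Use Network security policies" section above (policies are additive, a pod selected by no policy accepts everything, a pod selected by any policy only accepts what some rule allows, and a connection needs the source's egress and the destination's ingress to agree) are easiest to internalise by evaluating them by hand. The following is an added example written for this page, not code from the repository or from Kubernetes: a small evaluator over policy manifests in their dict (JSON) form, with a constructed `prod` namespace holding a default-deny ingress policy and one allow policy. It assumes `matchLabels` selectors only (no `matchExpressions`), numeric ports, and it ignores `ipBlock` peers.

```python
"""Evaluate pod-to-pod connectivity under a set of Kubernetes NetworkPolicy
objects given as dicts (the JSON form of the manifests).

Added example, not the project's code. Assumptions kept simple on purpose:
matchLabels selectors only, numeric ports only, ipBlock peers are ignored."""
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)


def selector_matches(selector, labels):
    """matchLabels semantics: every listed label must be present with that value.
    An empty selector ({}) matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, pod, ns_labels, policy_ns):
    """One entry of a from:/to: list. podSelector and namespaceSelector in the
    same entry are ANDed; a lone podSelector is scoped to the policy's namespace."""
    if "ipBlock" in peer:          # CIDR peers never describe a pod (assumption: skipped)
        return False
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], ns_labels.get(pod.namespace, {})):
            return False
    elif pod.namespace != policy_ns:
        return False
    return selector_matches(peer.get("podSelector", {}), pod.labels)


def port_matches(rule, port, protocol):
    """A rule without ports applies to all ports; otherwise protocol+port must match (TCP default)."""
    ports = rule.get("ports")
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)


def policy_types(policy):
    """policyTypes defaults to Ingress, plus Egress only when an egress section exists."""
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def direction_allowed(policies, ns_labels, subject, other, port, protocol, direction):
    """Ingress check (subject = destination) or Egress check (subject = source).
    No policy selecting the subject in that direction means allow-all; otherwise
    the rules of every selecting policy are unioned and anything unmatched is denied."""
    section, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == subject.namespace
                 and direction in policy_types(p)
                 and selector_matches(p["spec"].get("podSelector", {}), subject.labels)]
    if not selecting:
        return True
    for pol in selecting:
        for rule in pol["spec"].get(section) or []:
            if not port_matches(rule, port, protocol):
                continue
            peers = rule.get(peer_key)
            if not peers or any(peer_matches(pe, other, ns_labels, pol["metadata"]["namespace"])
                                for pe in peers):
                return True
    return False


def connection_allowed(policies, ns_labels, src, dst, port, protocol="TCP"):
    """Traffic flows only if the source's egress AND the destination's ingress allow it."""
    return (direction_allowed(policies, ns_labels, src, dst, port, protocol, "Egress")
            and direction_allowed(policies, ns_labels, dst, src, port, protocol, "Ingress"))


# Constructed sample cluster state for this example (not from the page).
NAMESPACE_LABELS = {"prod": {"env": "prod"}, "monitoring": {"team": "monitoring"}}
POLICIES = [
    {"metadata": {"name": "default-deny-ingress", "namespace": "prod"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"metadata": {"name": "backend-allow", "namespace": "prod"},
     "spec": {"podSelector": {"matchLabels": {"app": "backend"}},
              "ingress": [
                  {"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                   "ports": [{"port": 8080}]},
                  {"from": [{"namespaceSelector": {"matchLabels": {"team": "monitoring"}}}],
                   "ports": [{"port": 9090}]}]}},
]
FRONTEND = Pod("frontend-1", "prod", {"app": "frontend"})
BACKEND = Pod("backend-1", "prod", {"app": "backend"})
PROMETHEUS = Pod("prometheus-0", "monitoring", {"app": "prometheus"})
DEBUG_SHELL = Pod("debug-shell", "prod", {"app": "debug"})

if __name__ == "__main__":
    for src, dst, port in [(FRONTEND, BACKEND, 8080), (DEBUG_SHELL, BACKEND, 8080),
                           (PROMETHEUS, BACKEND, 9090), (BACKEND, FRONTEND, 80)]:
        ok = connection_allowed(POLICIES, NAMESPACE_LABELS, src, dst, port)
        print(f"{src.name} -> {dst.name}:{port}  {'ALLOW' if ok else 'DENY'}")
```

The last case, backend to frontend on port 80, is denied although nobody wrote a rule mentioning the frontend: the default-deny policy selects every pod in `prod`, and from then on only explicit rules open traffic. On a real cluster the equivalent check is a `kubectl exec` into a client pod and a `curl` against the target while the policy is applied, as the recipes repository linked above does.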
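For "Verify platform binaries before deploying" above, the SHA-512 values published with each release are only worth something if the comparison actually happens before the binary reaches a node. Added example, not code from the repository: it parses a `sha512sum`-style list (the format of the `.sha512` files served next to the binaries), hashes each artifact in a streaming fashion, compares in constant time, and treats a listed-but-missing file as a failure. `demo()` builds a constructed directory in which one artifact was replaced after the checksum list was produced; the file names and contents are made up for the demo.

```python
"""Verify downloaded Kubernetes release artifacts against their published
SHA-512 checksums before installing them on a node.

Added example, not the project's code. The list format parsed here is the
`sha512sum` one ('<hex>  <filename>' per line), which is also what you get by
pasting the values from the release notes into a file."""
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdef")


def sha512_file(path, chunk_size=1 << 20):
    """Stream the file; server tarballs are hundreds of MB."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_list(text):
    """'<hex>  <filename>' per line (a leading '*' marks sha512sum binary mode and
    is dropped). A line holding only a hex digest, as in kubectl.sha512, is stored
    under the key None. Malformed digests are rejected rather than compared, so a
    corrupted checksum file cannot masquerade as a simple mismatch."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        digest = parts[0].lower()
        if len(digest) != 128 or set(digest) - HEX:
            raise ValueError(f"malformed SHA-512 digest: {parts[0]!r}")
        name = parts[1].lstrip("*") if len(parts) == 2 else None
        entries[name] = digest
    return entries


def verify_file(path, expected_hex):
    """Constant-time comparison of the computed digest with the published one."""
    return hmac.compare_digest(sha512_file(path), expected_hex.lower())


def verify_directory(directory, checksum_text):
    """Returns {filename: ok}. A file missing from disk fails just like a
    mismatch: never install an artifact the checksum list does not cover."""
    results = {}
    for name, digest in parse_checksum_list(checksum_text).items():
        if name is None:
            continue
        path = os.path.join(directory, name)
        results[name] = os.path.isfile(path) and verify_file(path, digest)
    return results


def demo():
    """Constructed scenario: three artifacts are listed; one is intact, one was
    replaced after the list was published, one was never downloaded."""
    originals = {"kubectl": b"constructed kubectl bytes\n",
                 "kubelet": b"constructed kubelet bytes\n",
                 "kube-proxy": b"constructed kube-proxy bytes\n"}
    checksum_text = "".join(f"{hashlib.sha512(data).hexdigest()}  {name}\n"
                            for name, data in originals.items())
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "kubectl"), "wb") as f:
            f.write(originals["kubectl"])          # intact
        with open(os.path.join(d, "kubelet"), "wb") as f:
            f.write(b"trojaned kubelet\n")         # swapped after the list was written
        # kube-proxy is listed but absent from the directory
        return verify_directory(d, checksum_text)


if __name__ == "__main__":
    print(demo())   # {'kubectl': True, 'kubelet': False, 'kube-proxy': False}
```

The same logic is what `echo "$(cat kubectl.sha512)  kubectl" | sha512sum --check` does on the command line; the script form is useful when the check has to gate an automated node build.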
## Minimize external access to the network

- ACL at the level of subnet : https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
- Security Group at the level of machine : https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html
- Firewall at the level of OS ( ufw, firewall-cmd ) : https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw/
- Whichever layer you use, expose the control-plane ports (API server 6443, etcd 2379-2380, kubelet 10250) only to the hosts that need them; etcd holds every Secret in the cluster and must never be reachable from outside the control plane.

## Appropriately use kernel hardening tools such as AppArmor, seccomp

- https://kubernetes.io/docs/tutorials/clusters/apparmor/
- https://kubernetes.io/docs/tutorials/clusters/seccomp/
- Both are opt-in per container. An AppArmor profile is attached with the `container.apparmor.security.beta.kubernetes.io/<container>` annotation (`runtime/default` or `localhost/<profile>`; a local profile has to be loaded on every node the pod can land on). A seccomp profile is set with `securityContext.seccompProfile` (`RuntimeDefault`, or `Localhost` with a JSON profile under the kubelet's seccomp root, `/var/lib/kubelet/seccomp`).
- 📚 ["Container Security"](https://cdn2.hubspot.net/hubfs/1665891/Assets/Container%20Security%20by%20Liz%20Rice%20-%20OReilly%20Apr%202020.pdf?utm_medium=email&_hsmi=85733108&_hsenc=p2ANqtz--tQO3LhW0VqGNthE1dZqnfki1pYhEq-I_LU87M03pmQlvhXhA1lO4jO3vLjN4NtcbEiFyIL2lEBlzzMHe96VPXERZryw&utm_content=85733108&utm_source=hs_automation) by Liz Rice, which covers AppArmor, seccomp, SELinux and the whole gang.


# Minimize Microservice Vulnerabilities – 20%

## Setup appropriate OS level security domains e.g. using PSP, OPA, security contexts

- PSP : https://kubernetes.io/docs/concepts/policy/pod-security-policy/ (an admission controller that has to be enabled explicitly; once it is, a pod is admitted only if some PodSecurityPolicy that its creator is authorized to `use` allows it. Deprecated in v1.21 and removed in v1.25 in favour of Pod Security Admission.)
- OPA : https://www.openpolicyagent.org/docs/latest/kubernetes-primer/
- Security Context : https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

## Manage Kubernetes secrets

- https://kubernetes.io/docs/concepts/configuration/secret/
- Secrets are base64-encoded, not encrypted: anyone who can `get` the Secret, read etcd, or read an etcd backup sees the value. Enable encryption at rest (`--encryption-provider-config` on the API server), restrict RBAC `get`/`list`/`watch` on secrets to the few principals that need it, and prefer volume mounts over environment variables (an environment is inherited by every child process and tends to end up in debug output).
- 📹 TGIK - Advanced k8s secret management : https://www.youtube.com/watch?v=IznsHhKL428&ab_channel=VMwareCloudNativeApps
- 🔬 Sealed Secrets : https://github.com/bitnami-labs/sealed-secrets
- secrets-store-csi-driver : https://github.com/kubernetes-sigs/secrets-store-csi-driver
- https://spacelift.io/blog/kubernetes-secrets

## Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers)

- gVisor : https://gvisor.dev/docs/user_guide/install/
- kata : https://github.com/kata-containers/kata-containers
- 🔬 Hands-on Kata : https://github.com/abdennour/abdennour.github.io/blob/master/_posts/2018-06-09-successfully-running-kata-containers-in-the-cloud.markdown
- A pod opts into a sandbox through `spec.runtimeClassName`, which references a `RuntimeClass` mapped to the gVisor (`runsc`) or Kata handler configured in containerd or CRI-O on the node.

## Implement pod to pod encryption by use of mTLS

- https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/
- Using **istio** , https://developer.ibm.com/technologies/containers/tutorials/istio-security-mtls/
- Using **linkerd**, https://linkerd.io/2/features/automatic-mtls/
- 🔬 https://www.istioworkshop.io/11-security/01-mtls/
- Both meshes inject a sidecar proxy that terminates the TLS. With Istio, mTLS stays permissive (plaintext is still accepted) until a `PeerAuthentication` with mode `STRICT` is applied.


# Supply Chain Security – 20%

## Minimize base image footprint

- [7 best practices](https://cloud.google.com/blog/products/gcp/7-best-practices-for-building-containers) for building containers.
- https://github.com/GoogleContainerTools/distroless


## Secure your supply chain: whitelist allowed registries, sign and validate images

- Docker Way : https://docs.docker.com/engine/security/trust/content_trust/ (Docker Content Trust: with `DOCKER_CONTENT_TRUST=1` the client refuses to pull or run a tag that carries no valid Notary signature)
- Tools for managing the supply chain and artifacts:

![](.images/manage-supply-chain+artifacts.png)

- Tools for signing container images cryptographically:

![](.images/sign-container-image-crypto.png)

- example - [restrict pulling images from registries](https://www.openpolicyagent.org/docs/latest/kubernetes-primer/)
- Related also with https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/ : a registry allowlist or signature check is enforced at admission time, through a validating webhook (OPA Gatekeeper and the like) or the built-in `ImagePolicyWebhook` admission controller. Pin images by digest (`image@sha256:...`) rather than by tag, since a tag can be re-pushed with different content.

## Use static analysis of user workloads (e.g. Kubernetes resources, Docker files)

- kubehunter: https://github.com/aquasecurity/kube-hunter (note: kube-hunter probes a running cluster for weaknesses, so it is a dynamic scanner rather than static analysis of manifests)
- Tools around static container image scan:

![](.images/static-container-image-scan-tools.png)

## Scan images for known vulnerabilities

- Clair: https://github.com/quay/clair
- Tools around dynamic container image scan :

![](.images/dynamic-container-image-scan-tools.png)

# Monitoring, Logging and Runtime Security – 20%

## Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities

- https://kubernetes.io/docs/tutorials/clusters/seccomp/ (seccomp restricts which syscalls a container may make; the detection side, watching syscall, process and file activity for anomalies, is what Falco (below) and auditd on the host do)

## Detect threats within physical infrastructure, apps, networks, data, users and workloads

## Detect all phases of attack regardless where it occurs and how it spreads

- Get the General Concept : https://www.dnvgl.com/article/the-seven-phases-of-a-cyber-attack-118270

## Perform deep analytical investigation and identification of bad actors within environment

## Ensure immutability of containers at runtime

- Enforce it in the pod spec: `readOnlyRootFilesystem: true` in the container securityContext (with `emptyDir` volumes for the few paths that must be writable), no shell or package manager in the image, and a digest-pinned image.
- [Falco](https://falco.org/docs/) might help: its default rules alert on a shell spawned inside a container and on writes below binary directories, which is how a violation of immutability shows up at runtime.

## Use Audit Logs to monitor access

- https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
- Auditing is off until the API server is started with `--audit-policy-file` and `--audit-log-path` (or a webhook backend). The policy sets a level per rule (`None`, `Metadata`, `Request`, `RequestResponse`); keep secrets and configmaps at `Metadata` so their bodies never land in the log.

-------

# Other links :

- [SIG security - MoM](https://docs.google.com/document/d/170y5biX9k95hYRwprITprG6Mc9xD5glVn-4mB2Jmi2g/edit#heading=h.7hyo00ewips2)

- [Firecracker](https://firecracker-microvm.github.io/) for multi-tenancy, [Bottlerocket](https://aws.amazon.com/bottlerocket/) to reduce the attack surface, [audit2rbac](https://github.com/liggitt/audit2rbac) for generating RBAC roles

-------

# Disclaimer

> The given links are our assumptions and ideas - we neither have insights into the exam requirements, nor do we know what exactly it will look like. We are guessing about possibilities and trying to collect resources.


# License

[![License: CC BY-SA 4.0](https://licensebuttons.net/l/by-sa/4.0/80x15.png)](https://creativecommons.org/licenses/by-sa/4.0/)


# Stargazers over time

[![Stargazers over time](https://starchart.cc/abdennour/certified-kubernetes-security-specialist.svg)](https://starchart.cc/abdennour/certified-kubernetes-security-specialist)

--------------------------------------------------------------------------------
/docs/01-cluster-setup/CIS Benchmarks  _  Kubernetes Engine Documentation  _  Google Cloud.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdennour/certified-kubernetes-security-specialist/a856f0d93c2f00a07564460b843d8e0d8e95ba05/docs/01-cluster-setup/CIS Benchmarks  _  Kubernetes Engine Documentation  _  Google Cloud.pdf
--------------------------------------------------------------------------------
/docs/01-cluster-setup/CIS_Kubernetes_Benchmark_v1.5.1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdennour/certified-kubernetes-security-specialist/a856f0d93c2f00a07564460b843d8e0d8e95ba05/docs/01-cluster-setup/CIS_Kubernetes_Benchmark_v1.5.1.pdf
--------------------------------------------------------------------------------
/tutos/01-cluster-setup/02-c-cis-benchmark/using-dev-sec-cis-k8s.md:
--------------------------------------------------------------------------------
# Overview
About running https://github.com/dev-sec/cis-kubernetes-benchmark

# 1. install inspec
- For mac : `brew cask install chef/chef/inspec`
- For others: https://www.inspec.io/downloads/
- Validation: `inspec --version` (e.g. 4.21.3)


# 2. Exec profile

Run from the root of the cloned profile repository, on the node being audited (the controls read that host's component configuration files and process flags):

`inspec exec . --controls=cis-kubernetes-benchmark-1.1.2 cis-kubernetes-benchmark-1.3.5`
--------------------------------------------------------------------------------
/v1.19/CKS_Curriculum_ v1.19 Coming Soon November 2020.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdennour/certified-kubernetes-security-specialist/a856f0d93c2f00a07564460b843d8e0d8e95ba05/v1.19/CKS_Curriculum_ v1.19 Coming Soon November 2020.pdf
--------------------------------------------------------------------------------
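The "OS level security domains" section of the README above (PSP, OPA, security contexts), together with its AppArmor/seccomp and "immutability at runtime" items, all come down to rejecting pods whose spec lacks a handful of fields. Added example, not code from the repository or from any of the linked tools: an admission-style checker over a pod manifest in dict (JSON) form, enforcing a restricted profile of the kind a PodSecurityPolicy or a Gatekeeper constraint expresses. The allowed capability list and the accepted profile names are this example's policy choices, and both manifests are constructed.

```python
"""Admission-style check of a Pod manifest against a restricted security
profile: the rules a PodSecurityPolicy or an OPA/Gatekeeper constraint would
enforce before the pod is scheduled.

Added example, not the project's code. The manifest is handled as a dict (its
JSON form); the thresholds below are this example's policy choices."""

ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}
ALLOWED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}
APPARMOR_ANNOTATION = "container.apparmor.security.beta.kubernetes.io/"


def effective(pod_sc, ctr_sc, key):
    """For fields present at both levels (runAsNonRoot, seccompProfile, ...),
    the container-level securityContext wins over the pod-level one."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)


def check_pod(pod):
    """Returns the list of violations; an empty list means the pod is admitted."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    annotations = pod.get("metadata", {}).get("annotations", {})
    v = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):     # host namespaces break isolation
        if spec.get(flag):
            v.append(f"spec.{flag} must not be true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            v.append(f"volume {vol['name']!r} mounts a hostPath")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged"):
            v.append(f"{name}: privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation", True):       # the API default is true
            v.append(f"{name}: allowPrivilegeEscalation must be false")
        if effective(pod_sc, sc, "runAsNonRoot") is not True:
            v.append(f"{name}: runAsNonRoot must be true")
        if not sc.get("readOnlyRootFilesystem"):
            v.append(f"{name}: readOnlyRootFilesystem must be true (immutable container)")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            v.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add", [])) - ALLOWED_ADDED_CAPS
        if extra:
            v.append(f"{name}: adds disallowed capabilities {sorted(extra)}")
        seccomp = effective(pod_sc, sc, "seccompProfile") or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP_TYPES:
            v.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        profile = annotations.get(APPARMOR_ANNOTATION + name, "")
        if profile != "runtime/default" and not profile.startswith("localhost/"):
            v.append(f"{name}: no AppArmor profile ({APPARMOR_ANNOTATION}{name} annotation)")
    return v


# Constructed manifests for this example (not from the page).
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug", "namespace": "prod"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
        "containers": [{"name": "app", "image": "busybox",
                        "securityContext": {"privileged": True},
                        "volumeMounts": [{"name": "host-root", "mountPath": "/host"}]}]}}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api", "namespace": "prod",
                 "annotations": {APPARMOR_ANNOTATION + "app": "runtime/default"}},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "volumes": [{"name": "tmp", "emptyDir": {}}],
        "containers": [{"name": "app", "image": "registry.example.internal/team/api:1.4.2",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "readOnlyRootFilesystem": True,
                                            "capabilities": {"drop": ["ALL"],
                                                             "add": ["NET_BIND_SERVICE"]}},
                        "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]}]}}

if __name__ == "__main__":
    for pod in (BAD_POD, HARDENED_POD):
        print(pod["metadata"]["name"], check_pod(pod) or "admitted")
```

The pod-level versus container-level precedence in `effective` is the detail people get wrong when writing these policies by hand: a `runAsNonRoot: true` on the pod is silently overridden by a container that sets it to `false`, so a checker has to look at the merged value, exactly as the kubelet does.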
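For "whitelist allowed registries, sign and validate images" in the README above, the first decision an admission webhook has to make is where an image reference actually points, and Docker's reference grammar has enough implicit defaults (`docker.io`, `library/`) to get that wrong. Added example, not code from the repository or from OPA: a reference parser plus the registry allowlist and digest-pinning checks a webhook would apply to every container of a pod. `ALLOWED_REGISTRIES` and `SAMPLE_POD` are constructed for the example.

```python
"""Registry allowlist and digest-pinning check for container image references,
the check an admission webhook (an OPA/Gatekeeper constraint or an
ImagePolicyWebhook backend) applies to every container in a pod.

Added example, not the project's code. parse_image_ref follows Docker's
reference grammar: docker.io is the implicit registry and library/ the implicit
namespace of official images. ALLOWED_REGISTRIES is a constructed allowlist."""
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
ALLOWED_REGISTRIES = {"registry.example.internal", "gcr.io"}


def parse_image_ref(ref):
    """Split 'registry/repository[:tag][@digest]' into (registry, repository, tag, digest).
    The first path component is a registry only if it looks like a host (contains
    '.' or ':' or is 'localhost'), so 'myorg/app' means docker.io/myorg/app."""
    original = ref
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest in {original!r}")
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    colon = path.rfind(":")
    if colon > path.rfind("/"):            # a ':' inside the last component is the tag
        path, tag = path[:colon], path[colon + 1:]
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    return registry, path, tag, digest


def check_image(ref, allowed=ALLOWED_REGISTRIES):
    """Problems with one image reference; an empty list means it may be pulled."""
    registry, _repo, tag, digest = parse_image_ref(ref)
    problems = []
    if registry not in allowed:
        problems.append(f"registry {registry!r} is not in the allowlist")
    if digest is None:
        problems.append("not pinned by digest (a tag can be re-pushed with other content)")
        if tag in (None, "latest"):
            problems.append("floating 'latest' tag")
    return problems


def check_pod_images(pod, allowed=ALLOWED_REGISTRIES):
    """{container name: problems} over the init and regular containers of a pod dict."""
    spec = pod["spec"]
    return {c["name"]: check_image(c["image"], allowed)
            for c in spec.get("initContainers", []) + spec.get("containers", [])}


# Constructed manifest for this example (not from the page).
SAMPLE_POD = {
    "spec": {"initContainers": [{"name": "init", "image": "busybox"}],
             "containers": [{"name": "app",
                             "image": "registry.example.internal/team/app:1.4@sha256:" + "0" * 64}]}}

if __name__ == "__main__":
    for name, problems in check_pod_images(SAMPLE_POD).items():
        print(name, problems or "ok")
```

A signature check (Notary or another signer) sits behind the same parser: it needs the registry and repository to locate the signature and the digest to know what was signed, which is one more reason to reject references that carry no digest.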
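For "Use Audit Logs to monitor access" in the README above, and as the practical side of "Use Role Based Access Controls to minimize exposure" and the service-account item (deriving a Role from what a principal actually did is what the linked audit2rbac does): added example, not code from the repository or from audit2rbac. It reduces audit events to one record per request, raises findings for anonymous access, 403s, secret reads and `pods/exec`, and emits the minimal Role a service account needs from its successful requests. `SAMPLE_AUDIT_LINES` are constructed; the Event field names are the real `audit.k8s.io/v1` ones.

```python
"""Detection over API-server audit log lines (audit.k8s.io/v1 Event objects, one
JSON document per line) plus derivation of a least-privilege Role from what a
principal actually did, the idea behind audit2rbac. Added example, not the
project's code; SAMPLE_AUDIT_LINES are constructed, the field names are real."""
import json
from collections import defaultdict

SYSTEM_USER_PREFIXES = ("system:kube-", "system:apiserver", "system:node:")
EXEC_LIKE_SUBRESOURCES = {"exec", "attach", "portforward"}


def parse_audit_lines(lines):
    """One record per request: keep the ResponseComplete (or Panic) stage only;
    RequestReceived/ResponseStarted entries describe the same request again."""
    events = []
    for line in lines:
        if line.strip():
            ev = json.loads(line)
            if ev.get("kind") == "Event" and ev.get("stage") in ("ResponseComplete", "Panic"):
                events.append(ev)
    return events


def describe(ev):
    """'verb resource[/subresource] [in namespace]', or the URI for non-resource requests."""
    ref = ev.get("objectRef") or {}
    if not ref.get("resource"):
        return f"{ev.get('verb')} {ev.get('requestURI')}"
    target = ref["resource"] + (f"/{ref['subresource']}" if ref.get("subresource") else "")
    return f"{ev.get('verb')} {target}" + (f" in {ref['namespace']}" if ref.get("namespace") else "")


def detect(events):
    """(rule, user, what, status) tuples for access patterns worth an alert."""
    findings = []
    for ev in events:
        user = ev.get("user") or {}
        name = user.get("username", "")
        ref = ev.get("objectRef") or {}
        code = (ev.get("responseStatus") or {}).get("code", 0)
        what = describe(ev)
        if name == "system:anonymous" or "system:unauthenticated" in (user.get("groups") or []):
            findings.append(("anonymous-access", name, what, code))
        if code == 403:                       # denied requests: enumeration or a broken binding
            findings.append(("forbidden", name, what, code))
        if (ref.get("resource") == "secrets" and ev.get("verb") in ("get", "list", "watch")
                and code < 300 and not name.startswith(SYSTEM_USER_PREFIXES)):
            findings.append(("secret-read", name, what, code))
        if ref.get("subresource") in EXEC_LIKE_SUBRESOURCES and ev.get("verb") == "create":
            findings.append(("pod-exec", name, what, code))
    return findings


def minimal_role(events, username, namespace):
    """Role with exactly the (apiGroup, resource, verb) triples the principal used
    successfully in that namespace; 403s are what it tried, not what it needs."""
    needed = defaultdict(set)
    for ev in events:
        ref = ev.get("objectRef") or {}
        code = (ev.get("responseStatus") or {}).get("code", 0)
        if (ev.get("user") or {}).get("username") != username or ref.get("namespace") != namespace:
            continue
        if not 200 <= code < 300 or not ref.get("resource"):
            continue
        resource = ref["resource"] + (f"/{ref['subresource']}" if ref.get("subresource") else "")
        needed[(ref.get("apiGroup", ""), resource)].add(ev["verb"])   # core API group is ""
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
            "metadata": {"name": username.rsplit(":", 1)[-1] + "-minimal", "namespace": namespace},
            "rules": [{"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
                      for (g, r), v in sorted(needed.items())]}


def _event(stage, user, verb, code, uri, ref=None, groups=()):
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
                       "stage": stage, "verb": verb, "requestURI": uri, "objectRef": ref,
                       "user": {"username": user, "groups": list(groups)},
                       "responseStatus": {"code": code}})


APP_SA = "system:serviceaccount:prod:app"
SAMPLE_AUDIT_LINES = [   # constructed for this example, not a real cluster's log
    _event("RequestReceived", APP_SA, "list", 0, "/api/v1/namespaces/prod/configmaps",
           {"resource": "configmaps", "namespace": "prod"}),
    _event("ResponseComplete", APP_SA, "list", 200, "/api/v1/namespaces/prod/configmaps",
           {"resource": "configmaps", "namespace": "prod"}),
    _event("ResponseComplete", APP_SA, "get", 200, "/api/v1/namespaces/prod/secrets/db-creds",
           {"resource": "secrets", "namespace": "prod", "name": "db-creds"}),
    _event("ResponseComplete", APP_SA, "watch", 200, "/api/v1/namespaces/prod/pods?watch=true",
           {"resource": "pods", "namespace": "prod"}),
    _event("ResponseComplete", "system:anonymous", "get", 200, "/version", None, ["system:unauthenticated"]),
    _event("ResponseComplete", "system:anonymous", "list", 403, "/api/v1/namespaces/kube-system/secrets",
           {"resource": "secrets", "namespace": "kube-system"}, ["system:unauthenticated"]),
    _event("ResponseComplete", "alice", "create", 101, "/api/v1/namespaces/prod/pods/backend-1/exec?command=sh",
           {"resource": "pods", "namespace": "prod", "name": "backend-1", "subresource": "exec"}, ["developers"]),
    _event("ResponseComplete", "system:kube-controller-manager", "list", 200, "/api/v1/secrets",
           {"resource": "secrets"}),
]
```

Run as `python audit_check.py` after adding a `main` that feeds it a real `audit.log` (one JSON object per line, as written by `--audit-log-path`), or import it from a log pipeline. The generated Role for the `app` service account lists only `configmaps:list`, `pods:watch` and `secrets:get`; compare that with whatever binding it currently has, and note that the `secrets` read it legitimately performs is also the one the detection flags, which is the trade-off to decide on when tuning the `secret-read` rule.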