├── .github └── workflows │ └── validate-manifests.yml ├── .gitignore ├── LICENSE ├── README.adoc ├── app-a ├── ch02 │ ├── dashboard │ │ └── dashboard-observer-user.yaml │ └── network-policy │ │ └── deny-egress-external.yaml ├── ch03 │ ├── cluster-upgrade-version │ │ └── Vagrantfile │ ├── rbac-serviceaccount-disable-automount │ │ └── pod.yaml │ └── rbac-serviceaccount │ │ ├── clusterrole.yaml │ │ ├── pod.yaml │ │ └── rolebinding.yaml ├── ch04 │ ├── apparmor │ │ ├── Vagrantfile │ │ ├── pod-setup.sh │ │ └── pod.yaml │ ├── close-ports │ │ ├── Vagrantfile │ │ └── service-setup.sh │ ├── seccomp │ │ ├── Vagrantfile │ │ ├── pod-setup.sh │ │ └── pod.yaml │ └── sysctl │ │ └── pod.yaml ├── ch05 │ ├── gatekeeper │ │ ├── replica-limits-constraint-template.yaml │ │ └── replica-limits-constraint.yaml │ ├── gvisor │ │ ├── Vagrantfile │ │ ├── pod.yaml │ │ ├── runsc.sh │ │ └── runtime-class.yaml │ ├── psa │ │ ├── psa-namespace.yaml │ │ └── psa-pod.yaml │ └── securitycontext │ │ └── busybox-security-context.yaml ├── ch06 │ ├── container-image-footprint │ │ ├── after │ │ │ ├── Dockerfile │ │ │ ├── app.js │ │ │ └── package.json │ │ └── before │ │ │ ├── Dockerfile │ │ │ ├── app.js │ │ │ └── package.json │ ├── image-validation │ │ └── pod-validate-image.yaml │ ├── kubesec │ │ ├── after │ │ │ └── pod.yaml │ │ └── before │ │ │ └── pod.yaml │ ├── kyverno │ │ └── restrict-image-registries.yaml │ └── trivy │ │ └── setup.yaml ├── ch07 │ ├── audit-log │ │ ├── Vagrantfile │ │ ├── audit-policy-setup.sh │ │ └── audit-policy.yaml │ ├── falco │ │ ├── Vagrantfile │ │ ├── falco-install.sh │ │ └── pod-setup.sh │ └── immutable-container │ │ ├── immutable.yaml │ │ └── setup.yaml └── vagrant-scripts │ ├── common.sh │ ├── control-plane.sh │ └── worker.sh ├── app-b └── exam-review-guide.adoc ├── ch02 ├── dashboard │ ├── admin-user-clusterolebinding.yaml │ ├── admin-user-serviceaccount.yaml │ ├── restricted-user-clusterrole.yaml │ ├── restricted-user-clusterrolebinding.yaml │ └── restricted-user-serviceaccount.yaml ├── ingress │ ├── ingress.yaml │ ├── secret-tls.yaml │ └── setup.yaml ├── metadata-server │ └── network-policy.yaml └── network-policy │ ├── backend-ingress-network-policy.yaml │ ├── deny-all-ingress-network-policy.yaml │ └── setup.yaml ├── ch03 ├── rbac-serviceaccount │ ├── clusterrole.yaml │ ├── rolebinding.yaml │ └── setup.yaml └── serviceaccount-disable-automount │ ├── pod.yaml │ └── serviceaccount.yaml ├── ch04 ├── apparmor │ ├── k8s-deny-write │ └── pod.yaml └── seccomp │ ├── custom-profile │ ├── mkdir-violation.json │ └── pod.yaml │ └── runtime-default-profile │ └── pod.yaml ├── ch05 ├── gatekeeper │ ├── constraint-ns-labels.yaml │ ├── constraint-template-labels.yaml │ └── namespace-app-label.yaml ├── gvisor │ ├── pod.yaml │ └── runtimeclass.yaml ├── psa │ ├── psa-namespace.yaml │ ├── psa-non-violating-pod.yaml │ └── psa-violating-pod.yaml ├── secrets │ └── enc.yaml └── securitycontext │ ├── container-non-root-user-error.yaml │ ├── container-non-root-user-success.yaml │ ├── container-user-id.yaml │ ├── non-privileged.yaml │ └── privileged.yaml ├── ch06 ├── base-image-footprint │ ├── multi-stage-dockerfile │ │ ├── after │ │ │ ├── Dockerfile │ │ │ ├── calc │ │ │ │ ├── calc.go │ │ │ │ └── calc_test.go │ │ │ ├── go.mod │ │ │ ├── go.sum │ │ │ └── main.go │ │ └── before │ │ │ ├── Dockerfile │ │ │ ├── calc │ │ │ ├── calc.go │ │ │ └── calc_test.go │ │ │ ├── go.mod │ │ │ ├── go.sum │ │ │ └── main.go │ └── run-instruction-dockerfile │ │ ├── after │ │ └── Dockerfile │ │ └── before │ │ └── Dockerfile ├── image-validation-webhook │ ├── Dockerfile │ ├── README.md │ ├── certs │ │ ├── api-server-client.crt │ │ ├── api-server-client.csr │ │ ├── api-server-client.key │ │ ├── ca.crt │ │ ├── ca.key │ │ ├── ca.srl │ │ ├── extfile.cnf │ │ ├── image-validation-webhook.crt │ │ ├── image-validation-webhook.csr │ │ └── image-validation-webhook.key │ ├── gen-certs.sh │ ├── go.mod │ ├── main.go │ └── pod.yaml ├── static-analysis │ ├── dockerfile │ │ ├── optimized │ │ │ ├── Dockerfile │ │ │ └── main.go │ │ └── unoptimized │ │ │ ├── Dockerfile │ │ │ └── main.go │ └── kubernetes │ │ ├── pod-improved-kubesec-test.yaml │ │ └── pod-initial-kubesec-test.yaml └── supply-chain │ ├── image-digest │ ├── pod-invalid-image-digest.yaml │ └── pod-valid-image-digest.yaml │ └── whitelisting-registries │ ├── gatekeeper │ ├── allowed-repos-constraint-template.yaml │ └── gcr-allowed-repos-constraint.yaml │ └── imagepolicywebhook │ ├── image-policy-webhook-admission-configuration.yaml │ └── imagepolicywebhook.kubeconfig └── ch07 ├── audit-log └── audit-policy.yaml ├── falco ├── falco_rules.local.yaml └── falco_rules.yaml └── immutable-container └── read-only-filesystem-pod.yaml /.github/workflows/validate-manifests.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/.github/workflows/validate-manifests.yml -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/.gitignore -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/LICENSE -------------------------------------------------------------------------------- /README.adoc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/README.adoc -------------------------------------------------------------------------------- /app-a/ch02/dashboard/dashboard-observer-user.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch02/dashboard/dashboard-observer-user.yaml -------------------------------------------------------------------------------- /app-a/ch02/network-policy/deny-egress-external.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch02/network-policy/deny-egress-external.yaml -------------------------------------------------------------------------------- /app-a/ch03/cluster-upgrade-version/Vagrantfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch03/cluster-upgrade-version/Vagrantfile -------------------------------------------------------------------------------- /app-a/ch03/rbac-serviceaccount-disable-automount/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch03/rbac-serviceaccount-disable-automount/pod.yaml -------------------------------------------------------------------------------- /app-a/ch03/rbac-serviceaccount/clusterrole.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch03/rbac-serviceaccount/clusterrole.yaml -------------------------------------------------------------------------------- /app-a/ch03/rbac-serviceaccount/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch03/rbac-serviceaccount/pod.yaml -------------------------------------------------------------------------------- /app-a/ch03/rbac-serviceaccount/rolebinding.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch03/rbac-serviceaccount/rolebinding.yaml -------------------------------------------------------------------------------- /app-a/ch04/apparmor/Vagrantfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch04/apparmor/Vagrantfile -------------------------------------------------------------------------------- /app-a/ch04/apparmor/pod-setup.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch04/apparmor/pod-setup.sh -------------------------------------------------------------------------------- /app-a/ch04/apparmor/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch04/apparmor/pod.yaml -------------------------------------------------------------------------------- /app-a/ch04/close-ports/Vagrantfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch04/close-ports/Vagrantfile -------------------------------------------------------------------------------- /app-a/ch04/close-ports/service-setup.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch04/close-ports/service-setup.sh -------------------------------------------------------------------------------- /app-a/ch04/seccomp/Vagrantfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch04/seccomp/Vagrantfile -------------------------------------------------------------------------------- /app-a/ch04/seccomp/pod-setup.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch04/seccomp/pod-setup.sh -------------------------------------------------------------------------------- /app-a/ch04/seccomp/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch04/seccomp/pod.yaml -------------------------------------------------------------------------------- /app-a/ch04/sysctl/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch04/sysctl/pod.yaml -------------------------------------------------------------------------------- /app-a/ch05/gatekeeper/replica-limits-constraint-template.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch05/gatekeeper/replica-limits-constraint-template.yaml -------------------------------------------------------------------------------- /app-a/ch05/gatekeeper/replica-limits-constraint.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch05/gatekeeper/replica-limits-constraint.yaml -------------------------------------------------------------------------------- /app-a/ch05/gvisor/Vagrantfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch05/gvisor/Vagrantfile -------------------------------------------------------------------------------- /app-a/ch05/gvisor/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch05/gvisor/pod.yaml -------------------------------------------------------------------------------- /app-a/ch05/gvisor/runsc.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch05/gvisor/runsc.sh -------------------------------------------------------------------------------- /app-a/ch05/gvisor/runtime-class.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch05/gvisor/runtime-class.yaml -------------------------------------------------------------------------------- /app-a/ch05/psa/psa-namespace.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch05/psa/psa-namespace.yaml -------------------------------------------------------------------------------- /app-a/ch05/psa/psa-pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch05/psa/psa-pod.yaml -------------------------------------------------------------------------------- /app-a/ch05/securitycontext/busybox-security-context.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch05/securitycontext/busybox-security-context.yaml -------------------------------------------------------------------------------- /app-a/ch06/container-image-footprint/after/Dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch06/container-image-footprint/after/Dockerfile -------------------------------------------------------------------------------- /app-a/ch06/container-image-footprint/after/app.js: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch06/container-image-footprint/after/app.js -------------------------------------------------------------------------------- /app-a/ch06/container-image-footprint/after/package.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch06/container-image-footprint/after/package.json -------------------------------------------------------------------------------- /app-a/ch06/container-image-footprint/before/Dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch06/container-image-footprint/before/Dockerfile -------------------------------------------------------------------------------- /app-a/ch06/container-image-footprint/before/app.js: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch06/container-image-footprint/before/app.js -------------------------------------------------------------------------------- /app-a/ch06/container-image-footprint/before/package.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch06/container-image-footprint/before/package.json -------------------------------------------------------------------------------- /app-a/ch06/image-validation/pod-validate-image.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch06/image-validation/pod-validate-image.yaml -------------------------------------------------------------------------------- /app-a/ch06/kubesec/after/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch06/kubesec/after/pod.yaml -------------------------------------------------------------------------------- /app-a/ch06/kubesec/before/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch06/kubesec/before/pod.yaml -------------------------------------------------------------------------------- /app-a/ch06/kyverno/restrict-image-registries.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch06/kyverno/restrict-image-registries.yaml -------------------------------------------------------------------------------- /app-a/ch06/trivy/setup.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch06/trivy/setup.yaml -------------------------------------------------------------------------------- /app-a/ch07/audit-log/Vagrantfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch07/audit-log/Vagrantfile -------------------------------------------------------------------------------- /app-a/ch07/audit-log/audit-policy-setup.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch07/audit-log/audit-policy-setup.sh -------------------------------------------------------------------------------- /app-a/ch07/audit-log/audit-policy.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch07/audit-log/audit-policy.yaml -------------------------------------------------------------------------------- /app-a/ch07/falco/Vagrantfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch07/falco/Vagrantfile -------------------------------------------------------------------------------- /app-a/ch07/falco/falco-install.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch07/falco/falco-install.sh -------------------------------------------------------------------------------- /app-a/ch07/falco/pod-setup.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch07/falco/pod-setup.sh -------------------------------------------------------------------------------- /app-a/ch07/immutable-container/immutable.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch07/immutable-container/immutable.yaml -------------------------------------------------------------------------------- /app-a/ch07/immutable-container/setup.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/ch07/immutable-container/setup.yaml -------------------------------------------------------------------------------- /app-a/vagrant-scripts/common.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/vagrant-scripts/common.sh -------------------------------------------------------------------------------- /app-a/vagrant-scripts/control-plane.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/vagrant-scripts/control-plane.sh -------------------------------------------------------------------------------- /app-a/vagrant-scripts/worker.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-a/vagrant-scripts/worker.sh -------------------------------------------------------------------------------- /app-b/exam-review-guide.adoc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/app-b/exam-review-guide.adoc -------------------------------------------------------------------------------- /ch02/dashboard/admin-user-clusterolebinding.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch02/dashboard/admin-user-clusterolebinding.yaml -------------------------------------------------------------------------------- /ch02/dashboard/admin-user-serviceaccount.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch02/dashboard/admin-user-serviceaccount.yaml -------------------------------------------------------------------------------- /ch02/dashboard/restricted-user-clusterrole.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch02/dashboard/restricted-user-clusterrole.yaml -------------------------------------------------------------------------------- /ch02/dashboard/restricted-user-clusterrolebinding.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch02/dashboard/restricted-user-clusterrolebinding.yaml -------------------------------------------------------------------------------- /ch02/dashboard/restricted-user-serviceaccount.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch02/dashboard/restricted-user-serviceaccount.yaml -------------------------------------------------------------------------------- /ch02/ingress/ingress.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch02/ingress/ingress.yaml -------------------------------------------------------------------------------- /ch02/ingress/secret-tls.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch02/ingress/secret-tls.yaml -------------------------------------------------------------------------------- /ch02/ingress/setup.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch02/ingress/setup.yaml -------------------------------------------------------------------------------- /ch02/metadata-server/network-policy.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch02/metadata-server/network-policy.yaml -------------------------------------------------------------------------------- /ch02/network-policy/backend-ingress-network-policy.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch02/network-policy/backend-ingress-network-policy.yaml -------------------------------------------------------------------------------- /ch02/network-policy/deny-all-ingress-network-policy.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch02/network-policy/deny-all-ingress-network-policy.yaml -------------------------------------------------------------------------------- /ch02/network-policy/setup.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch02/network-policy/setup.yaml -------------------------------------------------------------------------------- /ch03/rbac-serviceaccount/clusterrole.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch03/rbac-serviceaccount/clusterrole.yaml -------------------------------------------------------------------------------- /ch03/rbac-serviceaccount/rolebinding.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch03/rbac-serviceaccount/rolebinding.yaml -------------------------------------------------------------------------------- /ch03/rbac-serviceaccount/setup.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch03/rbac-serviceaccount/setup.yaml -------------------------------------------------------------------------------- /ch03/serviceaccount-disable-automount/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch03/serviceaccount-disable-automount/pod.yaml -------------------------------------------------------------------------------- /ch03/serviceaccount-disable-automount/serviceaccount.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch03/serviceaccount-disable-automount/serviceaccount.yaml -------------------------------------------------------------------------------- /ch04/apparmor/k8s-deny-write: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch04/apparmor/k8s-deny-write -------------------------------------------------------------------------------- /ch04/apparmor/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch04/apparmor/pod.yaml -------------------------------------------------------------------------------- /ch04/seccomp/custom-profile/mkdir-violation.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch04/seccomp/custom-profile/mkdir-violation.json -------------------------------------------------------------------------------- /ch04/seccomp/custom-profile/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch04/seccomp/custom-profile/pod.yaml -------------------------------------------------------------------------------- /ch04/seccomp/runtime-default-profile/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch04/seccomp/runtime-default-profile/pod.yaml -------------------------------------------------------------------------------- /ch05/gatekeeper/constraint-ns-labels.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch05/gatekeeper/constraint-ns-labels.yaml -------------------------------------------------------------------------------- /ch05/gatekeeper/constraint-template-labels.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch05/gatekeeper/constraint-template-labels.yaml -------------------------------------------------------------------------------- /ch05/gatekeeper/namespace-app-label.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch05/gatekeeper/namespace-app-label.yaml -------------------------------------------------------------------------------- /ch05/gvisor/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch05/gvisor/pod.yaml -------------------------------------------------------------------------------- /ch05/gvisor/runtimeclass.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch05/gvisor/runtimeclass.yaml -------------------------------------------------------------------------------- /ch05/psa/psa-namespace.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch05/psa/psa-namespace.yaml -------------------------------------------------------------------------------- /ch05/psa/psa-non-violating-pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch05/psa/psa-non-violating-pod.yaml -------------------------------------------------------------------------------- /ch05/psa/psa-violating-pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch05/psa/psa-violating-pod.yaml -------------------------------------------------------------------------------- /ch05/secrets/enc.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch05/secrets/enc.yaml -------------------------------------------------------------------------------- /ch05/securitycontext/container-non-root-user-error.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch05/securitycontext/container-non-root-user-error.yaml -------------------------------------------------------------------------------- /ch05/securitycontext/container-non-root-user-success.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch05/securitycontext/container-non-root-user-success.yaml -------------------------------------------------------------------------------- /ch05/securitycontext/container-user-id.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch05/securitycontext/container-user-id.yaml -------------------------------------------------------------------------------- /ch05/securitycontext/non-privileged.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch05/securitycontext/non-privileged.yaml -------------------------------------------------------------------------------- /ch05/securitycontext/privileged.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch05/securitycontext/privileged.yaml -------------------------------------------------------------------------------- /ch06/base-image-footprint/multi-stage-dockerfile/after/Dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/base-image-footprint/multi-stage-dockerfile/after/Dockerfile -------------------------------------------------------------------------------- /ch06/base-image-footprint/multi-stage-dockerfile/after/calc/calc.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/base-image-footprint/multi-stage-dockerfile/after/calc/calc.go -------------------------------------------------------------------------------- /ch06/base-image-footprint/multi-stage-dockerfile/after/calc/calc_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/base-image-footprint/multi-stage-dockerfile/after/calc/calc_test.go -------------------------------------------------------------------------------- /ch06/base-image-footprint/multi-stage-dockerfile/after/go.mod: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/base-image-footprint/multi-stage-dockerfile/after/go.mod -------------------------------------------------------------------------------- /ch06/base-image-footprint/multi-stage-dockerfile/after/go.sum: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/base-image-footprint/multi-stage-dockerfile/after/go.sum -------------------------------------------------------------------------------- /ch06/base-image-footprint/multi-stage-dockerfile/after/main.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/base-image-footprint/multi-stage-dockerfile/after/main.go -------------------------------------------------------------------------------- /ch06/base-image-footprint/multi-stage-dockerfile/before/Dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/base-image-footprint/multi-stage-dockerfile/before/Dockerfile -------------------------------------------------------------------------------- /ch06/base-image-footprint/multi-stage-dockerfile/before/calc/calc.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/base-image-footprint/multi-stage-dockerfile/before/calc/calc.go -------------------------------------------------------------------------------- /ch06/base-image-footprint/multi-stage-dockerfile/before/calc/calc_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/base-image-footprint/multi-stage-dockerfile/before/calc/calc_test.go -------------------------------------------------------------------------------- /ch06/base-image-footprint/multi-stage-dockerfile/before/go.mod: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/base-image-footprint/multi-stage-dockerfile/before/go.mod -------------------------------------------------------------------------------- /ch06/base-image-footprint/multi-stage-dockerfile/before/go.sum: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/base-image-footprint/multi-stage-dockerfile/before/go.sum -------------------------------------------------------------------------------- /ch06/base-image-footprint/multi-stage-dockerfile/before/main.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/base-image-footprint/multi-stage-dockerfile/before/main.go -------------------------------------------------------------------------------- /ch06/base-image-footprint/run-instruction-dockerfile/after/Dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/base-image-footprint/run-instruction-dockerfile/after/Dockerfile -------------------------------------------------------------------------------- /ch06/base-image-footprint/run-instruction-dockerfile/before/Dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/base-image-footprint/run-instruction-dockerfile/before/Dockerfile -------------------------------------------------------------------------------- /ch06/image-validation-webhook/Dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/image-validation-webhook/Dockerfile -------------------------------------------------------------------------------- /ch06/image-validation-webhook/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/image-validation-webhook/README.md -------------------------------------------------------------------------------- /ch06/image-validation-webhook/certs/api-server-client.crt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/image-validation-webhook/certs/api-server-client.crt -------------------------------------------------------------------------------- /ch06/image-validation-webhook/certs/api-server-client.csr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/image-validation-webhook/certs/api-server-client.csr -------------------------------------------------------------------------------- /ch06/image-validation-webhook/certs/api-server-client.key: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/image-validation-webhook/certs/api-server-client.key -------------------------------------------------------------------------------- /ch06/image-validation-webhook/certs/ca.crt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/image-validation-webhook/certs/ca.crt -------------------------------------------------------------------------------- /ch06/image-validation-webhook/certs/ca.key: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/image-validation-webhook/certs/ca.key -------------------------------------------------------------------------------- /ch06/image-validation-webhook/certs/ca.srl: -------------------------------------------------------------------------------- 1 | CF3215B4542354AD 2 | -------------------------------------------------------------------------------- /ch06/image-validation-webhook/certs/extfile.cnf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/image-validation-webhook/certs/extfile.cnf -------------------------------------------------------------------------------- /ch06/image-validation-webhook/certs/image-validation-webhook.crt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/image-validation-webhook/certs/image-validation-webhook.crt -------------------------------------------------------------------------------- /ch06/image-validation-webhook/certs/image-validation-webhook.csr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/image-validation-webhook/certs/image-validation-webhook.csr -------------------------------------------------------------------------------- /ch06/image-validation-webhook/certs/image-validation-webhook.key: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/image-validation-webhook/certs/image-validation-webhook.key -------------------------------------------------------------------------------- /ch06/image-validation-webhook/gen-certs.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/image-validation-webhook/gen-certs.sh -------------------------------------------------------------------------------- /ch06/image-validation-webhook/go.mod: -------------------------------------------------------------------------------- 1 | module github.com/bmuschko/image-validation-webhook 2 | 3 | go 1.19 4 | -------------------------------------------------------------------------------- /ch06/image-validation-webhook/main.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/image-validation-webhook/main.go -------------------------------------------------------------------------------- /ch06/image-validation-webhook/pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/image-validation-webhook/pod.yaml -------------------------------------------------------------------------------- /ch06/static-analysis/dockerfile/optimized/Dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/static-analysis/dockerfile/optimized/Dockerfile -------------------------------------------------------------------------------- /ch06/static-analysis/dockerfile/optimized/main.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/static-analysis/dockerfile/optimized/main.go -------------------------------------------------------------------------------- /ch06/static-analysis/dockerfile/unoptimized/Dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/static-analysis/dockerfile/unoptimized/Dockerfile -------------------------------------------------------------------------------- /ch06/static-analysis/dockerfile/unoptimized/main.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/static-analysis/dockerfile/unoptimized/main.go -------------------------------------------------------------------------------- /ch06/static-analysis/kubernetes/pod-improved-kubesec-test.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/static-analysis/kubernetes/pod-improved-kubesec-test.yaml -------------------------------------------------------------------------------- /ch06/static-analysis/kubernetes/pod-initial-kubesec-test.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/static-analysis/kubernetes/pod-initial-kubesec-test.yaml -------------------------------------------------------------------------------- /ch06/supply-chain/image-digest/pod-invalid-image-digest.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/supply-chain/image-digest/pod-invalid-image-digest.yaml -------------------------------------------------------------------------------- /ch06/supply-chain/image-digest/pod-valid-image-digest.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/supply-chain/image-digest/pod-valid-image-digest.yaml -------------------------------------------------------------------------------- /ch06/supply-chain/whitelisting-registries/gatekeeper/allowed-repos-constraint-template.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/supply-chain/whitelisting-registries/gatekeeper/allowed-repos-constraint-template.yaml -------------------------------------------------------------------------------- /ch06/supply-chain/whitelisting-registries/gatekeeper/gcr-allowed-repos-constraint.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/supply-chain/whitelisting-registries/gatekeeper/gcr-allowed-repos-constraint.yaml -------------------------------------------------------------------------------- /ch06/supply-chain/whitelisting-registries/imagepolicywebhook/image-policy-webhook-admission-configuration.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/supply-chain/whitelisting-registries/imagepolicywebhook/image-policy-webhook-admission-configuration.yaml -------------------------------------------------------------------------------- /ch06/supply-chain/whitelisting-registries/imagepolicywebhook/imagepolicywebhook.kubeconfig: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch06/supply-chain/whitelisting-registries/imagepolicywebhook/imagepolicywebhook.kubeconfig -------------------------------------------------------------------------------- /ch07/audit-log/audit-policy.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch07/audit-log/audit-policy.yaml -------------------------------------------------------------------------------- /ch07/falco/falco_rules.local.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch07/falco/falco_rules.local.yaml -------------------------------------------------------------------------------- /ch07/falco/falco_rules.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch07/falco/falco_rules.yaml -------------------------------------------------------------------------------- /ch07/immutable-container/read-only-filesystem-pod.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bmuschko/cks-study-guide/HEAD/ch07/immutable-container/read-only-filesystem-pod.yaml --------------------------------------------------------------------------------