├── .gitignore
├── README.md
├── Resources.md
├── Scenarios.md
├── cluster-setup
    ├── latest
    │   ├── install_master.sh
    │   └── install_worker.sh
    ├── previous
    │   ├── install_master.sh
    │   └── install_worker.sh
    └── weave.yaml
└── course-content
    ├── cluster-setup
        ├── network-policies
        │   ├── default-deny
        │   │   ├── default-deny-allow-dns.yaml
        │   │   └── default-deny.yaml
        │   ├── frontend-backend-database
        │   │   ├── backend.yaml
        │   │   ├── cassandra-deny.yaml
        │   │   ├── cassandra.yaml
        │   │   └── frontend.yaml
        │   ├── frontend-backend
        │   │   ├── backend.yaml
        │   │   └── frontend.yaml
        │   └── merge-multiple
        │   │   └── merged.yaml
        ├── protect-node-metadata
        │   ├── np_cloud_metadata_allow.yaml
        │   └── np_cloud_metadata_deny.yaml
        └── secure-ingress
        │   ├── nginx-ingress-controller.yaml
        │   ├── secure-ingress-step1.yaml
        │   └── secure-ingress-step2.yaml
    ├── microservice-vulnerabilities
        └── container-runtimes
        │   └── gvisor
        │       ├── example.yaml
        │       └── install_gvisor.sh
    ├── opa
        ├── deny-all
        │   ├── all_pod_always_deny.yaml
        │   └── alwaysdeny_template.yaml
        ├── deployment-replica-count
        │   ├── all_deployment_must_have_min_replicacount.yaml
        │   └── k8sminreplicacount_template.yaml
        ├── gatekeeper.yaml
        └── namespace-labels
        │   ├── all_ns_must_have_cks.yaml
        │   ├── all_pod_must_have_cks.yaml
        │   └── k8srequiredlabels_template.yaml
    ├── runtime-security
        └── auditing
        │   ├── kube-apiserver_enable_auditing.yaml
        │   ├── policy_RequestReponse_of_secrets.yaml
        │   ├── policy_not_that_noisy.yaml
        │   └── policy_simple_everything.yaml
    ├── supply-chain-security
        ├── image-footprint
        │   ├── Dockerfile
        │   ├── app.go
        │   └── solution
        │   │   ├── Dockerfile1_multi_stage
        │   │   ├── Dockerfile2_package_versions
        │   │   ├── Dockerfile3_no_root
        │   │   ├── Dockerfile4_read_only_fs
        │   │   ├── Dockerfile5_no_shell_access
        │   │   └── app.go
        ├── scan-images-for-vulnerabilities
        │   └── clair
        │   │   └── clair_deploy.yaml
        ├── secure-the-supply-chain
        │   └── whitelist-registries
        │   │   ├── ImagePolicyWebhook
        │   │       ├── admission_config.yaml
        │   │       ├── apiserver-client-cert.pem
        │   │       ├── apiserver-client-key.pem
        │   │       ├── external-cert.pem
        │   │       ├── external-key.pem
        │   │       └── kubeconf
        │   │   └── opa
        │   │       ├── all_pod_must_have_trusted_images.yaml
        │   │       └── k8strustedimages_template.yaml
        └── static-analysis
        │   └── conftest
        │       ├── docker
        │           ├── Dockerfile
        │           ├── policy
        │           │   ├── base.rego
        │           │   └── commands.rego
        │           └── run.sh
        │       └── kubernetes
        │           ├── deploy.yaml
        │           ├── policy
        │               └── deployment.rego
        │           └── run.sh
    └── system-hardening
        └── kernel-hardening-tools
            ├── apparmor
                └── profile-docker-nginx
            └── seccomp
                └── profile-docker-nginx.json


/.gitignore:
--------------------------------------------------------------------------------
1 | .idea
2 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/README.md


--------------------------------------------------------------------------------
/Resources.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/Resources.md


--------------------------------------------------------------------------------
/Scenarios.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/Scenarios.md


--------------------------------------------------------------------------------
/cluster-setup/latest/install_master.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/cluster-setup/latest/install_master.sh


--------------------------------------------------------------------------------
/cluster-setup/latest/install_worker.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/cluster-setup/latest/install_worker.sh


--------------------------------------------------------------------------------
/cluster-setup/previous/install_master.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/cluster-setup/previous/install_master.sh


--------------------------------------------------------------------------------
/cluster-setup/previous/install_worker.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/cluster-setup/previous/install_worker.sh


--------------------------------------------------------------------------------
/cluster-setup/weave.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/cluster-setup/weave.yaml


--------------------------------------------------------------------------------
/course-content/cluster-setup/network-policies/default-deny/default-deny-allow-dns.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/cluster-setup/network-policies/default-deny/default-deny-allow-dns.yaml


--------------------------------------------------------------------------------
/course-content/cluster-setup/network-policies/default-deny/default-deny.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/cluster-setup/network-policies/default-deny/default-deny.yaml


--------------------------------------------------------------------------------
/course-content/cluster-setup/network-policies/frontend-backend-database/backend.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/cluster-setup/network-policies/frontend-backend-database/backend.yaml


--------------------------------------------------------------------------------
/course-content/cluster-setup/network-policies/frontend-backend-database/cassandra-deny.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/cluster-setup/network-policies/frontend-backend-database/cassandra-deny.yaml


--------------------------------------------------------------------------------
/course-content/cluster-setup/network-policies/frontend-backend-database/cassandra.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/cluster-setup/network-policies/frontend-backend-database/cassandra.yaml


--------------------------------------------------------------------------------
/course-content/cluster-setup/network-policies/frontend-backend-database/frontend.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/cluster-setup/network-policies/frontend-backend-database/frontend.yaml


--------------------------------------------------------------------------------
/course-content/cluster-setup/network-policies/frontend-backend/backend.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/cluster-setup/network-policies/frontend-backend/backend.yaml


--------------------------------------------------------------------------------
/course-content/cluster-setup/network-policies/frontend-backend/frontend.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/cluster-setup/network-policies/frontend-backend/frontend.yaml


--------------------------------------------------------------------------------
/course-content/cluster-setup/network-policies/merge-multiple/merged.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/cluster-setup/network-policies/merge-multiple/merged.yaml


--------------------------------------------------------------------------------
/course-content/cluster-setup/protect-node-metadata/np_cloud_metadata_allow.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/cluster-setup/protect-node-metadata/np_cloud_metadata_allow.yaml


--------------------------------------------------------------------------------
/course-content/cluster-setup/protect-node-metadata/np_cloud_metadata_deny.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/cluster-setup/protect-node-metadata/np_cloud_metadata_deny.yaml


--------------------------------------------------------------------------------
/course-content/cluster-setup/secure-ingress/nginx-ingress-controller.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/cluster-setup/secure-ingress/nginx-ingress-controller.yaml


--------------------------------------------------------------------------------
/course-content/cluster-setup/secure-ingress/secure-ingress-step1.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/cluster-setup/secure-ingress/secure-ingress-step1.yaml


--------------------------------------------------------------------------------
/course-content/cluster-setup/secure-ingress/secure-ingress-step2.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/cluster-setup/secure-ingress/secure-ingress-step2.yaml


--------------------------------------------------------------------------------
/course-content/microservice-vulnerabilities/container-runtimes/gvisor/example.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/microservice-vulnerabilities/container-runtimes/gvisor/example.yaml


--------------------------------------------------------------------------------
/course-content/microservice-vulnerabilities/container-runtimes/gvisor/install_gvisor.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/microservice-vulnerabilities/container-runtimes/gvisor/install_gvisor.sh


--------------------------------------------------------------------------------
/course-content/opa/deny-all/all_pod_always_deny.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/opa/deny-all/all_pod_always_deny.yaml


--------------------------------------------------------------------------------
/course-content/opa/deny-all/alwaysdeny_template.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/opa/deny-all/alwaysdeny_template.yaml


--------------------------------------------------------------------------------
/course-content/opa/deployment-replica-count/all_deployment_must_have_min_replicacount.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/opa/deployment-replica-count/all_deployment_must_have_min_replicacount.yaml


--------------------------------------------------------------------------------
/course-content/opa/deployment-replica-count/k8sminreplicacount_template.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/opa/deployment-replica-count/k8sminreplicacount_template.yaml


--------------------------------------------------------------------------------
/course-content/opa/gatekeeper.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/opa/gatekeeper.yaml


--------------------------------------------------------------------------------
/course-content/opa/namespace-labels/all_ns_must_have_cks.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/opa/namespace-labels/all_ns_must_have_cks.yaml


--------------------------------------------------------------------------------
/course-content/opa/namespace-labels/all_pod_must_have_cks.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/opa/namespace-labels/all_pod_must_have_cks.yaml


--------------------------------------------------------------------------------
/course-content/opa/namespace-labels/k8srequiredlabels_template.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/opa/namespace-labels/k8srequiredlabels_template.yaml


--------------------------------------------------------------------------------
/course-content/runtime-security/auditing/kube-apiserver_enable_auditing.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/runtime-security/auditing/kube-apiserver_enable_auditing.yaml


--------------------------------------------------------------------------------
/course-content/runtime-security/auditing/policy_RequestReponse_of_secrets.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/runtime-security/auditing/policy_RequestReponse_of_secrets.yaml


--------------------------------------------------------------------------------
/course-content/runtime-security/auditing/policy_not_that_noisy.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/runtime-security/auditing/policy_not_that_noisy.yaml


--------------------------------------------------------------------------------
/course-content/runtime-security/auditing/policy_simple_everything.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: audit.k8s.io/v1
2 | kind: Policy
3 | rules:
4 | - level: Metadata
5 | 


--------------------------------------------------------------------------------
/course-content/supply-chain-security/image-footprint/Dockerfile:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/supply-chain-security/image-footprint/Dockerfile


--------------------------------------------------------------------------------
/course-content/supply-chain-security/image-footprint/app.go:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/supply-chain-security/image-footprint/app.go


--------------------------------------------------------------------------------
/course-content/supply-chain-security/image-footprint/solution/Dockerfile1_multi_stage:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/supply-chain-security/image-footprint/solution/Dockerfile1_multi_stage


--------------------------------------------------------------------------------
/course-content/supply-chain-security/image-footprint/solution/Dockerfile2_package_versions:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/supply-chain-security/image-footprint/solution/Dockerfile2_package_versions


--------------------------------------------------------------------------------
/course-content/supply-chain-security/image-footprint/solution/Dockerfile3_no_root:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/supply-chain-security/image-footprint/solution/Dockerfile3_no_root


--------------------------------------------------------------------------------
/course-content/supply-chain-security/image-footprint/solution/Dockerfile4_read_only_fs:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/supply-chain-security/image-footprint/solution/Dockerfile4_read_only_fs


--------------------------------------------------------------------------------
/course-content/supply-chain-security/image-footprint/solution/Dockerfile5_no_shell_access:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/supply-chain-security/image-footprint/solution/Dockerfile5_no_shell_access


--------------------------------------------------------------------------------
/course-content/supply-chain-security/image-footprint/solution/app.go:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/supply-chain-security/image-footprint/solution/app.go


--------------------------------------------------------------------------------
/course-content/supply-chain-security/scan-images-for-vulnerabilities/clair/clair_deploy.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/supply-chain-security/scan-images-for-vulnerabilities/clair/clair_deploy.yaml


--------------------------------------------------------------------------------
/course-content/supply-chain-security/secure-the-supply-chain/whitelist-registries/ImagePolicyWebhook/admission_config.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/supply-chain-security/secure-the-supply-chain/whitelist-registries/ImagePolicyWebhook/admission_config.yaml


--------------------------------------------------------------------------------
/course-content/supply-chain-security/secure-the-supply-chain/whitelist-registries/ImagePolicyWebhook/apiserver-client-cert.pem:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/supply-chain-security/secure-the-supply-chain/whitelist-registries/ImagePolicyWebhook/apiserver-client-cert.pem


--------------------------------------------------------------------------------
/course-content/supply-chain-security/secure-the-supply-chain/whitelist-registries/ImagePolicyWebhook/apiserver-client-key.pem:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/supply-chain-security/secure-the-supply-chain/whitelist-registries/ImagePolicyWebhook/apiserver-client-key.pem


--------------------------------------------------------------------------------
/course-content/supply-chain-security/secure-the-supply-chain/whitelist-registries/ImagePolicyWebhook/external-cert.pem:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/supply-chain-security/secure-the-supply-chain/whitelist-registries/ImagePolicyWebhook/external-cert.pem


--------------------------------------------------------------------------------
/course-content/supply-chain-security/secure-the-supply-chain/whitelist-registries/ImagePolicyWebhook/external-key.pem:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/supply-chain-security/secure-the-supply-chain/whitelist-registries/ImagePolicyWebhook/external-key.pem


--------------------------------------------------------------------------------
/course-content/supply-chain-security/secure-the-supply-chain/whitelist-registries/ImagePolicyWebhook/kubeconf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/supply-chain-security/secure-the-supply-chain/whitelist-registries/ImagePolicyWebhook/kubeconf


--------------------------------------------------------------------------------
/course-content/supply-chain-security/secure-the-supply-chain/whitelist-registries/opa/all_pod_must_have_trusted_images.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/supply-chain-security/secure-the-supply-chain/whitelist-registries/opa/all_pod_must_have_trusted_images.yaml


--------------------------------------------------------------------------------
/course-content/supply-chain-security/secure-the-supply-chain/whitelist-registries/opa/k8strustedimages_template.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/supply-chain-security/secure-the-supply-chain/whitelist-registries/opa/k8strustedimages_template.yaml


--------------------------------------------------------------------------------
/course-content/supply-chain-security/static-analysis/conftest/docker/Dockerfile:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/supply-chain-security/static-analysis/conftest/docker/Dockerfile


--------------------------------------------------------------------------------
/course-content/supply-chain-security/static-analysis/conftest/docker/policy/base.rego:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/supply-chain-security/static-analysis/conftest/docker/policy/base.rego


--------------------------------------------------------------------------------
/course-content/supply-chain-security/static-analysis/conftest/docker/policy/commands.rego:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/supply-chain-security/static-analysis/conftest/docker/policy/commands.rego


--------------------------------------------------------------------------------
/course-content/supply-chain-security/static-analysis/conftest/docker/run.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/supply-chain-security/static-analysis/conftest/docker/run.sh


--------------------------------------------------------------------------------
/course-content/supply-chain-security/static-analysis/conftest/kubernetes/deploy.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/supply-chain-security/static-analysis/conftest/kubernetes/deploy.yaml


--------------------------------------------------------------------------------
/course-content/supply-chain-security/static-analysis/conftest/kubernetes/policy/deployment.rego:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/supply-chain-security/static-analysis/conftest/kubernetes/policy/deployment.rego


--------------------------------------------------------------------------------
/course-content/supply-chain-security/static-analysis/conftest/kubernetes/run.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/supply-chain-security/static-analysis/conftest/kubernetes/run.sh


--------------------------------------------------------------------------------
/course-content/system-hardening/kernel-hardening-tools/apparmor/profile-docker-nginx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/system-hardening/kernel-hardening-tools/apparmor/profile-docker-nginx


--------------------------------------------------------------------------------
/course-content/system-hardening/kernel-hardening-tools/seccomp/profile-docker-nginx.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/killer-sh/cks-course-environment/HEAD/course-content/system-hardening/kernel-hardening-tools/seccomp/profile-docker-nginx.json


--------------------------------------------------------------------------------