```
├── .github
│   ├── ISSUE_TEMPLATE
│   │   └── add-or-modify-content-for-cks-exam.md
│   └── workflows
│       └── k8s-docs-link-check.yml
└── README.md
```

/.github/ISSUE_TEMPLATE/add-or-modify-content-for-cks-exam.md:

```markdown
---
name: Add or Modify Content for CKS Exam
about: Please describe what you want to add or modify.
title: "[CKS Content] - "
labels: ''
assignees: leandrocostam

---

#### Action

- [ ] Add
- [ ] Modify
- [ ] Remove
- [ ] Other

#### Section

- [ ] Introduction
- [ ] Exam
- [ ] CKS Curriculum
- [ ] CKS Preparation Courses
- [ ] kubectl Ninja
- [ ] CKS Tips
- [ ] Other

#### Describe
```

/.github/workflows/k8s-docs-link-check.yml:

```yaml
name: Check Kubernetes documentation links

on:
  push:
  schedule:
    - cron: '0 0 */15 * *'

jobs:
  markdown-link-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
        with:
          fetch-depth: 1
      - uses: gaurav-nelson/github-action-markdown-link-check@v1
```

/README.md:

![Check Kubernetes documentation links](https://github.com/leandrocostam/cks-preparation-guide/workflows/Check%20Kubernetes%20documentation%20links/badge.svg)

# Certified Kubernetes Security Specialist (CKS) - V1.26

The objective of this repository is to help you prepare for the Certified Kubernetes Security Specialist (CKS) exam using online resources, especially the [Kubernetes Official Documentation](https://kubernetes.io).
The references were selected for the [Exam Curriculum 1.26](https://github.com/cncf/curriculum/blob/67ee7f261b1d92d0049799be11f1da278807d150/CKS_Curriculum_%20v1.26.pdf), and they include specific information on API objects and annotations. For more information, please see the [CNCF Curriculum](https://github.com/cncf/curriculum/).

Please feel free to open a pull request if something is out of date, should be added, or contains wrong information or references.

There are other Kubernetes certification exam preparation guides available:

- [Certified Kubernetes Administrator (CKA) - Preparation Guide](https://github.com/leandrocostam/cka-preparation-guide)

# Exam

The exam is hands-on: you are given a set of problems to fix within 120 minutes.

My tip: Spend your time wisely. Use the Notebook feature (provided in the exam's UI) to keep track of your progress: take notes on each question and add annotations that help you. Additionally, don't get stuck; move on to the next problem and come back to it once you have finished all the others.

Exam Cost: $375, which includes one free retake.

It's important to mention that you have access to the [Kubernetes Official Documentation](https://kubernetes.io) during the exam. So get familiar with the online documentation and know where to find each of the topics listed below; it will help you during the exam.

For information about the exam, please refer to the [Certified Kubernetes Security Specialist (CKS) Program](https://www.cncf.io/certification/cks/).

# CKS Curriculum

The exam objectives outline the knowledge, skills and abilities that a Certified Kubernetes Security Specialist (CKS) is expected to demonstrate.
## Cluster Setup (10%)

- Use Network security policies to restrict cluster level access

  - [Kubernetes Documentation > Concepts > Services, Load Balancing, and Networking > Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/)

- Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)

  - [CIS Security > Securing Kubernetes](https://www.cisecurity.org/benchmark/kubernetes)
  - [Cloud Native Wiki - CIS Benchmark Best Practices](https://www.aquasec.com/cloud-native-academy/kubernetes-in-production/kubernetes-cis-benchmark-best-practices-in-brief/)
  - [GitHub > Aqua Security > kube-bench](https://github.com/aquasecurity/kube-bench)

- Properly set up Ingress objects with security control

  - [Kubernetes Documentation > Concepts > Services, Load Balancing, and Networking > Ingress > TLS](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls)

- Protect node metadata and endpoints

  - [Kubernetes Documentation > Tasks > Administer a Cluster > Securing a Cluster](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/#restricting-cloud-metadata-api-access)

  ```yaml
  # Deny egress from every pod in the namespace to the cloud metadata endpoint;
  # all other egress destinations stay reachable.
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: cloud-metadata-deny
    namespace: default
  spec:
    podSelector: {}
    policyTypes:
    - Egress
    egress:
    - to:
      - ipBlock:
          cidr: 0.0.0.0/0
          except:
          - 169.254.169.254/32
  ```

- Minimize use of, and access to, GUI elements

  - [Kubernetes Documentation > Tasks > Access Applications in a Cluster > Deploy and Access the Kubernetes Dashboard](https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/#accessing-the-dashboard-ui)

- Verify platform binaries before deploying

  - [Kubernetes Documentation > Tasks > Install Tools > Install and Set Up kubectl on Linux](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/)

  > Note: Check step 2, validate the binary (compare the downloaded binary against its published checksum).

## Cluster Hardening (15%)

- Restrict access to Kubernetes API

  - [Kubernetes Documentation > Concepts > Security > Controlling Access to the Kubernetes API](https://kubernetes.io/docs/concepts/security/controlling-access/)

- Use Role Based Access Controls to minimize exposure

  - [Kubernetes Documentation > Reference > API Access Control > Using RBAC Authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)

- Exercise caution in using service accounts, e.g. disable defaults, minimize permissions on newly created ones

  - [Kubernetes Documentation > Reference > API Access Control > Managing Service Accounts](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/)

- Update Kubernetes frequently

  - [Kubernetes Documentation > Tasks > Administer a Cluster > Upgrade A Cluster](https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/)

## System Hardening (15%)

- Minimize host OS footprint (reduce attack surface)

  - Remove unnecessary packages
  - Identify and address open ports
  - Shut down any unnecessary services

- Minimize IAM roles

  - [AWS > Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
  - [GCP - Using IAM securely](https://cloud.google.com/iam/docs/using-iam-securely)
  - [Azure > Best practices for Azure RBAC](https://docs.microsoft.com/en-us/azure/role-based-access-control/best-practices)

- Minimize external access to the network

  - [Kubernetes Documentation > Concepts > Services, Load Balancing, and Networking > Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/)

- Appropriately use kernel hardening tools such as AppArmor and seccomp

  - [Kubernetes Documentation > Tutorials > Security > Restrict a Container's Access to Resources with AppArmor](https://kubernetes.io/docs/tutorials/security/apparmor/)
  - [Kubernetes Documentation > Tutorials > Security > Restrict a Container's Syscalls with seccomp](https://kubernetes.io/docs/tutorials/security/seccomp/)
  - [AppArmor Documentation](https://gitlab.com/apparmor/apparmor/-/wikis/Documentation)

## Minimize Microservice Vulnerabilities (20%)

- Set up appropriate OS level security domains, e.g. using PSP, OPA, security contexts

  - [Kubernetes Documentation > Concepts > Security > Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/#what-is-a-pod-security-policy)
  - [Kubernetes Blog > OPA Gatekeeper: Policy and Governance for Kubernetes](https://kubernetes.io/blog/2019/08/06/opa-gatekeeper-policy-and-governance-for-kubernetes/)
  - [Kubernetes Documentation > Tasks > Configure Pods and Containers > Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)

- Manage Kubernetes secrets

  - [Kubernetes Documentation > Concepts > Configuration > Secrets](https://kubernetes.io/docs/concepts/configuration/secret/)

- Use container runtime sandboxes in multi-tenant environments (e.g. gVisor, Kata Containers)

  - [Kubernetes Documentation > Concepts > Security > Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/#what-about-sandboxed-pods)
  - [Kubernetes Documentation > Concepts > Containers > Runtime Class](https://kubernetes.io/docs/concepts/containers/runtime-class/)
  - [gVisor](https://gvisor.dev/docs/user_guide/quick_start/kubernetes/)
  - [Kata Containers](https://katacontainers.io/)

- Implement pod to pod encryption by use of mTLS

  - [Kubernetes Documentation > Concepts > Services, Load Balancing, and Networking > Ingress > TLS](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls)

## Supply Chain Security (20%)

- Minimize base image footprint

  - Remove exploitable and non-essential software
  - Use multi-stage Dockerfiles to keep software compilation out of runtime images
  - Never bake any secrets into your images
  - Image scanning

- Secure your supply chain: whitelist allowed image registries, sign and validate images

  - [Kubernetes Documentation > Reference > API Access Control > Using Admission Controllers > ImagePolicyWebhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook)

- Use static analysis of user workloads (e.g. Kubernetes resources, Dockerfiles)

  - Secure base images
  - Remove unnecessary packages
  - Stop containers from using elevated privileges

- Scan images for known vulnerabilities

  - [Trivy](https://github.com/aquasecurity/trivy)

## Monitoring, Logging and Runtime Security (20%)

- Perform behavioral analytics of syscall, process and file activities at the host and container level to detect malicious activities

  - [Falco](https://falco.org/docs/)

- Detect threats within physical infrastructure, apps, networks, data, users and workloads

- Detect all phases of attack regardless of where it occurs and how it spreads

  - [Protecting Kubernetes Against MITRE ATT&CK](https://cloud.redhat.com/blog/protecting-kubernetes-against-mitre-attck-initial-access)

- Perform deep analytical investigation and identification of bad actors within the environment

  - [Kubernetes Documentation > Tasks > Monitoring, Logging, and Debugging > Auditing](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/)

- Ensure immutability of containers at runtime

  - [Kubernetes Documentation > Concepts > Containers](https://kubernetes.io/docs/concepts/containers/)
  - [Kubernetes Documentation > Tasks > Configure Pods and Containers > Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)

  > `readOnlyRootFilesystem`: Mounts the container's root filesystem as read-only

- Use Audit Logs to monitor access

  - [Kubernetes Documentation > Tasks > Monitoring, Logging, and Debugging > Auditing](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/)

# CKS Preparation Courses

- [Certified Kubernetes Security Specialist (CKS) - A Cloud Guru (formerly Linux Academy)](https://acloudguru.com/course/certified-kubernetes-security-specialist-cks)
- [KodeKloud - Certified Kubernetes Security Specialist (CKS)](https://kodekloud.com/courses/certified-kubernetes-security-specialist-cks/)

# kubectl Ninja

Tip: Use the [kubectl Cheatsheet](https://kubernetes.io/docs/reference/kubectl/cheatsheet/) during the exam. You don't need to memorize everything.

# Practice

Practice a lot with Kubernetes:

- [Killer.sh - CKS Simulator](https://killer.sh/cks)

# CKS Tips

Some links with tips that might help you, from different perspectives on the CKS exam.

- [CKS Exam Guide and Tips](https://devopscube.com/cks-exam-guide-tips/)
- [How to pass CKS — Kubernetes Security Specialist exam](https://arekborucki.medium.com/how-to-pass-cks-certified-kubernetes-security-exam-part-1-347e0c48dd32)
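Several curriculum items above (security contexts, seccomp and AppArmor, service account caution, and `readOnlyRootFilesystem` for runtime immutability) come together in one Pod manifest. The following is an added example written for this guide, not a manifest from the Kubernetes documentation or the original repository; the pod name, image reference and UID are placeholders, and the AppArmor annotation form is the one used by Kubernetes v1.26.

```yaml
# Added example: a Pod that applies the CKS hardening items in one spec.
# Names, image and UID are placeholders chosen for illustration.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app                      # placeholder name
  namespace: default
  annotations:
    # AppArmor (v1.26 form): confine the "app" container with the runtime's default profile
    container.apparmor.security.beta.kubernetes.io/app: runtime/default
spec:
  # No API-server token in the pod unless the application really calls the API
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true                    # kubelet refuses to start the container as UID 0
    runAsUser: 10001                      # placeholder non-root UID
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault                # container runtime's default syscall filter
  containers:
    - name: app
      image: registry.example.com/app:1.0.0   # placeholder; pin by digest in practice
      securityContext:
        readOnlyRootFilesystem: true      # immutability: no writes to the image filesystem
        allowPrivilegeEscalation: false   # setuid binaries cannot gain extra privileges
        privileged: false
        capabilities:
          drop: ["ALL"]                   # re-add only what is needed, e.g. NET_BIND_SERVICE
      volumeMounts:
        - name: tmp
          mountPath: /tmp                 # explicit scratch space; the root fs is read-only
  volumes:
    - name: tmp
      emptyDir: {}
```

With the root filesystem read-only, any path the application must write to (logs, caches, sockets) needs its own volume like the `/tmp` mount above, otherwise the container fails at runtime rather than at admission.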