Certified Kubernetes Security Specialist (CKS)
Introduction
Course Introduction
Kubernetes has rapidly become a cornerstone of modern cloud computing, often hailed as the "Linux of the future." Today’s cutting-edge AI technologies, including ChatGPT and OpenAI, run on Kubernetes clusters. With the rapid growth in the AI industry, the demand for Kubernetes expertise is soaring. In fact, a recent survey by Indeed revealed that job searches for Kubernetes surged by over 173% compared to the previous year.
This article introduces the Certified Kubernetes Security Specialist (CKS) exam preparation course. My name is Mumshad Mannambeth and, together with Vijin Palazhi, we will be your guides throughout this course.
Kubernetes security is crucial since it manages containers distributed across multiple systems, making it an attractive target for attacks. By implementing robust security practices, you safeguard both your applications and operational integrity in dynamic cloud environments.
This course kicks off with engaging lectures that break down essential Kubernetes security concepts, supported by visual aids and animations.
You will also gain hands-on experience through interactive labs, reinforcing your learning with real-life scenarios that simulate the actual CKS exam environment. Our AI assistants act as expert guides in the labs—tracking your progress, clarifying questions, and providing actionable feedback. For instance, one lab task involves working with the Pod Security Admission namespace label:
pod-security.kubernetes.io/warn: baseline
Throughout the course, you'll encounter quizzes, enjoy the support of a dedicated Discord channel for Q&A, and receive valuable exam tips at every stage.
Pre-requisite
Before you dive into this course, please note that the CKS exam requires you to be a Certified Kubernetes Administrator (CKA). If you haven't completed that course or need to strengthen your foundational skills, consider starting with our beginner courses such as Kubernetes for the Absolute Beginners - Hands-on Tutorial, Docker Training Course for the Absolute Beginner, or DevOps Pre-Requisite Course.
Course Structure and Key Topics
This course is meticulously structured to align with the CKS exam objectives, emphasizing both theoretical knowledge and practical security measures through real-world scenarios.
1. Exploring the Kubernetes Attack Surface
We begin by examining how various components of Kubernetes clusters can be exploited. This section introduces the four C’s of cloud-native security: cloud, clusters, containers, and code—providing a narrative that sets the stage for deeper exploration into security challenges.
2. Hardening Your Kubernetes Cluster
In this segment, you will discover essential strategies to secure your Kubernetes clusters. Topics include:
- Implementing CIS Benchmarks
- Configuring Kubernetes authentication and authorization
- Managing Service Accounts effectively
- Utilizing TLS certificates and safeguarding node metadata
- Securing the Kubernetes dashboard
- Enforcing network policies
- Conducting secure cluster upgrades
3. Securing the Underlying System
Securing the host system is as important as securing Kubernetes itself. This section covers methods such as:
- Minimizing the OS footprint and restricting unauthorized access
- Implementing SSH hardening and managing Linux privilege escalation
Editing the SSH daemon configuration to disable root login and password authentication:
vi /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
Running a privileged command as an unprivileged user fails until sudo is used:
apt install nginx
E: Could not open lock file /var/lib/dpkg/lock-frontend - open (13: Permission denied)
E: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), are you root?
sudo apt install nginx
[sudo] password for michael:
- Restricting kernel modules and securing open ports
- Using firewalls, enforcing Seccomp for system call restrictions, and leveraging mandatory access control tools like AppArmor to confine what each program may access. Checking that AppArmor is enabled and listing the loaded profiles with their modes:
cat /sys/module/apparmor/parameters/enabled
Y
cat /sys/kernel/security/apparmor/profiles
docker-default (enforce)
/usr/sbin/tcpdump (enforce)
/usr/sbin/ntpd (enforce)
/usr/lib/snapd/snap-confine (enforce)
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper (enforce)
/usr/lib/conman/scripts/dhclient-script (enforce)
/usr/lib/NetworkManager/nm-dhcp-helper (enforce)
/usr/lib/NetworkManager/nm-dhcp-client.action (enforce)
/sbin/dhclient (enforce)
man_groff (enforce)
man_filter (enforce)
/usr/bin/man (enforce)
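As an added example (not part of the course material), the following Python audits the two sshd_config settings and parses the AppArmor profile listing shown above. The sshd_config excerpt and the profile list are constructed samples standing in for /etc/ssh/sshd_config and /sys/kernel/security/apparmor/profiles, and the function names are my own.

```python
import re

# Constructed sshd_config excerpt for a hypothetical host; on a real host read
# /etc/ssh/sshd_config instead. Note the commented-out directive is ignored.
SAMPLE_SSHD_CONFIG = """\
# Package generated configuration file
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

# Settings the course recommends, with the value expected after hardening.
REQUIRED_SSHD = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
}


def parse_sshd_config(text):
    """Return {keyword: value} for active directives (comments and blanks skipped).
    sshd keywords are case-insensitive and the FIRST occurrence wins, so later
    duplicates are ignored. Match blocks are not modelled here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd(text):
    """Return (keyword, found_value, expected_value) for every required setting
    that is missing or differs; a missing keyword falls back to sshd's compiled-in
    default, so it is reported as not explicitly hardened."""
    settings = parse_sshd_config(text)
    findings = []
    for key, expected in REQUIRED_SSHD.items():
        found = settings.get(key.lower())
        if found is None or found.lower() != expected:
            findings.append((key, found, expected))
    return findings


# Constructed listing in the format of /sys/kernel/security/apparmor/profiles;
# one profile is deliberately in complain mode so the audit has something to flag.
SAMPLE_APPARMOR_PROFILES = """\
docker-default (enforce)
/usr/sbin/tcpdump (enforce)
/usr/sbin/ntpd (complain)
/usr/lib/snapd/snap-confine (enforce)
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper (enforce)
/sbin/dhclient (enforce)
"""

# Each line is "<profile name> (<mode>)"; mode is enforce, complain, etc.
PROFILE_LINE = re.compile(r"^(?P<name>\S+) \((?P<mode>[^)]+)\)$")


def parse_apparmor_profiles(text):
    """Return {profile_name: mode} from the kernel's profile listing."""
    profiles = {}
    for line in text.splitlines():
        match = PROFILE_LINE.match(line.strip())
        if match:
            profiles[match.group("name")] = match.group("mode")
    return profiles


def profiles_not_enforcing(text):
    """Profiles loaded but not enforcing (complain mode only logs, it does not block)."""
    return sorted(name for name, mode in parse_apparmor_profiles(text).items()
                  if mode != "enforce")


def apparmor_enabled(text):
    """True when /sys/module/apparmor/parameters/enabled reads 'Y'."""
    return text.strip() == "Y"


if __name__ == "__main__":
    print("sshd findings:", audit_sshd(SAMPLE_SSHD_CONFIG))
    print("AppArmor enabled:", apparmor_enabled("Y\n"))
    print("non-enforcing profiles:", profiles_not_enforcing(SAMPLE_APPARMOR_PROFILES))
```

Running the script against the constructed samples reports both sshd settings as still permissive and /usr/sbin/ntpd as the only profile not in enforce mode; point the functions at the real files to audit a node.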
4. Reducing Vulnerabilities in Microservices
This section outlines techniques to protect microservices, including:
- Managing Admission Controllers
- Implementing Pod Security Standards
- Utilizing tools like the Open Policy Agent (OPA)
You’ll work with example configurations such as:
# pod.yaml
# Deliberately insecure: a privileged container running as root, with an extra
# capability and a hostPath mount. The policy below is meant to reject it.
apiVersion: v1
kind: Pod
metadata:
  name: sample-pod
spec:
  containers:
    - name: ubuntu
      image: ubuntu
      command: ["sleep", "3600"]
      securityContext:
        privileged: true
        runAsUser: 0
        capabilities:
          add: ["CAP_SYS_BOOT"]   # Kubernetes docs list capabilities without the CAP_ prefix (SYS_BOOT)
  volumes:
    - name: data-volume
      hostPath:
        path: /data
        type: Directory
# psp.yaml
# PodSecurityPolicy was removed in Kubernetes v1.25; Pod Security Admission replaces it.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example-psp
spec:
  privileged: false   # rejects the privileged container in pod.yaml
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
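As an added example (not course code), the following Python checks a Pod manifest against the Pod Security Standards baseline and restricted profiles, the profiles Pod Security Admission enforces in place of PodSecurityPolicy. It is written from the published PSS rules, not from the admission controller's source. SAMPLE_POD is the pod.yaml above expressed as a Python dict (load a real manifest with yaml.safe_load); HARDENED_POD is a constructed manifest that passes the restricted profile, and the function names are my own.

```python
# The page's pod.yaml, expressed as a dict.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "sample-pod"},
    "spec": {
        "containers": [{"name": "ubuntu", "image": "ubuntu", "command": ["sleep", "3600"],
                        "securityContext": {"privileged": True, "runAsUser": 0,
                                            "capabilities": {"add": ["CAP_SYS_BOOT"]}}}],
        "volumes": [{"name": "data-volume",
                     "hostPath": {"path": "/data", "type": "Directory"}}],
    },
}

# Constructed manifest that satisfies the restricted profile.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hardened-pod"},
    "spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "app", "image": "nginx",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "capabilities": {"drop": ["ALL"]}}}],
    },
}

# Capabilities the baseline profile allows containers to add.
BASELINE_ALLOWED_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}


def _cap(name):
    """Kubernetes lists capabilities without the CAP_ prefix; accept either form."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def _containers(spec):
    """Every container type is subject to the policy, not just spec.containers."""
    for field in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(field, [])


def baseline_violations(pod):
    """Baseline: no host namespaces, no hostPath, no privileged, no extra capabilities."""
    spec = pod["spec"]
    found = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            found.append(f"spec.{key} is true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(f"volume {vol['name']} mounts hostPath {vol['hostPath'].get('path')}")
    for c in _containers(spec):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            found.append(f"container {c['name']} is privileged")
        bad = sorted({_cap(x) for x in sc.get("capabilities", {}).get("add", [])}
                     - BASELINE_ALLOWED_CAPS)
        if bad:
            found.append(f"container {c['name']} adds capabilities {bad}")
    return found


def restricted_violations(pod):
    """Restricted: baseline plus non-root, no privilege escalation, drop ALL, seccomp."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    found = baseline_violations(pod)
    for c in _containers(spec):
        sc = c.get("securityContext", {})  # container-level fields override pod-level ones
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if non_root is not True or uid == 0:
            found.append(f"container {c['name']} may run as root")
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"container {c['name']} must set allowPrivilegeEscalation: false")
        caps = sc.get("capabilities", {})
        if "ALL" not in {x.upper() for x in caps.get("drop", [])}:
            found.append(f"container {c['name']} must drop ALL capabilities")
        # Of the baseline-allowed capabilities, restricted permits adding only NET_BIND_SERVICE
        extra = [x for x in map(_cap, caps.get("add", []))
                 if x in BASELINE_ALLOWED_CAPS and x != "NET_BIND_SERVICE"]
        if extra:
            found.append(f"container {c['name']} may only add NET_BIND_SERVICE, not {extra}")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            found.append(f"container {c['name']} needs a RuntimeDefault or Localhost seccomp profile")
    return found
```

Against the sample pod the baseline check reports the hostPath volume, the privileged flag and the SYS_BOOT capability; the restricted check adds the root user, missing allowPrivilegeEscalation: false, missing drop ALL and missing seccomp profile, which is the list of fields the hardened manifest sets. Capabilities are evaluated per container, and a value set at the container level overrides the pod-level securityContext, as in the real admission logic.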
Additional topics in this module include managing Kubernetes secrets, using container runtime sandboxes, and implementing mTLS for secure pod-to-pod encryption.
5. Securing the Software Supply Chain
Securing your software supply chain is critical for maintaining a robust security posture. In this module, you will learn best practices such as:
- Minimizing base image sizes
- Scanning container images for vulnerabilities
- Analyzing workloads to ensure safe deployments
6. Runtime Security
The final section is dedicated to runtime security, focusing on behavioral analytics used to detect suspicious activity at both the host and container levels. You will explore tools like Falco that help establish a defense-in-depth strategy through threat detection and activity logging.
Hands-On Labs, Examples, and Exam Preparation
Every module of this course includes comprehensive hands-on labs and real-world examples to bolster your practical skills. The course concludes with a realistic mock exam designed to build your confidence and ensure you are exam-ready. Since the CKS exam is hands-on and permits referencing the official Kubernetes documentation, we also teach you how to navigate these resources efficiently to quickly locate critical information during the exam.
About KodeKloud
KodeKloud is a CNCF Silver member, a Certified Kubernetes Training Partner, and a CNCF Endorsed Content Provider. This certification is a significant milestone in your journey to become a true "Kubestronaut."
Let's get started—I'll see you in the first lecture.