Kubernetes CKS

Cluster Setup - 10% #

Securing a Cluster #
  1. 使用网络安全策略来限制集群级别的访问 Use Network security policies to restrict cluster level access
  2. 使用CIS基准检查Kubernetes组件(etcd, kubelet, kubedns, kubeapi)的安全配置 Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
    • Kube-bench - Checks whether Kubernetes is deployed securely by running the checks documented ain the CIS Kubernetes Benchmark.
  3. 正确设置带有安全控制的Ingress对象 Properly set up Ingress objects with security control
  4. 保护节点元数据和端点 Protect node metadata and endpoints
Using Kubernetes network policy to restrict pods access to cloud metadata
  • This example assumes AWS cloud, and metadata IP address is 169.254.169.254 should be blocked while all other external addresses are not.
     apiVersion: networking.k8s.io/v1
     kind: NetworkPolicy
     metadata:
       name: deny-only-cloud-metadata-access
     spec:
       podSelector: {}
       policyTypes:
       - Egress
       egress:
       - to:
         - ipBlock:
           cidr: 0.0.0.0/0
           except:
           - 169.254.169.254/32
  1. 最小化GUI元素的使用和访问 Minimize use of, and access to, GUI elements

  2. 在部署之前验证平台二进制文件 Verify platform binaries before deploying

Kubernetes binaries can be verified by their digest **sha512 hash**
  • Checking the Kubernetes release page for the specific release
  • Checking the change log for the images and their digests

Cluster Hardening - 15% #

  1. 限制访问Kubernetes API Restrict access to Kubernetes API
  1. 使用基于角色的访问控制来最小化暴露 Use Role-Based Access Controls to minimize exposure
  2. 谨慎使用服务帐户,例如禁用默认设置,减少新创建帐户的权限 Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones
Opt out of automounting API credentials for a service account

Opt out at service account scope #

apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
automountServiceAccountToken: false

Opt out at pod scope #

apiVersion: v1
kind: Pod
metadata:
  name: cks-pod
spec:
  serviceAccountName: default
  automountServiceAccountToken: false
  1. 经常更新Kubernetes Update Kubernetes frequently

System Hardening - 15% #

  1. 最小化主机操作系统的大小(减少攻击面) Minimize host OS footprint (reduce attack surface)
Reduce host attack surface
  1. 最小化IAM角色 Minimize IAM roles
  2. 最小化对网络的外部访问 Minimize external access to the network
if it means deny external traffic to outside the cluster?!!
  • not tested, however, the thinking is that all pods can talk to all pods in all name spaces but not to the outside of the cluster!!!
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-external-egress
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
    to:
    - namespaceSelector: {}
  1. 适当使用内核强化工具,如AppArmor, seccomp Appropriately use kernel hardening tools such as AppArmor, seccomp

Minimize Microservice Vulnerabilities - 20% #

  1. 设置适当的OS级安全域,例如使用PSP, OPA,安全上下文 Setup appropriate OS-level security domains e.g. using PSP, OPA, security contexts
  2. 管理Kubernetes机密 Manage kubernetes secrets
  3. 在多租户环境中使用容器运行时 (例如gvisor, kata容器) Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers)
  4. 使用mTLS实现Pod对Pod加密 Implement pod to pod encryption by use of mTLS
  • check if service mesh is part of the CKS exam

Supply Chain Security - 20% #

  1. 最小化基本镜像大小 Minimize base image footprint

    Minimize base Image
  2. 保护您的供应链:将允许的注册表列入白名单,对镜像进行签名和验证 Secure your supply chain: whitelist allowed image registries, sign and validate images

  1. 使用用户工作负载的静态分析(例如kubernetes资源,Docker文件) Use static analysis of user workloads (e.g. kubernetes resources, docker files)
  2. 扫描镜像,找出已知的漏洞 Scan images for known vulnerabilities

Monitoring, Logging and Runtime Security - 20% #

  1. 在主机和容器级别执行系统调用进程和文件活动的行为分析,以检测恶意活动 Perform behavioural analytics of syscall process and file activities at the host and container level to detect malicious activities

  2. 检测物理基础架构,应用程序,网络,数据,用户和工作负载中的威胁 Detect threats within a physical infrastructure, apps, networks, data, users and workloads

  3. 检测攻击的所有阶段,无论它发生在哪里,如何扩散 Detect all phases of attack regardless where it occurs and how it spreads

    Attack Phases
  4. 对环境中的不良行为者进行深入的分析调查和识别 Perform deep analytical investigation and identification of bad actors within the environment

  5. 确保容器在运行时不变 Ensure immutability of containers at runtime

  6. 使用审计日志来监视访问 Use Audit Logs to monitor access