Cluster Setup - 10% #
Securing a Cluster #
- 使用网络安全策略来限制集群级别的访问 Use Network security policies to restrict cluster level access
- 使用CIS基准检查Kubernetes组件(etcd, kubelet, kubedns, kubeapi)的安全配置
Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
- Kube-bench - Checks whether Kubernetes is deployed securely by running the checks documented ain the CIS Kubernetes Benchmark.
- 正确设置带有安全控制的Ingress对象 Properly set up Ingress objects with security control
- 保护节点元数据和端点 Protect node metadata and endpoints
Using Kubernetes network policy to restrict pods access to cloud metadata
- This example assumes AWS cloud, and metadata IP address is 169.254.169.254 should be blocked while all other external addresses are not.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-only-cloud-metadata-access
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- ipBlock:
cidr: 0.0.0.0/0
except:
- 169.254.169.254/32
-
最小化GUI元素的使用和访问 Minimize use of, and access to, GUI elements
-
在部署之前验证平台二进制文件 Verify platform binaries before deploying
Kubernetes binaries can be verified by their digest **sha512 hash**
- Checking the Kubernetes release page for the specific release
- Checking the change log for the images and their digests
Cluster Hardening - 15% #
- 限制访问Kubernetes API Restrict access to Kubernetes API
- 使用基于角色的访问控制来最小化暴露 Use Role-Based Access Controls to minimize exposure
- 谨慎使用服务帐户,例如禁用默认设置,减少新创建帐户的权限 Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones
Opt out of automounting API credentials for a service account
Opt out at service account scope #
apiVersion: v1
kind: ServiceAccount
metadata:
name: build-robot
automountServiceAccountToken: false
Opt out at pod scope #
apiVersion: v1
kind: Pod
metadata:
name: cks-pod
spec:
serviceAccountName: default
automountServiceAccountToken: false
- 经常更新Kubernetes Update Kubernetes frequently
System Hardening - 15% #
- 最小化主机操作系统的大小(减少攻击面) Minimize host OS footprint (reduce attack surface)
Reduce host attack surface
- seccomp which stands for secure computing was originally intended as a means of safely running untrusted compute-bound programs
- AppArmor can be configured for any application to reduce its potential host attack surface and provide greater in-depth defense.
- PSP enforces PodSecurityPolicy is deprecated as of Kubernetes v1.21, and will be removed in v1.25. We recommend migrating to Pod Security Admission.
- Apply host updates
- Install minimal required OS fingerprint
- Identify and address open ports
- Remove unnecessary packages
- Protect access to data with permissions
- 最小化IAM角色 Minimize IAM roles
- 最小化对网络的外部访问 Minimize external access to the network
if it means deny external traffic to outside the cluster?!!
- not tested, however, the thinking is that all pods can talk to all pods in all name spaces but not to the outside of the cluster!!!
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-external-egress
spec:
podSelector: {}
policyTypes:
- Egress
egress:
to:
- namespaceSelector: {}
- 适当使用内核强化工具,如AppArmor, seccomp Appropriately use kernel hardening tools such as AppArmor, seccomp
Minimize Microservice Vulnerabilities - 20% #
- 设置适当的OS级安全域,例如使用PSP, OPA,安全上下文 Setup appropriate OS-level security domains e.g. using PSP, OPA, security contexts
- 管理Kubernetes机密 Manage kubernetes secrets
- 在多租户环境中使用容器运行时 (例如gvisor, kata容器) Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers)
- 使用mTLS实现Pod对Pod加密 Implement pod to pod encryption by use of mTLS
- check if service mesh is part of the CKS exam
Supply Chain Security - 20% #
-
最小化基本镜像大小 Minimize base image footprint
Minimize base Image
- Use distroless, UBI minimal, Alpine, or relavent to your app nodejs, python but the minimal build.
- Do not include uncessary software not required for container during runtime e.g build tools and utilities, troubleshooting and debug binaries.
-
保护您的供应链:将允许的注册表列入白名单,对镜像进行签名和验证 Secure your supply chain: whitelist allowed image registries, sign and validate images
- 使用用户工作负载的静态分析(例如kubernetes资源,Docker文件) Use static analysis of user workloads (e.g. kubernetes resources, docker files)
- 扫描镜像,找出已知的漏洞 Scan images for known vulnerabilities
Monitoring, Logging and Runtime Security - 20% #
-
在主机和容器级别执行系统调用进程和文件活动的行为分析,以检测恶意活动 Perform behavioural analytics of syscall process and file activities at the host and container level to detect malicious activities
-
检测物理基础架构,应用程序,网络,数据,用户和工作负载中的威胁 Detect threats within a physical infrastructure, apps, networks, data, users and workloads
-
检测攻击的所有阶段,无论它发生在哪里,如何扩散 Detect all phases of attack regardless where it occurs and how it spreads
-
对环境中的不良行为者进行深入的分析调查和识别 Perform deep analytical investigation and identification of bad actors within the environment
-
确保容器在运行时不变 Ensure immutability of containers at runtime
-
使用审计日志来监视访问 Use Audit Logs to monitor access