skip to main content

Dec 20, 2020

CKS Certification Study Guide: System Hardening in Kubernetes

By: Michael Foster

Other Sections

This is the third installment in our six-part CKS Certification series. Don’t forget to check out all the posts in the series:

This blog references tools to set up a Kubernetes version 1.19 cluster and review the CKS - Cluster Setup section. There is the ability to create a Kubernetes cluster from our GitHub repository using Terraform and Rancher Kubernetes Engine (RKE) in Google Cloud Platform (GCP) or Amazon Web Services (AWS). This cluster environment will help to simulate a real Kubernetes environment instead of a local cluster. To get the cluster up and running, follow the readme.md that outlines what applications you will need and the repository’s general structure.

Section 3: System Hardening

The third section of our study guide focuses on minimizing the attack surface in the cluster as well as kernel access. The Linux Foundation course outline highlights the following core concepts in their course outline:

  1. Minimize host OS footprint (reduce attack surface)
  2. Minimize Identity and Access Management (IAM) roles
  3. Minimize external access to the network
  4. Appropriately use kernel hardening tools such as AppArmor or seccomp

This section takes up 15% of the total point total, and it is reasonable to assume 3–4 questions revolving around system hardening. Each of the questions will also need to be completed in about 5–6 minutes on average during the exam. Below is an overview of the various system hardening concepts that the CKS will highlight.

Core Concepts and Topics

Minimize host OS footprint (reduce attack surface)

Minimizing the surface area of attack on your workloads is always an important task. There are three main aspects of reducing the attack surface of your machines:

  • Remove unnecessary packages
  • Identify and address open ports
  • Shut down any unnecessary services

When applying this to the CKS exam, let’s review what is reasonable to expect as questions. It is improbable that a student will have to navigate the Ubuntu OS and remove packages during the exam. Instead, the CKS may ask a student to stop containers running with privileged permissions in the cluster. Also, CronJob and container exploitation are serious threats that the CKS may be trying to highlight.

Network Policies are the default network segmentation tool in Kubernetes. It is unlikely that students will have to use a tool like ufw to secure the host, although do not rule it out. Most likely, students will have to shut down exposed services and set up default deny rules inside Kubernetes namespaces to minimize network access.

The exam may also ask you to use admission controllers to limit what can and cannot be run in the cluster. Security contexts are used for multiple security aspects, such as setting process UIDs and not allowing write access to the container filesystem. Controllers such as SecurityContextDeny are useful tools for limiting the scope of pod processes as well.

Minimize IAM roles

Typically, IAM roles are referenced when talking about cloud providers. Although it is not apparent how this concept will manifest during the exam, students can be sure that minimizing access through role-based access control (RBAC) will be a consistent theme.

Minimize external access to the network

Minimizing external access is a small repetition of the first concept. Students may see the network policy implementation expand to include IP blocks and specific ingress and egress rules. Also, students may be required to investigate PodSecurityPolicies (PSP) that allow access to the host network or other privileges that may give a container elevated access. However, implementing PSPs during the exam is unlikely, considering that the feature will most likely be deprecated in version 1.21.

Appropriately use kernel hardening tools such as AppArmor and seccomp

The documentation for the CKS has changed in the past month, and it now allows students to access App Armor documentation during the exam. There is no link to seccomp documentation, but seccomp profiles have been a GA feature since 1.19.

There is concern over how these concepts will be implemented during the exam. There is a lot of documentation to sift through, and a question on AppArmor implementation may be a time sink if students are not careful. Most likely, there will be a question where students will implement a pre-configured AppArmor profile on the host or using an annotation.

Learn More

The StackRox CKS study guide contains a list of more resources and the ability to create a Kubernetes 1.19 cluster. In the GitHub repository, six folders contain mock exam questions and answers. Make sure to star and watch the repository for new updates as you begin your quest to becoming a Certified Kubernetes Security Specialist.