As we continue the study guide for the Certified Kubernetes Security Specialist (CKS) program, be sure to check out the information and content breakdown from our previous CKS posts:
- CKS CNCF Announcement and Exam Study
- CKS Certification Study Guide: Cluster Setup in Kubernetes
- CKS Certification Study Guide: Cluster Hardening
- CKS Certification Study Guide: System Hardening
- CKS Certification Study Guide: Minimizing Microservice Vulnerabilities
- CKS Certification Study Guide: Supply Chain Security
This blog references tools to set up a Kubernetes version 1.19 cluster and review the CKS - Cluster Setup section. There is the ability to create a Kubernetes cluster from our GitHub repository using Terraform and Rancher Kubernetes Engine (RKE) in Google Cloud Platform (GCP) or Amazon Web Services (AWS). This cluster environment will help to simulate a real Kubernetes environment instead of a local cluster. To get the cluster up and running, follow the readme.md that outlines what applications you will need and the repository’s general structure.
Section 6: Monitoring, Logging, and Runtime Security
- Perform behavioral analytics on syscall process and file activities at the host and container level to detect malicious activities
- Detect threats within a physical infrastructure, apps, networks, data, users, and workloads
- Detect all phases of attack regardless of where it occurs and how it spreads
- Perform deep analytical investigation and identification of bad actors within the environment
- Ensure immutability of containers at runtime
- Use audit logging to monitor access
This section takes up 20% of the point total, and it is reasonable to assume 3-5 questions revolving around monitoring, logging, and runtime security. Each of the questions will also need to be completed in about 5-6 minutes on average during the exam. Below is an overview of the various concepts that the CKS will highlight in the monitoring, logging, and runtime security.
Core Concepts and Topics
Perform behavioral analytics on syscall process and file activities at the host and container level to detect malicious activities
To perform behavioral analysis of syscall and file activities, you will need to implement a tool to detect threats. Falco is a CNCF incubating project listed in the course documentation as a resource available during the exam. I assume that you will have to use Falco to detect some malicious activity and output it to a file, similar to questions from the CKA.
Detect threats within a physical infrastructure, apps, networks, data, users, and workloads
This concept generalizes a lot of previous topics that we have covered in past blogs. Assuming that each of the questions takes an average of 5-6 minutes, it is doubtful the exam will have complicated problems that cannot be solved relatively quickly. One possibility might require you to fully assess a deployment in the cluster and write any vulnerabilities that are found in a file. The exam seeks to determine your knowledge of Kubernetes security threats and how to mitigate them. This concept seems overly broad to narrow down any specific topic.
Detect all phases of attack regardless of where it occurs and how it spreads
Another somewhat broad concept, however, does highlight various methods of exploitation. Mounted volumes, downloading packages, or using malicious running containers on the host show a significant attack surface that you need to be aware of. There is an excellent blog series focused on the MITRE ATT&CK Framework, which is a great resource for reviewing relevant threats for various attack phases.
Perform deep analytical investigation and identification of bad actors within the environment
This is another vague concept that encompasses a variety of techniques and topics that have been covered in previous blogs. Anticipate questions that give you actionable information that you will have to correct. These questions may call for you to changed config files, remove any misconfigurations, or protecting secrets. Audit logging will help to identify bad actors and changes in Kubernetes environments as well.
Ensure immutability of containers at runtime
The principle of container immutability means that the containers you have deployed are never changed once they are running - only their images are updated. You want to ensure that the cluster’s containers do not execute malicious code added through a download or mounted volume. Students should also be aware of the sidecar pattern and how a volume can be mounted to both containers simultaneously.
Use audit logging to monitor access
Audit logging will make up a significant amount of this section points. The audit policy feature in Kubernetes is another admission controller that allows users to specify what events should be recorded and what data is included. You will most likely need to set up an audit policy during the exam. This question may also tie into identifying bad actors as an audit policy is a helpful way to discover users who are making malicious or unqualified requests in the cluster. Lastly, the log backend might be utilized to output the audit logs to a specific file location.
The StackRox CKS study guide contains a list of more resources and the ability to create a Kubernetes 1.19 cluster. In the GitHub repository, six folders contain mock exam questions and answers. Make sure to star and watch the repository for new updates as you begin your quest to becoming a Certified Kubernetes Security Specialist.