CKS Certification Study Guide: Supply Chain Security

Previous Sections

This is the fifth installment in our six-part CKS Certification series. Don’t forget to check out all the posts in the series:

This blog references tools to set up a Kubernetes version 1.19 cluster and review the CKS - Cluster Setup section. You can create a Kubernetes cluster from our GitHub repository using Terraform and Rancher Kubernetes Engine (RKE) in Google Cloud Platform (GCP) or Amazon Web Services (AWS). This cluster environment will help simulate a real Kubernetes environment rather than a local cluster. To get the cluster up and running, follow the readme.md, which outlines the applications you will need and the repository's general structure.

Section 5: Supply Chain Security

The fifth section of our study guide focuses on supply chain security. The Linux Foundation course outline highlights the following core concepts:

  1. Minimize base image footprint
  2. Secure your supply chain: whitelist allowed registries, sign and validate images
  3. Use static analysis of user workloads (e.g. Kubernetes resources, Dockerfiles)
  4. Scan images for known vulnerabilities

This section takes up 20% of the overall point total, and it is reasonable to assume 3-5 questions revolving around supply chain security. Each of the questions will also need to be completed in about 5-6 minutes on average during the exam. Below is an overview of the various concepts that the CKS will highlight in the supply chain security section.


Core Concepts and Topics

Minimize base image footprint

Regardless of how this is implemented in the test, minimizing your base images is always a good idea to decrease the attack surface for your containers. Always make sure to include only the packages that are necessary for each containerized application. When choosing a base image, note how well maintained the image is and what software it installs by default. In the exam, I expect you will have the option of selecting from a range of base images and choosing their defaults. There may be a question that requires using Trivy to view CVEs related to a base image and then prioritizing image selection accordingly. As a core concept, scanning and minimizing your images is a handy way to lower the attack surface within your cluster.

Secure your supply chain: whitelist allowed registries, sign and validate images

Securing the images that are allowed to run in your cluster is essential. You will also need to verify that a pulled image comes from the correct source. The ImagePolicyWebhook admission controller lets you set up rules about which images should be allowed within the cluster. An example rule the admission controller could enforce is rejecting any image with the tag `latest`. During the exam, you will most likely have to connect the ImagePolicyWebhook to a previously set up webhook server.
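As an added example that is not part of the original post or the StackRox repository, here is a minimal policy evaluator for the ImageReview objects that the ImagePolicyWebhook admission controller sends to its backend; the allowed-registry set, the rejected tags, and the sample request are constructed for this illustration. It parses the image reference so that an untagged image (which Docker resolves to `latest`) and a registry with a port are handled correctly, and it lets digest-pinned images through.

```python
import json

# Constructed policy for this example: registries we trust, tags we reject.
ALLOWED_REGISTRIES = {"registry.example.com", "registry.example.com:5000", "gcr.io"}
FORBIDDEN_TAGS = {"latest"}


def parse_image(ref):
    """Split an image reference into (registry, repository, tag, digest).

    Follows the Docker reference grammar: the first path component is a
    registry only if it contains '.' or ':' or is 'localhost'; otherwise
    the image lives on docker.io. No tag and no digest means 'latest'.
    """
    name, _, digest = ref.partition("@")
    first, slash, rest = name.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", name
    # A ':' after the last '/' separates the tag; one before it is a port.
    repo, tag = path, ""
    if ":" in path.rsplit("/", 1)[-1]:
        repo, _, tag = path.rpartition(":")
    if not tag and not digest:
        tag = "latest"  # Docker's implicit default tag
    return registry, repo, tag, digest


def evaluate_image(ref):
    """Return None if the image passes policy, otherwise a rejection reason."""
    registry, repo, tag, digest = parse_image(ref)
    if registry not in ALLOWED_REGISTRIES:
        return f"registry {registry} is not in the allowed list"
    # A digest pins the exact content, so a forbidden tag is only a problem
    # when the reference is not also digest-pinned.
    if not digest and tag in FORBIDDEN_TAGS:
        return f"tag '{tag}' is not allowed for {repo}"
    return None


def review(image_review):
    """Evaluate an imagepolicy.k8s.io/v1alpha1 ImageReview request and build
    the response body the API server expects (status.allowed, status.reason)."""
    reasons = []
    for container in image_review["spec"].get("containers", []):
        reason = evaluate_image(container["image"])
        if reason:
            reasons.append(reason)
    return {"apiVersion": "imagepolicy.k8s.io/v1alpha1", "kind": "ImageReview",
            "status": {"allowed": not reasons, "reason": "; ".join(reasons)}}


# Constructed sample request, shaped like what the API server posts.
SAMPLE_REVIEW = {"apiVersion": "imagepolicy.k8s.io/v1alpha1", "kind": "ImageReview",
                 "spec": {"namespace": "default", "containers": [
                     {"image": "registry.example.com/app:1.4.2"},
                     {"image": "registry.example.com/sidecar:latest"},
                     {"image": "nginx"}]}}

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_REVIEW), indent=2))
```

A real backend wraps `review()` in a TLS HTTP handler and is referenced from the kubeconfig named in the AdmissionConfiguration file's `imagePolicy.kubeConfigFile`.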

Use static analysis of user workloads (e.g. Kubernetes resources, Dockerfiles)

Static analysis might be the most straightforward concept outlined in this course. You will need to vet the configuration of Kubernetes YAML files and Dockerfiles and fix any security issues. This includes setting secure base images, removing unnecessary packages, stopping containers from running with elevated privileges, and removing the ability to SSH into a container. When hardening Kubernetes resources, look for elevated privileges, security contexts that allow a UID of 0, and host volumes that should not be mounted.

Scan images for known vulnerabilities

I mentioned container scanning in the previous section, and it would seem there is some crossover between these two topics. Out of the open-source tools that are allowed, Trivy is the only one focused on container scanning. You are also allowed to use the GitHub documentation during the exam, so it’s worth bookmarking the quick start documentation.

Learn More

The StackRox CKS study guide contains a list of further resources and the ability to create a Kubernetes 1.19 cluster. In the GitHub repository, six folders contain mock exam questions and answers. Make sure to star and watch the repository for new updates as you begin your quest to become a Certified Kubernetes Security Specialist.