Code Monkey home page Code Monkey logo

cks-exam-tips's Introduction

CKS Exam Hints

Useful Links

Labs Practice

  • KodeKloud Mock Exams
  • ACloudGuru Labs

CKS KodeKloud Mock Exam solution video

Useful Bookmarks

kubectl Cheat Sheet -- https://kubernetes.io/docs/reference/kubectl/cheatsheet/

Kubectl Commands -- https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands

Network Policies -- https://kubernetes.io/docs/concepts/services-networking/network-policies/

Security Context -- https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

Secrets -- https://kubernetes.io/docs/concepts/configuration/secret/

RBAC -- https://kubernetes.io/docs/reference/access-authn-authz/rbac/

Seccomp -- https://kubernetes.io/docs/tutorials/clusters/seccomp/

Apparmor -- https://kubernetes.io/docs/tutorials/clusters/apparmor/

ImageWebhookPolicy -- https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/

Audit Policy -- https://kubernetes.io/docs/tasks/debug-application-cluster/audit/

PodSecurityPolicy -- https://kubernetes.io/docs/concepts/policy/pod-security-policy/

Kubelet Config -- https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/

RuntimeClaas -- https://kubernetes.io/docs/concepts/containers/runtime-class/

Admission Controllers -- https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy

automountServiceAccountToken -- https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

Pod Volumes -- https://kubernetes.io/docs/concepts/storage/volumes/

PV PVC -- https://kubernetes.io/docs/tasks/configure-pod-container/configure-persistent-volume-storage/

Ingress -- https://kubernetes.io/docs/concepts/services-networking/ingress/

Useful Commands

crictl -r /var/run/containerd/containerd.sock pods

crictl -r /var/run/containerd/containerd.sock ps

crictl -r /var/run/containerd/containerd.sock logs -f ef86e6ecf0bcb

Fix CIS Benchmark Issues

show

kubelet

vim /var/lib/kubelet/config.yaml
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
authorization:
  mode: Webhook
protectKernelDefaults: true

systemctl restart kubelet.service
systemctl status kubelet.service

kube-apiserver

vim /etc/kubernetes/manifests/kube-apiserver.yaml
- --authorization-mode=Node,RBAC
- --profiling=false

etcd

mv /etc/kubernetes/manifests/etcd.yaml /etc/kubernetes/
vim /etc/kubernetes/etcd.yaml
- --client-cert-auth=true

Configure Admission Control | ImageWebhookPolicy

show

admission-control.conf

vim /etc/kubernetes/admission-control/admission-control.conf
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: ImagePolicyWebhook
  path: imagepolicy.conf

imagepolicy.conf | imagepolicy.json

vim /etc/kubernetes/admission-control/imagepolicy.conf
{
   "imagePolicy": {
      "kubeConfigFile": "/etc/kubernetes/admission-control/imagepolicy_backend.kubeconfig",
      "allowTTL": 50,
      "denyTTL": 50,
      "retryBackoff": 500,
      "defaultAllow": false 
   }
}
Note: Change true to false and Take note of kubeConfigFile

imagepolicy_backend.kubeconfig

vim /etc/kubernetes/admission-control/imagepolicy_backend.kubeconfig
apiVersion: v1
kind: Config
clusters:
- name: trivy-k8s-webhook
  cluster:
    certificate-authority: /etc/kubernetes/admission-control/imagepolicywebhook-ca.crt
    server: https://acg.trivy.k8s.webhook:8090/scan
contexts:
- name: trivy-k8s-webhook
  context:
    cluster: trivy-k8s-webhook
    user: api-server
current-context: trivy-k8s-webhook
preferences: {}
users:
- name: api-server
  user:
    client-certificate: /etc/kubernetes/admission-control/api-server-client.crt
    client-key: /etc/kubernetes/admission-control/api-server-client.key
# Note: Edit server value

kube-apiserver

vim /etc/kubernetes/manifests/kube-apiserver.yaml
- --admission-control-config-file=/etc/kubernetes/admission-control/admission-control.conf
- --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook

Audit Policy

show

audit-policy.yaml

apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - "RequestReceived"
rules:
  - level: None
    resources:
    - group: ""
      resources: ["pods/log", "pods/status"]
  - level: RequestResponse
    resources:
    - group: ""
      resources: ["configmaps"]
  - level: Request
    resources:
    - group: ""
      resources: ["services", "pods"]
    namespaces: ["web"]
  - level: Metadata
    resources:
    - group: ""
      resources: ["secrets"]
  - level: Metadata

kube-apiserver.yaml

vim /etc/kubernetes/manifests/kube-apiserver.yaml
- --audit-policy-file=/etc/kubernetes/audit-policy.yaml
- --audit-log-path=/var/log/kubernetes/audit.log
- --audit-log-maxage=10
- --audit-log-maxbackup=1

PodSecurityPolicy

show 

vim  nopriv-psp.yml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: nopriv-psp
spec:
  privileged: false
  runAsUser:
    rule: "RunAsAny"
  fsGroup:
    rule: "RunAsAny"
  seLinux:
    rule: "RunAsAny"
  supplementalGroups:
    rule: "RunAsAny"
k apply -f nopriv-psp.yml
/home/cloud_user/use-nopriv-psp.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: use-nopriv-psp
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs:     ['use']
  resourceNames:
  - nopriv-psp
k apply -f /home/cloud_user/use-nopriv-psp.yml
/home/cloud_user/hoth-sa-use-nopriv-psp.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: hoth-sa-use-nopriv-psp
roleRef:
  kind: ClusterRole
  name: use-nopriv-psp
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: hoth-sa
  namespace: hoth
k apply -f /home/cloud_user/hoth-sa-use-nopriv-psp.yml

RuntimeClass | gVisor

show

RuntimeClass

vim /home/cloud_user/sandbox.yml
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: sandbox
handler: runsc
k apply -f /home/cloud_user/sandbox.yml

Edit deployment

k -n sunnydale edit deployments.apps buffy # runtimeClassName: sandbox
k -n sunnydale edit deployments.apps giles
k -n sunnydale edit deployments.apps spike

Verification

k -n sunnydale exec buffy-7bdbdfc554-ls5q5 -- dmesg

[   0.000000] Starting gVisor...
[   0.453650] Forking spaghetti code...
[   0.939306] Conjuring /dev/null black hole...
[   1.162591] Searching for socket adapter...
[   1.450979] Generating random numbers by fair dice roll...
[   1.907884] Waiting for children...
[   2.063679] Checking naughty and nice process list...
[   2.554570] Recruiting cron-ies...
[   3.023213] Gathering forks...
[   3.300373] Synthesizing system calls...
[   3.401099] Searching for needles in stacks...
[   3.521588] Setting up VFS2...
[   3.938928] Ready!

Security Best Practices

show

  • Fixing issues in Dockerfile
  • Fixing issues in Deployment

Ensure Containers Are Static and Immutable

show

  • runAsUser: 0
  • readOnlyRootFilesystem: false
  • priveledged: true

Trivy Commands

show 

k -n development get pods
k -n development get pods --output=custom-columns="NAME:.metadata.name,IMAGE:.spec.containers[*].image"
NAME       IMAGE
work1      busybox:1.33.1
work2      nginx:1.14.2
work3      amazonlinux:2
work4      amazonlinux:1
work5      centos:7
trivy image -s HIGH,CRITICAL busybox:1.33.1
trivy image -s HIGH,CRITICAL nginx:1.14.2 #HIGH and CRITICAL
trivy image -s HIGH,CRITICAL amazonlinux:2
trivy image -s HIGH,CRITICAL amazonlinux:1
trivy image -s HIGH,CRITICAL centos:7 #HIGH and CRITICAL

Falco rules

show 

sudo falco -M 45 -r /home/cloud_user/monitor_rules.yml > /home/cloud_user/falco_output.log
- /etc/falco/falco_rules.local.yaml
- /etc/falco/falco_rules.yaml
- /etc/falco/falco.yaml
systemctl restart falco.service

AppArmor Profile

show 

cat k8s-deny-write
#include <tunables/global>
profile k8s-deny-write flags=(attach_disconnected) {
  #include <abstractions/base>
  file,
  # Deny all file writes.
  deny /** w,
}
sudo aa-status | grep k8s-deny-write

sudo apparmor_parser k8s-deny-write

sudo aa-status | grep k8s-deny-write
   k8s-deny-write
vim ~/writedeny.yml
apiVersion: v1
kind: Pod
metadata:
  name: writedeny
  namespace: dev
  annotations:
    container.apparmor.security.beta.kubernetes.io/busybox: localhost/k8s-deny-write
spec:
  containers:
  - name: busybox
    image: busybox:1.33.1
    command: ['sh', '-c', 'while true; do echo writedeny > password.txt; sleep 5; done']
# Note: annotations, container and apparmor profile to be edited
# container.apparmor.security.beta.kubernetes.io/<<container name>>: localhost/<<profile name>>

Other topics

  • Seccomp Profile
  • Fix a Pod's Service Account That Has Too Many Permissions
  • Create a Network Policy
  • Get a Username, Password from an Existing Secret. Create a Secret and Mount It to a Pod
  • automountServiceAccountToken: false

cks-exam-tips's People

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.