- https://kubernetes.io/docs/concepts/services-networking/network-policies/
- https://github.com/ahmetb/kubernetes-network-policy-recipes
- https://medium.com/@reuvenharrison/an-introduction-to-kubernetes-network-policies-for-security-people-ba92dd4c809d
- https://github.com/Tufin/test-network-policies
Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
- https://www.cisecurity.org/benchmark/kubernetes/
- https://github.com/dev-sec/cis-kubernetes-benchmark
- https://github.com/aquasecurity/kube-bench
- https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks
Retrieve node metadata, e.g. AWS: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
e.g. Restricting access to Amazon EC2 instance profile credentials or its UserData could be part of the exam.
- Controlling Access to the Kubernetes API : https://kubernetes.io/docs/reference/access-authn-authz/controlling-access/
- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
- https://github.com/David-VTUK/CKA-StudyGuide/blob/master/RevisionTopics/Part-5-Security.md
Exercise caution when using service accounts, e.g. disable defaults and minimize permissions on newly created ones
- https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/
- https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
CIS benchmark dedicated to each Linux distribution
- https://www.cisecurity.org/benchmark/red_hat_linux/
- https://www.cisecurity.org/benchmark/ubuntu_linux/
- https://www.cisecurity.org/benchmark/centos_linux/
- https://www.cisecurity.org/benchmark/debian_linux/
- https://www.cisecurity.org/benchmark/suse_linux/
- https://www.cisecurity.org/benchmark/oracle_linux/
- Least privilege principle is generally the way to go!
- ACL at the level of subnet : https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
- Security Group at the level of machine : https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html
- Firewall at the level of OS (ufw, firewall-cmd) : https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw/
"Container Security" by Liz Rice, which covers AppArmor, Seccomp, SELinux and the whole gang.
PSP : https://kubernetes.io/docs/concepts/policy/pod-security-policy/
OPA : https://www.openpolicyagent.org/docs/latest/kubernetes-primer/
Security Context : https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
TGIK - Advanced k8s secret management : https://www.youtube.com/watch?v=IznsHhKL428&ab_channel=VMwareCloudNativeApps
Sealed Secrets : https://github.com/bitnami-labs/sealed-secrets
secrets-store-csi-driver : https://github.com/kubernetes-sigs/secrets-store-csi-driver
Hands-on Kata : https://github.com/abdennour/abdennour.github.io/blob/master/_posts/2018-06-09-successfully-running-kata-containers-in-the-cloud.markdown
https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/
Using Istio : https://developer.ibm.com/technologies/containers/tutorials/istio-security-mtls/
Using Linkerd : https://linkerd.io/2/features/automatic-mtls/
7 best practices for building containers.
Docker way : https://docs.docker.com/engine/security/trust/content_trust/
Tools for cryptographically signing container images:
Example: restrict which registries images may be pulled from
Also related: https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/
- kube-hunter: https://github.com/aquasecurity/kube-hunter
- Tools around static container image scanning:
Tools around dynamic container image scanning:
Perform behavioral analytics of syscall, process and file activities at the host and container level to detect malicious activities
- Get the General Concept : https://www.dnvgl.com/article/the-seven-phases-of-a-cyber-attack-118270
- Falco might help?
Firecracker for multi-tenancy, Bottlerocket to reduce the attack surface, audit2rbac for generating RBAC roles
The given links are our assumptions and ideas - we neither have insight into the exam requirements, nor do we know exactly what it will look like. We are guessing about possibilities and trying to collect resources.