Certified Kubernetes Security Specialist Training Notes

These are the notes I’ve taken while taking the Certified Kubernetes Security Specialist course on KodeKloud.

These notes are not meant to be a complete record of the training but to be used as a training aid. I’m not going to be recording those things I already know really well.

Table of Contents

Quick Reference

• Cliff Notes
• The 4C’s of Cloud Native Security

01 - Cluster Setup and Hardening

• 01 CIS Benchmarks
• 02 Kubernetes Security Primitives
• 03 Authentication
• 04 Service Accounts
• 05 TLS
• 06 API Groups
• 07 Authorization
• 08 Securing the Kubelet
• 09 Kubectl Proxy
• 10 Kubernetes Dashboard
• 11 Verify Platform Binaries Before Deploying
• 12 Kubernetes Software Versions
• 13 Cluster Upgrade Process
• 14 Network Policy
• 15 Ingress
• 16 Docker Service

02 - System Hardening

• 01 Intro
• 02 Limit Node Access
• 03 SSH Hardening
• 04 Privilege Escalation
• 05 Remove Unwanted Packages and Services
• 06 Restrict Kernel Modules
• 07 Disable Open Ports
• 08 Minimize IAM Policies and Roles
• 09 Restrict Network Access To Servers
• 10 Linux Syscalls
• 11 AppArmor
• 12 Add and Drop Linux Capabilities

03 - Minimize Microservice Vulnerabilities

• 01 Security Contexts
• 02 Admission Controllers
• 03 Validating and Mutating Admission Controllers
• 04 Open Policy Agent
• 05 Container Sandboxing
• 06 Mutual TLS Between Pods

04 - Supply Chain Security

• 01 Minimize Base Image Footprint
• 02 Image Security
• 03 Whitelist Allowed Registries
• 04 Use Static Analysis of User Workloads
• 05 Scan Images for Known Vulnerabilities

05 - Monitoring, Logging and Runtime Security

• 01 Falco
• 02 Immutable Infrastructure
• 03 Kubernetes Auditing