When searching for Kubernetes and Cloud Native Security Associate (KCSA) study materials, I couldn’t find any that were both free and high-quality. So, I’ve created this resource to guide you through the curriculum and provide free resources for your studies.

Overview

The Kubernetes and Cloud Native Security Associate (KCSA) exam demonstrates a user’s understanding of the baseline security configuration of Kubernetes clusters to meet compliance objectives, including the ability to harden security controls, test and monitor the security, and participate in assessing security threats and vulnerabilities.

The KCSA exam is fully remote and consists of 60 multiple-choice questions which have to be completed within 90 minutes.

This guide is a combination of my CKS notes and stuff I found online. See the sources for details.

If you find any inaccuracies or have suggestions for improvements, please reach out or open an issue in website-ref.

Study Guide

The KCSA curriculum can be found on the CNCF GitHub. I’ll be breaking up the guide into chunks based on the certs domains.

Overview of Cloud Native Security

This section makes up 14% of the exam

The 4Cs of Cloud Native Security

The four Cs of are Cloud, Cluster, Container, Code.

Cloud Provider and Infrastructure Security

Kubernetes | Cloud provider security

Controls and Frameworks

The OWASP Kubernetes Top Ten can be used to prioritize risk around Kubernetes.

Isolation Techniques

Artifact Repository and Image Security

Kubernetes | Images

Workload and Application Code Security

Kubernetes | Workload protection

OWASP | Vulnerability Scanning OWASP | Container Vulnerability Scanning

Security Contexts

Kubernetes, as the container orchestration engine, can apply additional configuration to increase container security. You do so by defining a security context. A security context defines privilege and access control settings for a Pod or a container.

  • The user ID that should be used to run the Pod and/or container
  • The group ID that should be used for filesystem access
  • Granting a running process inside the container some privileges of the root user but not all of them

Kubernetes Cluster Component Security

This section makes up 22% of the exam

Kubernetes | Overview of Components

API Server

The core of Kubernetes’ control plane is the API server. The API server exposes an HTTP API that lets end users, different parts of your cluster, and external components communicate with one another.

Controller Manager

The Kubernetes controller manager is a daemon that embeds the core control loops shipped with Kubernetes. In applications of robotics and automation, a control loop is a non-terminating loop that regulates the state of the system.

kube-controller-manager

Scheduler

The Kubernetes scheduler is a control plane process which assigns Pods to Nodes. The scheduler determines which Nodes are valid placements for each Pod in the scheduling queue according to constraints and available resources.

Kubernetes | kube-scheduler

Kubelet

The kubelet is the primary “node agent” that runs on each node.

Container Runtime

The container runtime are installed on nodes and are what actually run containers.

Some of the common container runtimes are:

Kubernetes | Container socket

KubeProxy

The Kubernetes network proxy runs on each node. This reflects services as defined in the Kubernetes API on each node and can do simple TCP, UDP, and SCTP stream forwarding or round robin TCP, UDP, and SCTP forwarding across a set of backends.

Pod

A Pod is a group of one or more containers, with shared storage and network resources, and a specification for how to run the containers. A Pod’s contents are always co-located and co-scheduled, and run in a shared context.

Etcd

Etcd is a distributed, reliable key-value store for the most critical data of a distributed system and its used by Kubernetes.

Container Networking

Kubernetes nodes should not be publicly exposed to the internet and access to the control plane nodes should be restricted.

https://www.tkng.io/

Client Security

Secure your kubeconfig file its used to authenticate to a cluster using the kubectl tool.

Storage

Kubernetes | Storage

Kubernetes Security Fundamentals

This section makes up 22% of the exam

Pod Security Standards

The Pod Security Standards define three different policies to broadly cover the security spectrum. These policies are cumulative and range from highly-permissive to highly-restrictive. This guide outlines the requirements of each policy.

Level Behavior
privileged Fully unrestricted policy
baseline Minimally restrictive policy that covers crucial standards
restricted Heavily restricted policy following best practices for hardening Pods from a security perspective

Pod Security Admission

Older versions of Kubernetes shipped with a feature called Pod Security Policies (PSP). Pod Security Policies are a concept that help with enforcing security standards for Pod objects. Kubernetes 1.21 deprecated Pod Security Policies and introduced the replacement functionality Pod Security Admission. Kubernetes release 1.25 completely removed Pod Security Policies

Pod Security admission controller to enforce the Pod Security Standards. Pod security restrictions are applied at the namespace level when pods are created.

Mode Behavior
enforce Violations will cause the Pod to be rejected
audit Pod creation will be allowed. Violations will be appended to the audit log
warn Pod creation will be allowed. Violations will be rendered on the console

You can configure namespaces to define the admission control mode you want to use for pod security in each namespace by adding the following label. A namespace can configure any or all modes, or even set a different level for different modes.

metadata:
  labels:
    pod-security.kubernetes.io/MODE: LEVEL

Kubernetes | Pod Security Admission

Authentication

Authentication is what grant you the ability to login (not do anything).

Kubernetes authz authn flow

Authorization

Authorization is what grants permissions. In Kubernetes there a Roles (namespaced) and ClusterRoles (cluster level) they can be granted to a target with RoleBinding and ClusterRoleBinding.

Here is an example creating a role and then attaching it the user johndoe.

kubectl create role developer \
    --verb=create,get,list,update,delete \
    --resource=pods

kubectl create rolebinding developer-binding-johndoe \
    --role=developer \
    --user=johndoe

Secrets

Any data stored in etcd exists in unencrypted key-value form, so access to the control plane node allows for reading Secrets in plain text. One way to mitigate the situation is by encrypting the data stored in etcd. Access to etcd, either using etcdctl or by reading the etcd data from the filesystem, would not expose human-readable, sensitive information anymore.

Service Accounts

Enforce mountable secrets To limit what secrets can be passed into the container (mounted/env) the annotation kubernetes.io/enforce-mountable-secrets: "true" can be added to the serviceAccount to restrict access.

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    kubernetes.io/enforce-mountable-secrets: "true"
  name: <SERVICE_ACCOUNT>
secrets:
  - name: <SECRET_NAME>

Isolation and Segmentation

Audit Logging

Kubernetes | Auditing

Entries in the audit log exist in JSON Lines format and can consist of, but aren’t limited to, the following information:

  • What event occurred?
  • Who triggered the event?
  • When was it triggered?
  • Which Kubernetes component handled the request?

Network Policy

Network policies are used to restrict ingress and egress traffic to pods.

Isovalent provides a nice online network policy editor.

Policies are namespaces, they target pod based on labels attached to the pods. Here is an example of a rule that denys ingress and egress to all (podSelector: {}) pods in the namespace.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: NAMESPACE
spec:
    podSelector: {}
    policyTypes:
      - Ingress
      - Egress

Another example that allows ingress to a backend service only from the frontend service in the same namespace.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend
  namespace: NAMESPACE
spec:
  podSelector:
    matchLabels:
      tier: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - port: 3000

Kubernetes Threat Model

This section makes up 16% of the exam

Kubernetes Trust Boundaries and Data Flow

Trust Boundary or Zone segregates different components in a Data Flow Diagram based on sensitivity and level of access to critical assets in the system.

Zone Description
Internet The externally facing, wider internet zone
API Server The master component, usually exposed to cluster users, needed for interaction with kubectl
Master Components Internal components of the master node that works via. callbacks and subscriptions to the API Server
Master Data The master data layer that stores the cluster state. Example: etcd
Worker The worker components that is required to add a node in the cluster and to run containers
Container The containers being orchestrated by the cluster

Persistence

A malicious techniques that enable access to a system long after an initial compromise

RedHat | Kubernetes Persistence

Denial of Service

A denial-of-service (DoS) attack occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor.

CISA | Understanding Denial-of-Service Attacks

Malicious Code Execution and Compromised Applications in Containers

  • Update software, containers and cluster
  • Backups of key components (etcd, volumes, etc.)

Attacker on the Network

Network attacks are unauthorized actions on the digital assets within an organizational network.

HackTricks Cloud | Kubernetes Network Attacks

Access to Sensitive Data

Sensitive data is mainly access to the ectd data store which contains secrets, code (intellectual property) and volumes (like databases).

Privilege Escalation

Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

Platform Security

This section makes up 16% of the exam

Supply Chain Security

https://www.cncf.io/blog/2022/04/12/a-map-for-kubernetes-supply-chain-security/

Minimizing base images improves security by reducing the potential attack service by remove unneeded services. A cool project to checkout is distroless

Use multi-stage builds to separate build from runtime and only include the necessary packages to run the application.

Image Repository

Image repositories store container images and can offer features such as vulnerability scanning

Example solutions:

Kubernetes | Authenticating to Private Registry

Observability

Logs from containers can easily be viewed with the following command.

kubectl logs <POD> -c <CONTAINER>

Metrics can be retrieved from the cluster and pods with the Metrics API.

kubectl top node

kubectl top pod <POD>

Falco is a tool that monitors the nodes container runtimes for security related events.

Service Mesh

A service mesh is an infrastructure layer that gives applications capabilities like zero-trust security, observability, and advanced traffic management, without code changes.

OWASP | Securing Service Mesh

PKI

Kubernetes uses Public Key Infrastructure to authenticate all components of the cluster. This allows each component to verify each other by verifying the certificate against the root certificate.

cluster certificate usage

Kubernetes | Certificates Best Practices

Connectivity

Kubernetes pod networking

Admission Control

An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized.

Admission controllers may be validating, mutating, or both.

  • Mutating controllers may modify objects related to the requests they admit
  • Validating controllers validate the request.

View all admission controllers enabled by default

kubectl exec -it kube-apiserver -n kube-system -- kube-apiserver -h | grep admission-control

To add a new default plugin to the api server updated the manifest. --enable-admission-plugins=NodeRestriction,AlwaysPullImages,...

Compliance and Security Frameworks

This section makes up 10% of the exam

Compliance Frameworks

Red Hat | Kubernetes compliance considerations

Threat Modelling Frameworks

Threat Modeling Process

Supply Chain Compliance

Signing container images allows the source running the container to verify who published it.

Pinning images verifies that the image cannot change without resulting in an issue. A pinned image looks like the following:

gcr.io/kaniko-project/executor:v1.15.0@sha256:6aace7210ad8bf0da4b1aa707a1c0ea962d0e871bb1921504c1a5e690d5f6a2a

Automation and Tooling

Many free 3rd party solution are available to audit clusters, workloads and container images

Sources