When searching for Kubernetes and Cloud Native Security Associate (KCSA) study materials, I couldn’t find any that were both free and high-quality. So, I’ve created this resource to guide you through the curriculum and provide free resources for your studies.
Overview
The Kubernetes and Cloud Native Security Associate (KCSA) exam demonstrates a user’s understanding of the baseline security configuration of Kubernetes clusters to meet compliance objectives, including the ability to harden security controls, test and monitor the security, and participate in assessing security threats and vulnerabilities.
The KCSA exam is fully remote and consists of 60 multiple-choice questions which have to be completed within 90 minutes.
This guide is a combination of my CKS notes and stuff I found online. See the sources for details.
If you find any inaccuracies or have suggestions for improvements, please reach out or open an issue in website-ref.
Study Guide
The KCSA curriculum can be found on the CNCF GitHub. I’ll be breaking up the guide into chunks based on the certs domains.
- Overview of Cloud Native Security
- Kubernetes Cluster Component Security
- Kubernetes Security Fundamentals
- Kubernetes Threat Model
- Platform Security
- Compliance and Security Frameworks
Overview of Cloud Native Security
This section makes up 14% of the exam
The 4Cs of Cloud Native Security
The four Cs of are Cloud, Cluster, Container, Code.
Cloud Provider and Infrastructure Security
Kubernetes | Cloud provider security
Controls and Frameworks
The OWASP Kubernetes Top Ten can be used to prioritize risk around Kubernetes.
Isolation Techniques
- Namespaces
- Network policies
- Policies
- RBAC
Artifact Repository and Image Security
Workload and Application Code Security
Kubernetes | Workload protection
OWASP | Vulnerability Scanning OWASP | Container Vulnerability Scanning
Security Contexts
Kubernetes, as the container orchestration engine, can apply additional configuration to increase container security. You do so by defining a security context. A security context defines privilege and access control settings for a Pod or a container.
- The user ID that should be used to run the Pod and/or container
- The group ID that should be used for filesystem access
- Granting a running process inside the container some privileges of the root user but not all of them
Kubernetes Cluster Component Security
This section makes up 22% of the exam
Kubernetes | Overview of Components
API Server
The core of Kubernetes’ control plane is the API server. The API server exposes an HTTP API that lets end users, different parts of your cluster, and external components communicate with one another.
Controller Manager
The Kubernetes controller manager is a daemon that embeds the core control loops shipped with Kubernetes. In applications of robotics and automation, a control loop is a non-terminating loop that regulates the state of the system.
Scheduler
The Kubernetes scheduler is a control plane process which assigns Pods to Nodes. The scheduler determines which Nodes are valid placements for each Pod in the scheduling queue according to constraints and available resources.
Kubelet
The kubelet is the primary “node agent” that runs on each node.
Container Runtime
The container runtime are installed on nodes and are what actually run containers.
Some of the common container runtimes are:
KubeProxy
The Kubernetes network proxy runs on each node. This reflects services as defined in the Kubernetes API on each node and can do simple TCP, UDP, and SCTP stream forwarding or round robin TCP, UDP, and SCTP forwarding across a set of backends.
Pod
A Pod is a group of one or more containers, with shared storage and network resources, and a specification for how to run the containers. A Pod’s contents are always co-located and co-scheduled, and run in a shared context.
Etcd
Etcd is a distributed, reliable key-value store for the most critical data of a distributed system and its used by Kubernetes.
Container Networking
Kubernetes nodes should not be publicly exposed to the internet and access to the control plane nodes should be restricted.
Client Security
Secure your kubeconfig file its used to authenticate to a cluster using the kubectl tool.
Storage
Kubernetes Security Fundamentals
This section makes up 22% of the exam
Pod Security Standards
The Pod Security Standards define three different policies to broadly cover the security spectrum. These policies are cumulative and range from highly-permissive to highly-restrictive. This guide outlines the requirements of each policy.
Level | Behavior |
---|---|
privileged | Fully unrestricted policy |
baseline | Minimally restrictive policy that covers crucial standards |
restricted | Heavily restricted policy following best practices for hardening Pods from a security perspective |
- Snyk | Understanding Kubernetes Pod Security Standards
- Kubernetes | Enforcing Pod Security Standards
Pod Security Admission
Older versions of Kubernetes shipped with a feature called Pod Security Policies (PSP). Pod Security Policies are a concept that help with enforcing security standards for Pod objects. Kubernetes 1.21 deprecated Pod Security Policies and introduced the replacement functionality Pod Security Admission. Kubernetes release 1.25 completely removed Pod Security Policies
Pod Security admission controller to enforce the Pod Security Standards. Pod security restrictions are applied at the namespace level when pods are created.
Mode | Behavior |
---|---|
enforce | Violations will cause the Pod to be rejected |
audit | Pod creation will be allowed. Violations will be appended to the audit log |
warn | Pod creation will be allowed. Violations will be rendered on the console |
You can configure namespaces to define the admission control mode you want to use for pod security in each namespace by adding the following label. A namespace can configure any or all modes, or even set a different level for different modes.
metadata:
labels:
pod-security.kubernetes.io/MODE: LEVEL
Kubernetes | Pod Security Admission
Authentication
Authentication is what grant you the ability to login (not do anything).
- Kubernetes | Authenticating
- DataDog | Kubernetes security fundamentals: Authentication
- Kubernetes | Hardening Authentication
Authorization
Authorization is what grants permissions. In Kubernetes there a Roles (namespaced) and ClusterRoles (cluster level) they can be granted to a target with RoleBinding and ClusterRoleBinding.
Here is an example creating a role and then attaching it the user johndoe.
kubectl create role developer \
--verb=create,get,list,update,delete \
--resource=pods
kubectl create rolebinding developer-binding-johndoe \
--role=developer \
--user=johndoe
Secrets
Any data stored in etcd exists in unencrypted key-value form, so access to the control plane node allows for reading Secrets in plain text. One way to mitigate the situation is by encrypting the data stored in etcd. Access to etcd, either using etcdctl or by reading the etcd data from the filesystem, would not expose human-readable, sensitive information anymore.
Service Accounts
Enforce mountable secrets
To limit what secrets can be passed into the container (mounted/env) the annotation kubernetes.io/enforce-mountable-secrets: "true"
can be added to the serviceAccount to restrict access.
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
kubernetes.io/enforce-mountable-secrets: "true"
name: <SERVICE_ACCOUNT>
secrets:
- name: <SECRET_NAME>
Isolation and Segmentation
- isolation-techniques
- Kubernetes | Multi-tenancy
- Namespaces logically isolate resources from one another.
- Pods can be assigned to specific nodes with node selectors and restricted from assignment with node taints.
Audit Logging
Entries in the audit log exist in JSON Lines format and can consist of, but aren’t limited to, the following information:
- What event occurred?
- Who triggered the event?
- When was it triggered?
- Which Kubernetes component handled the request?
Network Policy
Network policies are used to restrict ingress and egress traffic to pods.
Isovalent provides a nice online network policy editor.
Policies are namespaces, they target pod based on labels attached to the pods. Here is an example of a rule that denys ingress and egress to all (podSelector: {}
) pods in the namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-ingress
namespace: NAMESPACE
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
Another example that allows ingress to a backend service only from the frontend service in the same namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: backend
namespace: NAMESPACE
spec:
podSelector:
matchLabels:
tier: backend
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
ports:
- port: 3000
Kubernetes Threat Model
This section makes up 16% of the exam
Kubernetes Trust Boundaries and Data Flow
Trust Boundary or Zone segregates different components in a Data Flow Diagram based on sensitivity and level of access to critical assets in the system.
Zone | Description |
---|---|
Internet | The externally facing, wider internet zone |
API Server | The master component, usually exposed to cluster users, needed for interaction with kubectl |
Master Components | Internal components of the master node that works via. callbacks and subscriptions to the API Server |
Master Data | The master data layer that stores the cluster state. Example: etcd |
Worker | The worker components that is required to add a node in the cluster and to run containers |
Container | The containers being orchestrated by the cluster |
Persistence
A malicious techniques that enable access to a system long after an initial compromise
RedHat | Kubernetes Persistence
Denial of Service
A denial-of-service (DoS) attack occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor.
CISA | Understanding Denial-of-Service Attacks
Malicious Code Execution and Compromised Applications in Containers
- Update software, containers and cluster
- Backups of key components (etcd, volumes, etc.)
Attacker on the Network
Network attacks are unauthorized actions on the digital assets within an organizational network.
HackTricks Cloud | Kubernetes Network Attacks
Access to Sensitive Data
Sensitive data is mainly access to the ectd data store which contains secrets, code (intellectual property) and volumes (like databases).
Privilege Escalation
Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.
- BishopFox | Bad Pods: Kubernetes Pod Privilege Escalation
- HackTricks Cloud | Kubernetes Privilege Escalation Techniques
Platform Security
This section makes up 16% of the exam
Supply Chain Security
https://www.cncf.io/blog/2022/04/12/a-map-for-kubernetes-supply-chain-security/
Minimizing base images improves security by reducing the potential attack service by remove unneeded services. A cool project to checkout is distroless
Use multi-stage builds to separate build from runtime and only include the necessary packages to run the application.
Image Repository
Image repositories store container images and can offer features such as vulnerability scanning
Example solutions:
Kubernetes | Authenticating to Private Registry
Observability
Logs from containers can easily be viewed with the following command.
kubectl logs <POD> -c <CONTAINER>
Metrics can be retrieved from the cluster and pods with the Metrics API.
kubectl top node
kubectl top pod <POD>
Falco is a tool that monitors the nodes container runtimes for security related events.
Service Mesh
A service mesh is an infrastructure layer that gives applications capabilities like zero-trust security, observability, and advanced traffic management, without code changes.
PKI
Kubernetes uses Public Key Infrastructure to authenticate all components of the cluster. This allows each component to verify each other by verifying the certificate against the root certificate.
Kubernetes | Certificates Best Practices
Connectivity
Admission Control
An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized.
Admission controllers may be validating, mutating, or both.
- Mutating controllers may modify objects related to the requests they admit
- Validating controllers validate the request.
View all admission controllers enabled by default
kubectl exec -it kube-apiserver -n kube-system -- kube-apiserver -h | grep admission-control
To add a new default plugin to the api server updated the manifest. --enable-admission-plugins=NodeRestriction,AlwaysPullImages,...
Compliance and Security Frameworks
This section makes up 10% of the exam
Compliance Frameworks
Red Hat | Kubernetes compliance considerations
Threat Modelling Frameworks
Supply Chain Compliance
Signing container images allows the source running the container to verify who published it.
Pinning images verifies that the image cannot change without resulting in an issue. A pinned image looks like the following:
gcr.io/kaniko-project/executor:v1.15.0@sha256:6aace7210ad8bf0da4b1aa707a1c0ea962d0e871bb1921504c1a5e690d5f6a2a
Automation and Tooling
Many free 3rd party solution are available to audit clusters, workloads and container images