Agenda:
1. Introduction
2. Shift-left and DevSecOps
3. General Security Concepts
4. The 4C’s of Cloud Native Security
5. Kubernetes Security Starter Kit
6. CKS Exam Overview and Tips
Overview:
A dive into Kubernetes Security Best Practices in addition to tips for the Certified Kubernetes Security Specialist (CKS) exam.
Sections 1-3 are for everyone; they cover security in the container era. So regardless of your title or background, they are a good start for anyone.
Sections 4-6 dive deeper into Kubernetes security, so DevOps engineers and SREs will probably find them more interesting. But in general, anyone interested in Kubernetes security is more than welcome.
2. About
Ahmed AbouZaid
Passionate about DevOps, Cloud/Kubernetes specialist, Free/Open source geek, and an author.
• I believe in self CI/CD (Continuous Improvements/Development) and also that “The whole is greater than the sum of its parts”.
• DevOps transformation, automation, data, and metrics are my preferred areas.
• And I like to help both businesses and people to grow.
Find me at:
tech.aabouzaid.com | linkedin.com/in/aabouzaid
3. Agenda
For everyone:
1. Introduction
2. Shift-left and DevSecOps
3. General Security Concepts
For Kubernetes specialists:
4. The 4C’s of Cloud Native Security
5. Kubernetes Security Starter Kit
6. CKS Exam Overview and Tips
5. Containers
Technology for packaging an application along with its runtime dependencies.
Container Runtime
Software responsible for running containers (e.g. Docker Engine, containerd, etc.).
Kubernetes
A cloud-native platform to manage and orchestrate container workloads.
Introduction
7. Shift-left and DevSecOps
Shift-left
A practice of moving quality measures and development activities as early as possible in the software lifecycle, which reduces the time and risk involved in dealing with issues before the release.
Image source: Devopedia
8. DevSecOps (Development, Security, and Operations)
An approach that extends DevOps to integrate security as a shared responsibility throughout the entire software lifecycle. DevSecOps relies on iterative methodologies like Agile.
Image source: Dynatrace
12. The 4C's of Cloud Native Security
1. Code
The security of the actual programming-language code, such as its implementation and 3rd-party dependencies.
2. Container
The security of the Dockerfile/Containerfile, the container image, and container access and isolation.
3. Cluster
The Kubernetes cluster-level security, such as configuration, access, and the internal network.
4. Cloud
The security of the cloud infrastructure, co-located servers, or corporate datacenter, such as the OS and the external network.
Image source: EDB
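As an added example that is not part of the original deck, here is what the Container layer looks like in practice: a Dockerfile with the usual weak defaults, followed by a hardened version of the same image. Both are shown in one listing but are two separate files, and both are written for a hypothetical Python service (app.py, requirements.txt and port 8080 are assumptions). The hardened version pins the base image, copies only what the image needs, and runs the process as an unprivileged user.

```dockerfile
# ---- Dockerfile.weak (illustrative, the common defaults) ----
# Floating tag: the base image can change underneath you between builds,
# so builds are not reproducible and a later pull may bring a different base.
FROM python:latest
WORKDIR /app
# Copies the whole build context, including .git, .env or other secrets if present.
COPY . .
RUN pip install -r requirements.txt
# No USER directive: the application runs as root inside the container.
CMD ["python", "app.py"]

# ---- Dockerfile.hardened ----
# Pin the base image to a specific version. For fully reproducible builds pin to a
# digest as well (python:3.12-slim@sha256:<digest from your registry>); a slim image
# also carries fewer packages that need patching.
FROM python:3.12-slim

# Create a dedicated unprivileged user and group for the service (Debian-based image).
RUN groupadd --system app && useradd --system --gid app --create-home app

WORKDIR /app

# Install dependencies first so this layer is cached independently of code changes.
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Copy only the application file(s) the image needs (pair this with a .dockerignore).
COPY app.py .

# Drop root privileges before the process starts.
USER app

EXPOSE 8080
CMD ["python", "app.py"]
```

In a Kubernetes cluster the USER directive is complemented by runAsNonRoot: true in the pod's securityContext: with that set, the kubelet refuses to start a container whose image would run as UID 0, so an image that forgets the USER line fails loudly instead of running as root.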
18. 4 Kubernetes security tools that everyone should have:
■ Kube-linter
Use it to lint and unify your Kubernetes manifests to apply best practices. (Also check Conftest for more powerful options.)
■ Kubesec
Use it to analyze Kubernetes manifests, either statically in the CI or dynamically as an admission webhook.
■ Snyk
Use it to scan programming code and Docker/container images for vulnerabilities.
■ Kube-hunter
Use it to spot and identify weaknesses in Kubernetes clusters. Try the “passive mode” first, and be careful with the “active mode” (it could be dangerous).
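The shift-left idea from the earlier section and the static manifest checks that Kube-linter and Kubesec perform can be illustrated with a small checker. This is an added example, not code from any of the tools above: it applies a handful of rules of the same kind (privileged containers, host namespaces, unpinned image tags, missing runAsNonRoot, readOnlyRootFilesystem and capability drops, missing resource limits) to two constructed Deployment manifests, one weak and one hardened. The manifests are written as JSON, which Kubernetes accepts alongside YAML, so only the standard library is needed.

```python
"""Minimal static checker for Kubernetes Pod/Deployment manifests.

Added example modelled on the kind of rules kube-linter and kubesec apply;
it is not either tool's code. Manifests are JSON so no YAML library is needed.
"""
import json

# Constructed sample: a Deployment with the usual insecure defaults.
WEAK_MANIFEST = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{"name": "web", "image": "example/web:latest",
                        "securityContext": {"privileged": True}}]}}}})

# Constructed sample: the same workload with a hardened pod/container spec.
HARDENED_MANIFEST = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "web", "image": "example/web:1.4.2",
                        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
                        "securityContext": {
                            "allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"]}}}]}}}})


def pod_spec(manifest):
    """Return the PodSpec of a Pod or of a template-bearing workload (Deployment, Job, ...)."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})


def check_manifest(text):
    """Return a sorted list of 'rule: detail' findings for one JSON manifest."""
    manifest = json.loads(text)
    spec = pod_spec(manifest)
    pod_sc = spec.get("securityContext", {})
    findings = []
    # Host namespaces give the pod a view of the node's network/processes/IPC.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(f"host-namespace: {key} is enabled")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        image = c.get("image", "")
        # Floating or missing tag: the running image can change without a manifest change.
        if ":" not in image.split("/")[-1] or image.endswith(":latest"):
            findings.append(f"image-tag: {name} uses an unpinned image '{image}'")
        if sc.get("privileged"):
            findings.append(f"privileged: {name} runs privileged")
        # allowPrivilegeEscalation defaults to true unless explicitly disabled.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"privilege-escalation: {name} allows privilege escalation")
        # runAsNonRoot may be set at the pod or the container level.
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"run-as-non-root: {name} may run as root")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"read-only-rootfs: {name} has a writable root filesystem")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"capabilities: {name} does not drop ALL capabilities")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"resource-limits: {name} has no resource limits")
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        result = check_manifest(text)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Run as a script it prints eight findings for the weak manifest and none for the hardened one. In a CI job the same function would fail the pipeline on a non-empty result, which is the "statically in the CI" mode the slide describes for Kubesec; the admission-webhook mode applies the same rules at deploy time instead.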
20. Overview
■ Certified Kubernetes Security Specialist (CKS) was introduced in 2020 and is the 3rd certificate after CKA and CKAD.
■ A valid CKA certification is required as a prerequisite.
■ The CKS certificate is valid for 2 years.
■ The exam is available in a remote setup (you can take it from home) and costs $300 (but discounts of up to 50% are offered during the year).
■ The exam purchase has 12 months of eligibility and includes a 1-time free retake.
■ CKS is a hands-on exam that takes 2 hours, with 15-20 tasks of different weights.
CKS Exam Overview and Tips
21. Tips
■ Practice a lot! It’s a hands-on exam! Especially with the Killer.sh exam simulator.
■ Time management is the key. 2 hours are not much for all those questions.
■ Track the questions. Use the embedded notepad or flags in the exam.
■ Familiarize yourself with the official documentation. You can open 1 extra tab.
■ Get familiar with the web terminal. It has different shortcuts for copy/paste.
■ Get a bigger screen! A laptop or small screen will limit you a lot.
■ Disable the "Ctrl + w" shortcut! This shortcut is used almost everywhere, and it will close your exam tab if you hit it unintentionally.
More details at my blog: Certified Kubernetes Security Specialist exam tips
23. Resources
■ Overview of Cloud Native Security - Kubernetes
■ Kubernetes Security Cheat Sheet - OWASP
■ Shift Left - Devopedia
■ Shift-Left Security: The Basics of Threat Modeling - Iterasec
■ What is DevSecOps? And what you need to do it well - Dynatrace
■ How DevSecOps brings security into the development process - Red Hat Developer