Agenda: 1. Introduction 2. Shift-left and DevSecOps 3. General Security Concepts 4. The 4C’s of Cloud Native Security 5. Kubernetes Security Starter Kit 6. CKS Exam Overview and Tips Overview: A dive into Kubernetes Security Best Practices in addition to tips for the Certified Kubernetes Security Specialist (CKS) exam. The 1-3 sections are for everyone and they will cover the security in the container era. So it doesn’t matter what’s your title or background, they are a good start for anyone. The 4-6 sections will dive more into Kubernetes security, so probably DevOps engineers and SREs will find that more interesting. But in general anyone interested in Kubernetes security is more than welcome.

1. Kubernetes Security
Best Practices
With tips for the CKS exam
Ahmed AbouZaid, Sr. DevOps Engineer, Camunda
June 2022
1

2. About
2
Ahmed AbouZaid
Passionate about DevOps, Cloud/Kubernetes specialist,
Free/Open source geek, and an author.
• I believe in self CI/CD (Continuous Improvements/Development)
also that “The whole is greater than the sum of its parts”.
• DevOps transformation, automation, data, and metrics.
are my preferred areas.
• And I like to help both businesses and people to grow.
Find me at:
tech.aabouzaid.com | linkedin.com/in/aabouzaid

3. 3
Introduction
Agenda
Shift-left and DevSecOps
General Security Concepts
The 4C’s of Cloud Native Security
Kubernetes Security Starter Kit
1
5
4
3
2
CKS Exam Overview and Tips
6
For
Everyone
For
Kubernetes
Specialists

4. Introduction
4

5. Containers
Technology for packaging an application
along with its runtime dependencies
Container Runtime
A software that is responsible for running
containers (e.g. Docker Engine, containerd, etc.)
Kubernetes
A cloud-native platform to manage
and orchestrate containers workloads
Introduction
5

6. Shift-left and DevSecOps
6

7. Shift-left and DevSecOps
Shift-left
A practice of moving quality measures and development activities as early as possible
in the software lifecycle. Which reduces time and risk of issues before the release.
7
Image source: Devopedia

8. DevSecOps
(Development, Security, and Operations)
An approach that extends DevOps
to integrate security as a shared
responsibility throughout the entire
software lifecycle. DevSecOps relies
on iterative methodologies like Agile.
Shift-left and DevSecOps
8
Image source: Dynatrace

9. General Security Concepts
9

10. General Security Concepts
10
Reducing Attack Surface
Least Privilege Principle
Security by Design and Secure by Default
Updating Frequently
1
2
3
4

11. The 4C’s of Cloud Native Security
11

12. The 4C's of Cloud Native Security
12
Container
The security of Dockerfile/Containerfile, container
image, and container access and isolation.
Code
The security of actual programming language code
like implementation, 3rd party dependency.
Cluster
The Kubernetes cluster-level security like
configuration, access, and internal network.
Cloud
The security of cloud infrastructure, co-located servers,
or corporate datacenter like OS and external network.
1
2
3
4 Image source: EDB

13. ■ Cloud/Infrastructure Provider Security Best Practices
■ External Network Restriction
■ Operating System Hardening
■ Areas: Disabling root login, access control, firewall, SSH configuration, etc.
■ Tools: CIS Benchmarks
C1: Cloud
13

14. C2: Cluster
■ Overall Cluster Hardening
■ Areas: Authentication, authorization, etcd
■ Tools: RBAC, Kube-bench, Kube-hunt
■ Security Policies
■ Areas: Deployment specs, services access, admission controllers
■ Tools: Network Policy, Pod Security Admission, Open Policy Agent
■ Auditing
■ Tools: Built-in Audit Policy, Falco, Tracee
■ Container Runtime Sandbox
■ Tools: Kata containers, gVisor
14

15. ■ Static Code Analysis
■ Areas: Kubernetes resources, Docker/container files
■ Tools: Kubesec, Checkov
■ Container Image Supply Chain
■ Areas: Trusted container registry, container image vulnerability
■ Tools: Trivy, Snyk, ImagePolicyWebhook
■ Container Access
■ Areas: Container user, container filesystem access, privileged container
■ Tools: Built-in SecurityContext, Seccomp, AppArmor, SElinux
C3: Container
15

16. C4: Code
■ Programming Language Security Best Practices
■ Static Code Analysis
■ Tools: SonarQube, Snyk
■ Penetration Testing
■ 3rd Party Dependency Security
16

17. Kubernetes Security Starter Kit
17

18. 4 Kubernetes security tools that everyone should have:
■ Kube-linter
Use it to lint and unify your Kubernetes manifests to apply
best practices. (Also check Conftest for more powerful options)
■ Kubesec
Use it to analyze Kubernetes manifests either statically
in the CI or dynamically as an admission webhook.
■ Snyk
Use it to scan programming code and Docker/container image
for vulnerabilities.
■ Kube-hunter
Use it to spot and identify the weaknesses in Kubernetes
clusters. Try first the “passive mode”, and be careful with
the “active mode” (it could be dangerous).
18

19. CKS Exam Overview and Tips
19

20. Overview
■ Certified Kubernetes Security Specialist (CKS) was introduced in 2020 which is
the 3rd certificate after CKA and CKAD.
■ A valid CKA certification is required as a prerequisite.
■ The CKS certificate is valid for 2 years.
■ The exam available in a remote setup (you can make it from your home)
and it costs 300$ (but could get up to 50% discount around the year).
■ The exam has 12 months eligibility and 1-time free retake.
■ CKS is a hands-on exam that takes 2 hours, 15-20 tasks with different weights.
CKS Exam Overview and Tips
20

21. Tips
■ Practices a lot! It’s a hands-on exam! Especially Killer.sh exam simulator.
■ Time management is the key. 2 hours are not much for all those questions.
■ Track the questions. Use the embedded notepad or flags in the exam.
■ Familiarize yourself with official documentation. You can open 1 extra tab.
■ Get familiar with the web terminal. It has different shortcuts for copy/paste.
■ Get a bigger screen! The laptop or small screen will limit you a lot.
■ Disable "Ctrl + w" shortcut! This shortcut is used almost everywhere! And it will
close your exam tab if you hit it unintentionally.
More details at my blog: Certified Kubernetes Security Specialist exam tips
CKS Exam Overview and Tips
21

22. Thank You :-)
linkedin.com/in/aabouzaid
tech.aabouzaid.com
22
Questions?

23. Resources
23
■ Overview of Cloud Native Security - Kubernetes
■ Kubernetes Security Cheat Sheet - OWASP
■ Shift Left - Devopedia
■ Shift-Left Security: The Basics of Threat Modeling - Iterasec
■ What is DevSecOps? And what you need to do it well - Dynatrace
■ How DevSecOps brings security into the development process - Red Hat Developer