My Notes (Cheatsheet)
This section includes rough notes (mainly those that I need to remember) from videos, official docs and other materials I used in reviewing for KCSA certification. Understanding the concepts below also helps me in clearing majority of the exam questions - but please do read first all the references provided in the previous sections especially those that are coming from CNCF and Kubernetes official documentation.
Security Overview
Security Principles
Defense in Depth
Least Privilege
Limiting the Attack Surface
4Cs of Cloud Native Security
Cloud -> Cluster -> Container -> Code
Kubernetes Security Categories
Host Operating System
Restrict SSH access
Kubernetes Cluster
Componenets are running secure and up-to-date:
API Server
Kubelet
ETCD
Restrict (external) access
Use AuthN → AuthZ -> Admission Controller
Admission Controllers
Node Restriction
Custom Policies (OPA)
Enable Audit Logging
Security Benchmarking
Application
Use Secrets / no hard-coded creds
RBAC
Container Sandboxing
Container Hardening
Run as User
Vulnerability Scanning
mTLS / Service Mesh
Containers
Containers and Images
Image - multi-layer binary
Container - running instance of an image
Linux Kernel Namespaces
Namespace isolate processes
PID | Mount | Network | User
namespaces- restrict what process can see (Users, Filesystem, Other Processes)cgroups- restricts resource usage of processes (CPU, RAM, Disk)
Container Tools
Docker
Containerd
Crictl
Podman
Network Security Policies
Network Policies
Firewall rules in Kubernetes
Implemented by Network Plugins CNI (e.g. Calico, Weave)
Namespace Level
Restrict ingress/egress based on certain rules and conditions
By default every pod can access every pod (Pod are not isolated)
Selectors
podSelector
namespaceSelector
ipBlock
If pod has multiple network policy, then the union of all policies is applied - order of the policies doesn’t affect policy.
Create default deny is a best practice
Allow DNS resolution
Access Controls
Principle of Least Privilege
Kubernetes has namespaced and non-namespaced resources
kubectl api-resources --namespaced=truekubectl api-resources --namespaced=false
Roles and ClusterRoles - set of permissions
RoleBinding and ClusterRoleBinding - association of roles to something
Permissions are additive
Testing of permission
kubectl auth can-iAccounts
Service Accounts
Normal Users
Cluster Hardening - Upgrade Kubernetes
First upgrade the masters components
apiserver, controller-manager, scheduler
Then the worker components
kubelet, kube-proxy
Components same minor version as apiserver
OS Level Security Domains
Security Context
Define privilege and access control for pod
userIDandgroupIDRun privileged or unprivileged
Linux capabilities
Force container to run as non-root
- name: pod
...
securityContext:
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
...Privilegedmeans that the container user 0 (root) is directly mapped to host user 0 (root)PrivilegeEscalationcontrols whether a process can gain more privileges than its parent process
Service Mesh & Mutual TLS (mTLS)
Service Mesh / Proxy
Provide secure communication features such as mutual TLS (mTLS) encryption, authentication, and authorization.
Examples: Istio, Linkerd
mTLS
Mutual authentication
Two-way (bilateral) authentication
Open Policy Agent
OPA is an open source, general-purpose policy engine that enables unified context-aware policy enforcement across the entire attack.
Not Kubernetes specific
Easy implementation of policies using Rego langiage
Works with JSON/YAML
In Kubernetes, it uses Admission Controllers
OPA - Gatekeeper
Uses CRDS to implement OPA
Kinds:
ConstraintTemplate
K8sRequiredLabels
Auditing
Audit Policy Rule Levels
None
Metadata
Request
RequestResponse
Isolation Techniques
Namespace
Access Controls
Quotas
Network
Storage
Node
Compliance & Security Frameworks
Center for Internet Security (CIS) Kubernetes Benchmark
NIST Application Container Security for Kubernetes
NSA & CISA Kubernetes Hardening Guidance
PCI DSS Compliance for Kubernetes
Last updated