Certified Kubernetes Security (CKS)
Description

This course emphasizes the skills and knowledge needed to secure container-based applications and Kubernetes platforms during build, deployment, and runtime.

As a security expert in the DevOps world, your role is to observe and track activity.

After completing this course, you will be able to understand Kubernetes processes without inserting security systems or gatekeepers that slow the process down, observe fast-moving DevOps processes, and pinpoint which container, process, or subsystem is the source of a security concern.

Essential skills that you will gain include:

  • Cluster Setup
  • Cluster Hardening
  • System Hardening
  • Minimizing Microservices Vulnerabilities

Prerequisites

  • Working knowledge of Kubernetes and/or CKA
  • Basic Linux skills are helpful
  • Familiarity with a text editor like vi, vim, or nano is helpful

Audience

  • This course is ideal for anyone holding a CKA certification and interested in, or responsible for, cloud security.

Learning Objectives

  • Cluster Setup
  • Cluster Hardening
  • System Hardening
  • Minimizing Microservices Vulnerabilities
  • Supply Chain Security
  • Monitoring, Logging and Runtime Security
  • AI LLM prompt engineering for generating configuration snippets and solutions

Course Outline

1: Cloud Security Primer

  • Basic Principles
  • Threat Analysis
  • Approach
  • CIS Benchmarks
  • Hands-on Labs
    • CIS Benchmarks

2: Securing your Kubernetes Cluster

  • Kubernetes Architecture
  • Pods and the Control Plane
  • Kubernetes Security Concepts

3: Install Kubernetes using kubeadm

  • Configure Network Plugin Requirements
  • Kubeadm Basic Cluster
  • Join Node to Cluster
  • Kubeadm Token
  • Kubeadm Cluster Upgrade
  • Hands-on Labs
    • Configure Network Plugin Requirements
    • Installing Kubeadm
    • Join Node to Cluster
    • Manage Kubeadm Tokens
    • Kubeadm Cluster Upgrade

4: Securing the kube-apiserver

  • Configuring the kube-apiserver
  • Falco
  • Enable Pod Security Policies
  • Encrypt Data at Rest
  • Benchmark Cluster with Kube-Bench
  • Hands-on Labs
    • Enable Audit Logging
    • Deploy Falco to Monitor System Calls
    • Encryption Configuration
    • Kube-Bench

5: Securing ETCD

  • ETCD Isolation
  • ETCD Disaster Recovery
  • ETCD Snapshot and Restore
  • Hands-on Labs
    • ETCD Snapshot and Restore

6: Purge Kubernetes

  • Purge Kubeadm
  • Hands-on Labs
    • Purge Kubeadm

7: Image Scanning

  • Container Essentials
  • Secure Containers
  • Scanning with Trivy
  • Snyk Security
  • Hands-on Labs
    • Creating a Docker Image
    • Trivy

8: Manually Installing Kubernetes

  • Kubernetes the Alta3 Way
  • Lecture: Validate your Kubernetes Installation
  • Hands-on Labs
    • Deploy Kubernetes the Alta3 Way
    • Sonobuoy K8s Validation Test

10: Kubectl (Optional)

  • Kubectl get and sorting
  • Hands-on Labs
    • kubectl get
    • kubectl describe

11: Labels (Optional)

  • Labels
  • Annotations
  • Hands-on Labs
    • Labels and Selectors
    • Insert an Annotation

12: Securing your Application

  • Scan a Running Container
  • Security Contexts for Pods
  • AppArmor Profiles
  • Isolate Container Kernels
  • Hands-on Labs
    • Tracee
    • Understanding Security Contexts
    • AppArmor
    • gVisor

13: User Administration

  • Contexts
  • Authentication and Authorization
  • Role-Based Access Control
  • Service Accounts
  • Hands-on Labs
    • Contexts
    • Role-Based Access Control
    • RBAC Distributing Access
    • Limit Pod Service Accounts

14: Implementing Pod Policy

  • Admission Controller
  • Pod Security Standards
  • Open Policy Agent
  • Hands-on Labs
    • Create a LimitRange
    • Enable PSS
    • Deploy Gatekeeper

15: Securing Secrets

  • Secrets
  • HashiCorp Vault
  • Hands-on Labs
    • Create and Consume Secrets

16: Securing the Network

  • Networking Plugins
  • NetworkPolicy
  • mTLS
  • Hands-on Labs
    • Deploy a NetworkPolicy
    • Namespace Network Policy
    • mTLS with Linkerd
    • Linkerd Dashboard

17: Threat Analysis and Detection

  • Active Threat Analysis
  • Host Intrusion Detection
  • Network Intrusion Detection
  • Physical Intrusion Detection

Stay Connected with Nutanix University

Subscribe to our Education Blog to stay informed of the latest news and announcements from Nutanix University!

For more information or questions contact university@nutanix.com