Dec 16, 2020

CKS Certification Study Guide: Cluster Hardening

By: Michael Foster

This is the second installment in our six-part CKS Certification series.

This blog references tools to set up a Kubernetes version 1.19 cluster and review the CKS — Cluster Setup section. You can create a Kubernetes cluster from our GitHub repository using Terraform and Rancher Kubernetes Engine (RKE) in Google Cloud Platform (GCP) or Amazon Web Services (AWS). This cluster environment simulates a real Kubernetes environment rather than a local cluster. To get the cluster up and running, follow the readme.md, which outlines the applications you will need and the repository’s general structure.

Section 2: Cluster Hardening

The second section focuses on controlling access to the Kubernetes cluster environment. The Linux Foundation course outline highlights the following core concepts.

  1. Restrict access to Kubernetes API
  2. Use Role-Based Access Control (RBAC) to minimize exposure
  3. Exercise caution in using service accounts, e.g., disable defaults, minimize permissions on newly created ones
  4. Update Kubernetes frequently

Since this section accounts for 15% of the total points, it is reasonable to expect 3–4 questions on cluster hardening. Each question will need to be completed in about 5–6 minutes on average. Below is an overview of the cluster hardening concepts that the CKS will highlight.

Core Concepts and Topics

Restrict Access to Kubernetes API

Restricting access to the API server is about three things: authentication, authorization, and admission control.

The Kubernetes documentation outlines these topics well, and it is a recommended place to bookmark for the test.

Restricting access to the Kubernetes API server is, and will remain, a pervasive topic that will re-emerge in various concepts throughout the test.

Starting with authentication, the CKS may contain a question on user and service account creation, which may include creating user certificates or service accounts for deployments. The bootstrap tokens feature probably won’t be used due to the limitations of the exam environment.

When it comes to authorization, the CKS will mostly focus on RBAC configuration within the cluster as it is enabled by default today. However, there are other authorization modes to be aware of, including:

Given the time limit, the questions on authorization will most likely focus on implementing RBAC policies and using kubectl auth can-i to determine API access.

Lastly, admission control will continuously be in use throughout various CKS exam topics. An admission controller intercepts requests to the Kubernetes API after the request is authenticated and authorized but before the object is saved in the key-value store.

The Kubernetes documentation lists the admission controllers that are enabled by default in the current version; we recommend bookmarking that section and getting to know each controller intimately. A significant part of this exam involves working with various admission controllers to secure the cluster. They will be highlighted as the study guide moves through the six sections.
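The three stages as they appear on the API server's command line, as an added example that is not part of the original post. It assumes a kubeadm-style static pod manifest; the file paths are kubeadm defaults and are not taken from this guide's RKE cluster.

```yaml
# Added example: excerpt of a kubeadm-style static pod manifest
# (assumed location: /etc/kubernetes/manifests/kube-apiserver.yaml).
# Image, volumes and all other flags are omitted from this excerpt.
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    # 1. Authentication: client certificates signed by this CA are accepted.
    #    The certificate's CN becomes the user name, its O fields the groups.
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    # 2. Authorization: modes are consulted in the order listed; the first
    #    mode to approve or deny a request decides it.
    - --authorization-mode=Node,RBAC
    # 3. Admission control: plugins run after authentication and
    #    authorization, before the object is written to the key-value store.
    #    NodeRestriction limits a kubelet to its own Node object and the
    #    Pods bound to that node.
    - --enable-admission-plugins=NodeRestriction
```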

Use RBAC to minimize exposure

This section is somewhat of a repeat of the previous concept, except this section focuses exclusively on RBAC. The concepts will include:

This concept will also highlight the binding of roles to “subjects” such as users, groups, and service accounts. Expect questions focused on binding service accounts and users to specific access within the cluster.

Exercise caution in using service accounts, e.g. disable defaults, minimize permissions on newly created ones

This concept expands on the previous one and focuses on the proper implementation of subjects. This includes giving default service accounts the lowest permissions, removing unnecessary service account permissions, and using kubectl auth can-i to assess API access.
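A least-privilege setup covering the RBAC and service account concepts above, as an added example that is not part of the original post. The namespace demo and the names app-reader and pod-reader are made up for illustration.

```yaml
# Added example; all names below are illustrative assumptions.
# Stop the namespace's default service account from mounting an API token
# into every pod that does not name a service account.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: demo
automountServiceAccountToken: false
---
# Dedicated account for the one workload that needs API access.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-reader
  namespace: demo
---
# Namespaced Role: read-only access to pods, no wildcards.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: demo
rules:
- apiGroups: [""]            # "" is the core API group
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
# Bind the Role to the service account (the "subject").
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-reader-pod-reader
  namespace: demo
subjects:
- kind: ServiceAccount
  name: app-reader
  namespace: demo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
---
# Verify by impersonating each account:
#   kubectl auth can-i list pods   -n demo --as=system:serviceaccount:demo:app-reader
#   kubectl auth can-i delete pods -n demo --as=system:serviceaccount:demo:app-reader
#   kubectl auth can-i --list      -n demo --as=system:serviceaccount:demo:default
```

With no other bindings in the namespace, the Role grants the list request and nothing grants the delete request; the --list form shows everything the default account can still do.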

Update Kubernetes frequently

The last topic was added during the detailed CKS announcement, and it is unclear how it will be tested. There may be an upgrade question, as the documentation about upgrading with kubeadm has improved significantly in recent releases. For instance, a student may need to upgrade from version 1.18 to 1.19, or possibly drain and update a single node on the cluster. This topic was most likely added because version 1.15 is the average cluster version in production today and, in parallel, the community wants users to take advantage of the updated security features in the last few releases.

Learn More

The StackRox CKS study guide contains a list of more resources and the ability to create a Kubernetes 1.19 cluster. In the GitHub repository, six folders contain mock exam questions and answers. Make sure to star and watch the repository for new updates as you begin your quest to become a Certified Kubernetes Security Specialist.