By Sébastien Féré.
It’s been a while since I shared some tips from my first CNCF certification exam. Meanwhile, I and several teammates at SoKube successfully passed the CK{AD,A,S} series, which makes SoKube a KCSP and KTP certified company. This makes total sense as we – at SoKube – help other companies enter and mature in the Container & Kubernetes ecosystem and, more globally, navigate the entire Cloud-Native landscape!
Certified Kubernetes Security specialist
True at some point! CKS is still an online proctored exam composed of a bunch of labs or problems to solve. You can read many blogposts out there, presenting the curriculum and a few tips.
I thought I already knew a lot about Kubernetes from the topics covered by the CKAD / CKA. I then realized CKS unveils a whole new dimension, one that largely extends beyond the boundaries of the Kubernetes cluster…
If you want details of the proctoring procedure, the hands-on lab experience or time-boxing concerns, I suggest you read my previous blogpost. Here I would like to emphasise the important changes since 2020 and the things that really matter for your CKS exam. Besides, you should already be accustomed to the protocol, as the CKA is mandatory to register for the CKS exam.
Doing a copy-paste of the CKS curriculum doesn’t bring a lot of value; you can easily find it on the CNCF website or on GitHub. Instead I would rather highlight the Security topics within the Kubernetes documentation pages. These pages will be useful during the exam, unless you prefer using the "search" bar of the Kubernetes documentation site and remembering the keywords (AppArmor, Ingress, Security Context, …).
Cluster Setup & Networking
Container Runtime Security
Control-plane components
Kernel hardening
Kubernetes primitives
Policies & Security Context
Observability
Software Supply Chain
You might notice some minor improvements to the exam UI, but it’s in the console that things happen 😃 It’s no longer necessary to learn and remember the commands to enable the "k" alias or the completion. These are enabled by default in the candidate session and on all Kubernetes control-plane and worker nodes!
You can still boost your shell experience a little with these two, but it makes a bit less sense for the CKS as you often have to connect to Kubernetes nodes (where the variables exported in your candidate session are not available).
# speed up imperative commands, e.g. k run web --image=nginx $dy > web.yaml
export dy="--dry-run=client -o yaml"
# speed up pod termination, e.g. k delete po web $now
export now="--force --grace-period 0"
Imperative commands using kubectl (or "k") are still very useful; however, this is not the major area of interest for the CKS certification.
As a Security specialist, you will have to detect undesired behaviors inside Kubernetes clusters, including overly permissive RBAC profiles, suspicious containers, etc.
As a matter of fact, you will have to delete some resources. What could possibly be worse than deleting the wrong Pod without any chance to recover its configuration? 😰
# backup a single resource configuration
k get po -n <ns> my-pod -o yaml > 13-pod.yaml
# backup several resources at once
k get deploy -n <ns> -o yaml > 8-deploy.yaml
These commands ensure you can recover from any kind of mistake, whether in an edit or a delete operation, unless you forget the -o yaml 😥
As many security options are related to the Kube API server and are activated through its static manifest configuration file, being confident in any situation regarding the API server is your best asset! This includes:
It is very likely that you will make mistakes in the API server or Kubelet configuration, so you should be prepared to:
# check the API server is running
ps aux | grep api
# check the logs
tail -f /var/log/pods/...
The Kube API server Pod can take some time to be up & running again, and the API server port can also take some time to respond, but the process usually starts within seconds…
Sometimes, the Kube API server will not restart automatically. Then you have to force the restart of the Kube API server:
# Option 1 - Move back... and forth
cd /etc/kubernetes/manifests
mv kube-apiserver.yaml ..
mv ../kube-apiserver.yaml .
# Option 2 - Restart the process
ps aux | grep api
kill -s HUP <pid>
# if no process spawns, then you need to double-check your changes
vi kube-apiserver.yaml
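The manual routine above (back up the manifest, edit it, check the process and the port come back) wrapped in a few POSIX shell helpers. This is an added example, not code from the original post: the manifest directory, the backup location and the /healthz URL are assumptions for a kubeadm-style control-plane node. One caveat worth building in: the kubelet loads every file in the manifests directory as a static Pod, so the backup copy must live elsewhere. The health check relies on the unauthenticated /healthz endpoint; if you have disabled anonymous authentication on the API server (a common hardening step), pass your own check command instead, for instance the ps-based one from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: helpers for editing a
# static-pod manifest safely. Paths and the health URL are assumptions.

MANIFEST_DIR="${MANIFEST_DIR:-/etc/kubernetes/manifests}"
# The kubelet treats EVERY file in MANIFEST_DIR as a static Pod manifest,
# so backups must live outside it (a kube-apiserver.yaml.bak left in that
# directory would be started as a second Pod).
BACKUP_DIR="${BACKUP_DIR:-/root/manifest-backups}"
HEALTHZ_URL="${HEALTHZ_URL:-https://127.0.0.1:6443/healthz}"

# backup_manifest NAME: copy NAME.yaml out of the manifests directory,
# print the path of the copy, fail if the manifest does not exist.
backup_manifest() {
  mkdir -p "$BACKUP_DIR" || return 1
  _src="$MANIFEST_DIR/$1.yaml"
  _dst="$BACKUP_DIR/$1.yaml.$(date +%Y%m%d-%H%M%S)"
  [ -f "$_src" ] || return 1
  cp "$_src" "$_dst" || return 1
  printf '%s\n' "$_dst"
}

# restore_manifest NAME BACKUP_PATH: put a saved copy back in place; the
# kubelet notices the changed file and recreates the static Pod.
restore_manifest() {
  cp "$2" "$MANIFEST_DIR/$1.yaml"
}

# apiserver_healthy: the "does the port answer" check from the post.
# /healthz returns the plain text "ok" once the server is serving.
apiserver_healthy() {
  curl -sk --max-time 2 "$HEALTHZ_URL" 2>/dev/null | grep -q '^ok$'
}

# wait_for_apiserver TIMEOUT_SECONDS [CHECK_CMD...]: poll once per second
# until CHECK_CMD succeeds (default: apiserver_healthy); returns 1 on timeout.
wait_for_apiserver() {
  _timeout="$1"; shift
  [ $# -gt 0 ] || set -- apiserver_healthy
  _elapsed=0
  while [ "$_elapsed" -lt "$_timeout" ]; do
    "$@" && return 0
    sleep 1
    _elapsed=$((_elapsed + 1))
  done
  return 1
}

# Typical flow on a control-plane node (kept as comments so this file can be
# sourced without side effects):
#   bak=$(backup_manifest kube-apiserver)
#   vi "$MANIFEST_DIR/kube-apiserver.yaml"
#   wait_for_apiserver 90 || { restore_manifest kube-apiserver "$bak"; wait_for_apiserver 90; }
```

Sourcing the file and following the commented flow gives you a way back when the edited manifest never comes up: restore the copy, wait again, and only then look at the diff between the two files to find the typo.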
Even if you plan to take the exam late… I mean the day before your voucher expires, or even a few hours before the deadline 🤨 Well, whenever you plan to take the exam, register at least two or three weeks in advance. That way you will be able to choose the schedule you want, according to when you perform best!
Also, if you’re not confident and possibly plan to use the "free retake", make arrangements to have enough time between exam sessions…
24 hours – that is how long you will have to wait before receiving a lovely email starting with "Congratulations! You have successfully …". It may seem quite long, but it’s a huge improvement compared to the initial 36 hours a couple of months ago.
Why should you dive into Kubernetes Security? Why should you spend after-work night hours learning and performing mock exams while you could relax watching the new trendy series on your preferred streaming platform?! To get another certification badge for your LinkedIn profile? There are far better reasons than that!
Outside your comfort zone is where the magic happens
As stated in the course about Kubernetes Security Essentials from the Linux Foundation, cyber attackers have the advantage compared to the Internal Security Response Team – they can decide the:
In many companies, the Security Teams are often undersized in comparison to the IT Development capabilities. Kubernetes offers a wide range of security measures from prevention to detection that will help you:
CNCF landscape – Security & Compliance
Year 2021 is coming to an end, so we can expect to read the 2021 CNCF report in a couple of days. Figures from the previous CNCF 2020 annual report were just amazing – more than 55,000 enrollments for the CKA and CKAD exams. The launch of the CKS exam in November 2020, …
And I suspect figures for 2021 to be even more astonishing! Wait and see 😉
Far beyond the exam and certification concerns, I honestly learned a lot about security in Kubernetes clusters, beyond what I was already aware of. The CKS will definitely give you an understanding and a toolbox to answer various security challenges in the Container space. However, this will not make you a seasoned security expert, and it will not supersede long discussions and workshops with your Network, System and Security teams.
With all the topics covered in the CKS curriculum, you might think your Security Journey is over?! Some important topics are left out as they’re not directly related to Kubernetes:
Based on our experience at SoKube, I would state that Security concerns are equally shared between the Software Supply Chain and the Kubernetes Infrastructure.
A good thought as a final point – I have often heard about a tradeoff between Convenience and Security – this rings less true to me. While traditional security was a matter for a few experts, Cloud-Native Security tends to be more accessible.
Security should be a built-in capability of your Container Infrastructure and Software Supply Chain. Just remember that… if you don’t build Container Security in from the very beginning, you will create a huge amount of debt that you might have to pay some day in Bitcoins!