References for CKS Exam Objectives - Certified Kubernetes Security Specialist
# install kube-bench in the current host dir
docker run --rm -it -v `pwd`:/host aquasec/kube-bench:latest install
# benchmarking your cluster (the target is the node role, master or node, not a node name;
# run the binary on that node, since kube-bench inspects local config files and process arguments)
./kube-bench master
./kube-bench node
CIS benchmark dedicated for each distribution
"Container Security" by Liz Rice, which covers AppArmor, seccomp, SELinux and the rest of the kernel isolation mechanisms.
PSP (deprecated in Kubernetes 1.21 and removed in 1.25, superseded by Pod Security Admission): https://kubernetes.io/docs/concepts/policy/pod-security-policy/
OPA : https://www.openpolicyagent.org/docs/latest/kubernetes-primer/
Security Context : https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
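The three links above (PSP, OPA, Security Context) all come down to the same set of checks on a Pod's securityContext. The following is an added example, not code from the Kubernetes docs or the OPA project: the policy a PodSecurityPolicy or an OPA/Gatekeeper constraint would enforce at admission time, written in Python so it can be run and tested offline. The allowed-capability list and the two sample Pod manifests are constructed for the example.

```python
"""Pod hardening policy: the checks a PodSecurityPolicy or an OPA/Gatekeeper
constraint would apply to a Pod's securityContext at admission time.
Hypothetical example code, not from the Kubernetes docs or the OPA project."""
from typing import Dict, List

# Capabilities a container may add on top of the dropped set (assumption).
ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}


def all_containers(pod: Dict) -> List[Dict]:
    """Every container in the Pod, including init and ephemeral containers."""
    spec = pod.get("spec", {})
    return (spec.get("initContainers", []) + spec.get("containers", [])
            + spec.get("ephemeralContainers", []))


def check_pod(pod: Dict) -> List[str]:
    """Return the list of policy violations; an empty list means admit."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    violations: List[str] = []

    # Pod-level host namespace sharing and hostPath mounts are container escapes.
    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag):
            violations.append(f"pod: {flag} is not allowed")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            violations.append(f"pod: hostPath volume {vol.get('name')!r} is not allowed")

    for c in all_containers(pod):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"{name}: privileged is not allowed")
        # Unset means escalation is allowed, so the field must be explicitly false.
        if sc.get("allowPrivilegeEscalation", True):
            violations.append(f"{name}: allowPrivilegeEscalation must be false")
        # Container-level securityContext overrides the pod-level one.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            violations.append(f"{name}: runAsNonRoot must be true")
        if not sc.get("readOnlyRootFilesystem", False):
            violations.append(f"{name}: readOnlyRootFilesystem must be true")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            violations.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add", [])) - ALLOWED_ADD_CAPS
        if extra:
            violations.append(f"{name}: capabilities.add {sorted(extra)} not allowed")
    return violations


# Constructed sample manifests: the weak one mounts the Docker socket and runs
# privileged on the host network; the hardened one is what the policy admits.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "weak"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "docker-sock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{"name": "app", "image": "nginx",
                        "securityContext": {"privileged": True}}],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "app", "image": "nginx",
                        "securityContext": {
                            "allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
                        }}],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], check_pod(pod) or "admitted")
```

Note that allowPrivilegeEscalation and runAsNonRoot are checked against their effective values (unset means escalation is permitted; runAsNonRoot is inherited from the pod-level securityContext unless the container overrides it), which is where ad-hoc policies usually go wrong.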
TGIK - Advanced k8s secret management: https://www.youtube.com/watch?v=IznsHhKL428&ab_channel=VMwareCloudNativeApps
Sealed Secrets: https://github.com/bitnami-labs/sealed-secrets
secrets-store-csi-driver : https://github.com/kubernetes-sigs/secrets-store-csi-driver
Hands-on Kata: https://github.com/abdennour/abdennour.github.io/blob/master/_posts/2018-06-09-successfully-running-kata-containers-in-the-cloud.markdown
https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/
Using Istio: https://developer.ibm.com/technologies/containers/tutorials/istio-security-mtls/
Using Linkerd: https://linkerd.io/2/features/automatic-mtls/
7 best practices for building containers.
Docker way (Docker Content Trust, Notary-based image signing): https://docs.docker.com/engine/security/trust/content_trust/
Tools for managing the supply chain and artifacts:
Tools for signing container images cryptographically:
Example: restrict which registries images may be pulled from (enforced at admission time).
Related: https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/
Tools for dynamic container image scanning:
Firecracker for multi-tenant isolation, Bottlerocket for a reduced host attack surface, audit2rbac for generating RBAC roles from audit logs.
The given links are our assumptions and ideas: we have no insight into the exam requirements and do not know exactly what the exam will look like. We are guessing about possibilities and trying to collect resources.