Certified Kubernetes Security Specialist (CKS) Study Guide - Helion
ebook
Autor: Benjamin MuschkoISBN: 9781098132934
stron: 214, Format: ebook
Data wydania: 2023-06-08
Księgarnia: Helion
Cena książki: 177,65 zł (poprzednio: 206,57 zł)
Oszczędzasz: 14% (-28,92 zł)
Vulnerabilities in software and IT infrastructure pose a major threat to organizations. In response, the Cloud Native Computing Foundation (CNCF) developed the Certified Kubernetes Security Specialist (CKS) certification to verify an administrator's proficiency to protect Kubernetes clusters and the cloud native software they contain. This practical book helps you fully prepare for the certification exam by walking you through all of the topics covered.
Different from typical multiple-choice formats used by other certifications, this performance-based exam requires deep knowledge of the tasks it covers under intense time pressure. If you want to pass the CKS exam on the first go, author Benjamin Muschko shares his personal experience to help you learn the objectives, abilities, and tips and tricks you need to pass on the first attempt.
- Identify, mitigate, and/or minimize threats to cloud native applications and Kubernetes clusters
- Learn the ins and outs of Kubernetes's security features, and external tools for security detection and mitigation purposes
- Demonstrate competency to perform the responsibilities of a Kubernetes administrator or application developer with a security viewpoint
- Solve real-world Kubernetes problems in a hands-on, command-line environment
- Effectively navigate and solve questions during the CKS exam
Osoby które kupowały "Certified Kubernetes Security Specialist (CKS) Study Guide", wybierały także:
- Windows Media Center. Domowe centrum rozrywki 66,67 zł, (8,00 zł -88%)
- Ruby on Rails. Ćwiczenia 18,75 zł, (3,00 zł -84%)
- DevOps w praktyce. Kurs video. Jenkins, Ansible, Terraform i Docker 190,00 zł, (39,90 zł -79%)
- Przywództwo w świecie VUCA. Jak być skutecznym liderem w niepewnym środowisku 58,64 zł, (12,90 zł -78%)
- Scrum. O zwinnym zarządzaniu projektami. Wydanie II rozszerzone 58,64 zł, (12,90 zł -78%)
Spis treści
Certified Kubernetes Security Specialist (CKS) Study Guide eBook -- spis treści
- Preface
- Who This Book Is For
- What You Will Learn
- Structure of This Book
- Conventions Used in This Book
- Using Code Examples
- OReilly Online Learning
- How to Contact Us
- Acknowledgments
- 1. Exam Details and Resources
- Kubernetes Certification Learning Path
- Kubernetes and Cloud Native Associate (KCNA)
- Kubernetes and Cloud Native Security Associate (KCSA)
- Certified Kubernetes Application Developer (CKAD)
- Certified Kubernetes Administrator (CKA)
- Certified Kubernetes Security Specialist (CKS)
- Exam Objectives
- Curriculum
- Cluster Setup
- Cluster Hardening
- System Hardening
- Minimize Microservice Vulnerabilities
- Supply Chain Security
- Monitoring, Logging, and Runtime Security
- Involved Kubernetes Primitives
- Involved External Tools
- Documentation
- Candidate Skills
- Practicing and Practice Exams
- Summary
- Kubernetes Certification Learning Path
- 2. Cluster Setup
- Using Network Policies to Restrict Pod-to-Pod Communication
- Scenario: Attacker Gains Access to a Pod
- Observing the Default Behavior
- Denying Directional Network Traffic
- Allowing Fine-Grained Incoming Traffic
- Applying Kubernetes Component Security Best Practices
- Using kube-bench
- The kube-bench Verification Result
- Fixing Detected Security Issues
- Creating an Ingress with TLS Termination
- Setting Up the Ingress Backend
- Creating the TLS Certificate and Key
- Creating the TLS-Typed Secret
- Creating the Ingress
- Calling the Ingress
- Protecting Node Metadata and Endpoints
- Scenario: A Compromised Pod Can Access the Metadata Server
- Protecting Metadata Server Access with Network Policies
- Protecting GUI Elements
- Scenario: An Attacker Gains Access to the Dashboard Functionality
- Installing the Kubernetes Dashboard
- Accessing the Kubernetes Dashboard
- Creating a User with Administration Privileges
- Creating a User with Restricted Privileges
- Avoiding Insecure Configuration Arguments
- Verifying Kubernetes Platform Binaries
- Scenario: An Attacker Injected Malicious Code into Binary
- Verifying a Binary Against Hash
- Summary
- Exam Essentials
- Sample Exercises
- Using Network Policies to Restrict Pod-to-Pod Communication
- 3. Cluster Hardening
- Interacting with the Kubernetes API
- Processing a Request
- Connecting to the API Server
- Using the kubernetes Service
- Anonymous access
- Access with a client certificate
- Restricting Access to the API Server
- Scenario: An Attacker Can Call the API Server from the Internet
- Restricting User Permissions
- Creating a private key
- Creating and approving a CertificateSigningRequest
- Creating a Role and a RoleBinding
- Adding the user to the kubeconfig file
- Verifying the permissions
- Scenario: An Attacker Can Call the API Server from a Service Account
- Minimizing Permissions for a Service Account
- Binding the service account to a Pod
- Verifying the default permissions
- Creating the ClusterRole
- Creating the RoleBinding
- Verifying the granted permissions
- Disabling automounting of a service account token
- Generating a service account token
- Creating a Secret for a service account
- Updating Kubernetes Frequently
- Versioning Scheme
- Release Cadence
- Performing the Upgrade Process
- Summary
- Exam Essentials
- Sample Exercises
- Interacting with the Kubernetes API
- 4. System Hardening
- Minimizing the Host OS Footprint
- Scenario: An Attacker Exploits a Package Vulnerability
- Disabling Services
- Removing Unwanted Packages
- Minimizing IAM Roles
- Scenario: An Attacker Uses Credentials to Gain File Access
- Understanding User Management
- Listing users
- Adding a user
- Switching to a user
- Deleting a user
- Understanding Group Management
- Listing groups
- Adding a group
- Assigning a user to a group
- Deleting a group
- Understanding File Permissions and Ownership
- Viewing file permissions and ownership
- Changing file ownership
- Changing file permissions
- Minimizing External Access to the Network
- Identifying and Disabling Open Ports
- Setting Up Firewall Rules
- Using Kernel Hardening Tools
- Using AppArmor
- Understanding profiles
- Setting a custom profile
- Applying a profile to a container
- Using seccomp
- Applying the default container runtime profile to a container
- Setting a custom profile
- Applying the custom profile to a container
- Using AppArmor
- Summary
- Exam Essentials
- Sample Exercises
- Minimizing the Host OS Footprint
- 5. Minimizing Microservice Vulnerabilities
- Setting Appropriate OS-Level Security Domains
- Scenario: An Attacker Misuses root User Container Access
- Understanding Security Contexts
- Enforcing the Usage of a Non-Root User
- Setting a Specific User and Group ID
- Avoiding Privileged Containers
- Scenario: A Developer Doesnt Follow Pod Security Best Practices
- Understanding Pod Security Admission (PSA)
- Enforcing Pod Security Standards for a Namespace
- Understanding Open Policy Agent (OPA) and Gatekeeper
- Installing Gatekeeper
- Implementing an OPA Policy
- Managing Secrets
- Scenario: An Attacker Gains Access to the Node Running etcd
- Accessing etcd Data
- Encrypting etcd Data
- Understanding Container Runtime Sandboxes
- Scenario: An Attacker Gains Access to Another Container
- Available Container Runtime Sandbox Implementations
- Installing and Configuring gVisor
- Creating and Using a Runtime Class
- Understanding Pod-to-Pod Encryption with mTLS
- Scenario: An Attacker Listens to the Communication Between Two Pods
- Adopting mTLS in Kubernetes
- Summary
- Exam Essentials
- Sample Exercises
- Setting Appropriate OS-Level Security Domains
- 6. Supply Chain Security
- Minimizing the Base Image Footprint
- Scenario: An Attacker Exploits Container Vulnerabilities
- Picking a Base Image Small in Size
- Using a Multi-Stage Approach for Building Container Images
- Reducing the Number of Layers
- Using Container Image Optimization Tools
- Securing the Supply Chain
- Signing Container Images
- Scenario: An Attacker Injects Malicious Code into a Container Image
- Validating Container Images
- Using Public Image Registries
- Scenario: An Attacker Uploads a Malicious Container Image
- Whitelisting Allowed Image Registries with OPA GateKeeper
- Whitelisting Allowed Image Registries with the ImagePolicyWebhook Admission Controller Plugin
- Implementing the Backend Application
- Configuring the ImagePolicyWebhook Admission Controller Plugin
- Static Analysis of Workload
- Using Hadolint for Analyzing Dockerfiles
- Using Kubesec for Analyzing Kubernetes Manifests
- Scanning Images for Known Vulnerabilities
- Summary
- Exam Essentials
- Sample Exercises
- Minimizing the Base Image Footprint
- 7. Monitoring, Logging, and Runtime Security
- Performing Behavior Analytics
- Scenario: A Kubernetes Administrator Can Observe Actions Taken by an Attacker
- Understanding Falco
- Installing Falco
- Configuring Falco
- Falco configuration file
- Default rules
- Custom rules
- Kubernetes-specific rules
- Applying configuration changes
- Generating Events and Inspecting Falco Logs
- Understanding Falco Rule File Basics
- Rule
- Macro
- List
- Dissecting an existing rule
- Overriding Existing Rules
- Ensuring Container Immutability
- Scenario: An Attacker Installs Malicious Software
- Using a Distroless Container Image
- Configuring a Container with a ConfigMap or Secret
- Configuring a Read-Only Container Root Filesystem
- Using Audit Logs to Monitor Access
- Scenario: An Administrator Can Monitor Malicious Events in Real Time
- Understanding Audit Logs
- Creating the Audit Policy File
- Configuring a Log Backend
- Configuring a Webhook Backend
- Summary
- Exam Essentials
- Sample Exercises
- Performing Behavior Analytics
- A. Answers to Review Questions
- Chapter 2, Cluster Setup
- Chapter 3, Cluster Hardening
- Chapter 4, System Hardening
- Chapter 5, Minimize Microservice Vulnerabilities
- Chapter 6, Supply Chain Security
- Chapter 7, Monitoring, Logging, and Runtime Security
- Index