{"id":18702528,"url":"https://github.com/mayocream/kubestronaut","last_synced_at":"2026-02-16T14:09:33.171Z","repository":{"id":245212718,"uuid":"817557575","full_name":"mayocream/Kubestronaut","owner":"mayocream","description":"Kubestronaut Cheat Sheet","archived":false,"fork":false,"pushed_at":"2025-01-08T05:46:08.000Z","size":20,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-10-11T17:18:35.675Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mayocream.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-06-20T01:33:35.000Z","updated_at":"2025-01-08T07:41:26.000Z","dependencies_parsed_at":"2025-05-19T04:42:31.499Z","dependency_job_id":null,"html_url":"https://github.com/mayocream/Kubestronaut","commit_stats":null,"previous_names":["mayocream/kubestronaut"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/mayocream/Kubestronaut","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mayocream%2FKubestronaut","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mayocream%2FKubestronaut/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mayocream%2FKubestronaut/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mayocream%2FKubestronaut/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mayocream","downloa
d_url":"https://codeload.github.com/mayocream/Kubestronaut/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mayocream%2FKubestronaut/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29509405,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-16T09:05:14.864Z","status":"ssl_error","status_checked_at":"2026-02-16T08:55:59.364Z","response_time":115,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-07T11:46:09.256Z","updated_at":"2026-02-16T14:09:33.140Z","avatar_url":"https://github.com/mayocream.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Kubestronaut\n\nHands-on Kubernetes learning resources.\n\n## CKA \u0026 CKAD\n\n- [Bookmarks](https://gist.github.com/mayocream/0022fcf2235b5acaedec0333a73b6ea9)\n- [Blogpost](https://mayo.rocks/2021/10/cka-ckad-journey/)\n\n## CKS\n\n### Requirements\n\nReference: [CKS Environment](https://docs.linuxfoundation.org/tc-docs/certification/important-instructions-cks#cks-environment)\n\n- One active monitor (either built in or external) (NOTE: Dual Monitors are NOT supported).\n- The CKS environment is currently running etcd v3.5\n- The CKS environment is currently running Kubernetes v1.30\n\n### Training\n\n- [Killer Shell CKS](https://killercoda.com/killer-shell-cks)\n\n### Simulator\n\n- [killer.sh](https://killer.sh/)\n\n
### References\n\n#### Pre Setup\n\n- [kubectl Quick Reference](https://kubernetes.io/docs/reference/kubectl/quick-reference/#interacting-with-running-pods)\n\nShell:\n\n```bash\nexport do=\"--dry-run=client -o yaml\"    # k create deploy nginx --image=nginx $do\nexport now=\"--force --grace-period 0\"   # k delete pod x $now\n```\n\n#### Basic\n\nBase64:\n\n```bash\necho -n \"admin\" | base64 -w0\necho -n \"YWRtaW4=\" | base64 -d\n```\n\nFind pod by container id:\n\n```bash\ncrictl ps -id \u003ccontainer-id\u003e\ncrictl pods -id \u003cpod-id\u003e\n```\n\n#### Falco\n\n- [Supported Fields for Conditions and Outputs](https://falco.org/docs/reference/rules/supported-fields/)\n- edit `/etc/falco/falco_rules.local.yaml`\n- `cat /opt/course/2/falco.log.dirty | cut -d\" \" -f 9 \u003e /opt/course/2/falco.log`\n- The tool cut will split input into fields using space as the delimiter (-d\" \"). We then only select the 9th field using -f 9.\n\n#### API Server\n\napi-server as static pod: `/etc/kubernetes/manifests/kube-apiserver.yaml`.\n\nAPI server:\n\n```bash\n- kube-apiserver\n- --authorization-mode=Node,RBAC\n- --etcd-servers=https://127.0.0.1:2379\n- --enable-admission-plugins=NodeRestriction\n# Enable audit logs\n- --audit-policy-file=/etc/kubernetes/audit-policy/policy.yaml\n- --audit-log-path=/etc/kubernetes/audit-logs/audit.log\n- --audit-log-maxsize=7\n- --audit-log-maxbackup=2\n# expose\n- --kubernetes-service-node-port=31000\n# CIS benchmark\n- --profiling=false\n```\n\n#### Pod Security\n\n- [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline)\n- [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/)\n- [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n\n```yaml\n# MODE must be one of `enforce`, `audit`, or `warn`.\n# LEVEL must be one of `privileged`, `baseline`, or `restricted`.\npod-security.kubernetes.io/\u003cMODE\u003e: \u003cLEVEL\u003e\n```\n\n
#### CIS Benchmark\n\n```bash\nkube-bench run --targets=master\nkube-bench run --targets=node\n```\n\n#### Verify Binaries\n\n```bash\nsha512sum /usr/bin/kubelet\ncat compare | uniq\n```\n\n#### Open Policy Agent\n\n```bash\nk edit blacklistimages pod-trusted-images\nk edit constrainttemplates blacklistimages\n```\n\n#### Secure Kubernetes Dashboard\n\n- https://github.com/kubernetes/dashboard/tree/master/docs\n- `k -n kubernetes-dashboard get pod,svc`\n\n```bash\nk -n kubernetes-dashboard edit deploy kubernetes-dashboard\n```\n\n```yaml\n  template:\n    spec:\n      containers:\n      - args:\n        - --namespace=kubernetes-dashboard\n        - --authentication-mode=token        # change or delete, \"token\" is default\n        - --auto-generate-certificates       # add\n        #- --enable-skip-login=true          # delete or set to false\n        #- --enable-insecure-login           # delete\n        image: kubernetesui/dashboard:v2.0.3\n        imagePullPolicy: Always\n        name: kubernetes-dashboard\n```\n\n#### AppArmor\n\n- [AppArmor](https://kubernetes.io/docs/tutorials/security/apparmor/)\n  - `apparmor_parser`\n  - `aa-status`\n- [nodeSelector](https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/#create-a-pod-that-gets-scheduled-to-your-chosen-node)\n\n#### gVisor\n\n- [RuntimeClasses](https://kubernetes.io/docs/concepts/containers/runtime-class)\n\n```yaml\napiVersion: node.k8s.io/v1\nkind: RuntimeClass\nmetadata:\n  name: gvisor\nhandler: runsc\n```\n\nPod:\n\n```yaml\napiVersion: v1\nkind: Pod\nmetadata:\n  creationTimestamp: null\n  labels:\n    run: gvisor-test\n  name: gvisor-test\n  namespace: team-purple\nspec:\n  nodeName: cluster1-node2 # add\n  runtimeClassName: gvisor   # add\n  containers:\n  - image: nginx:1.19.2\n    name: gvisor-test\n    resources: {}\n  dnsPolicy: ClusterFirst\n  restartPolicy: Always\nstatus: 
{}\n```\n\n#### ETCD\n\n- [etcdctl](https://etcd.io/docs/v3.5/op-guide/etcdctl/)\n\n```bash\ncat /etc/kubernetes/manifests/kube-apiserver.yaml | grep etcd\nETCDCTL_API=3 etcdctl \\\n--cert /etc/kubernetes/pki/apiserver-etcd-client.crt \\\n--key /etc/kubernetes/pki/apiserver-etcd-client.key \\\n--cacert /etc/kubernetes/pki/etcd/ca.crt get /registry/{type}/{namespace}/{name}\n```\n\n#### Permission escalation\n\n```bash\nk -n restricted get role,rolebinding,clusterrole,clusterrolebinding\nk -n restricted get secrets -o yaml\n\nk -n restricted get pod -o yaml | grep -i secret\n\n# via volume\nk -n restricted exec pod1-fd5d64b9c-pcx6q -- cat /etc/secret-volume/password\n\n# via env\nk -n restricted exec pod2-6494f7699b-4hks5 -- env | grep PASS\n\n# via API\nk -n restricted exec -it pod3-748b48594-24s76 -- sh\ncurl https://kubernetes.default/api/v1/namespaces/restricted/secrets -H \"Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)\" -k\n```\n\n#### Network Policies\n\n- [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/)\n\n```yaml\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n  name: metadata-deny\n  namespace: metadata-access\nspec:\n  podSelector: {}\n  policyTypes:\n  - Egress\n  egress:\n  - to:\n    - ipBlock:\n        cidr: 0.0.0.0/0\n        except:\n        - 192.168.100.21/32\n```\n\n```yaml\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n  name: metadata-allow\n  namespace: metadata-access\nspec:\n  podSelector:\n    matchLabels:\n      role: metadata-accessor\n  policyTypes:\n  - Egress\n  egress:\n  - to:\n    - ipBlock:\n        cidr: 192.168.100.21/32\n```\n\n#### Syscall\n\n```bash\nstrace -p \u003cpid\u003e\n```\n\n#### Ingress TLS\n\n```bash\nk -n \u003cnamespace\u003e create secret tls tls-secret --key tls.key --cert tls.crt\n```\n\n#### Audit log\n\n- [Audit log](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/)\n\n```yaml\n# 
/etc/kubernetes/audit/policy.yaml\napiVersion: audit.k8s.io/v1\nkind: Policy\nrules:\n\n# log Secret resources audits, level Metadata\n- level: Metadata\n  resources:\n  - group: \"\"\n    resources: [\"secrets\"]\n\n# log node related audits, level RequestResponse\n- level: RequestResponse\n  userGroups: [\"system:nodes\"]\n\n# for everything else don't log anything\n- level: None\n```\n\n#### Other\n\n[Securing a Cluster](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/):\n- [NodeRestriction](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction)\n- [Audit logs](https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/#log-backend)\n- [CSR](https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#normal-user)\n  - [openssl](https://kubernetes.io/docs/tasks/administer-cluster/certificates/#openssl)\n- [EncryptionConfiguration](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#understanding-the-encryption-at-rest-configuration)\n  - `kubectl -n one get secrets -o json | kubectl replace -f -` recreate secrets\n- [ImagePolicyWebhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook)\n\nNotes:\n\nSet client credentials:\n\n```bash\nk config set-credentials 60099@internal.users --client-key=60099.key --client-certificate=60099.crt\nk config set-context 60099@internal.users --cluster=kubernetes --user=60099@internal.users\nk config get-contexts\nk config use-context 60099@internal.users\n```\n\nLogs:\n\n```bash\ncrictl logs \u003ccontainer-id\u003e\ncat /var/log/pods/\u003cpod-id\u003e/\u003ccontainer-name\u003e/0.log\n```\n\nCommon:\n\n```bash\nwatch crictl ps\n\n# We can contact the Apiserver as the Kubelet by using the Kubelet kubeconfig\nexport KUBECONFIG=/etc/kubernetes/kubelet.conf\n```\n\nDocker:\n\n```bash\n# shared PID namespace\ndocker run --name nginx -d --pid=container:app1 
nginx\n```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmayocream%2Fkubestronaut","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmayocream%2Fkubestronaut","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmayocream%2Fkubestronaut/lists"}