Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/ibrahimjelliti/CKSS-Certified-Kubernetes-Security-Specialist
This repository is a collection of resources to prepare for the Certified Kubernetes Security Specialist (CKSS) exam.
https://github.com/ibrahimjelliti/CKSS-Certified-Kubernetes-Security-Specialist
certification cks cks-exam ckss cloud-native cluster cluster-hardening cncf golang hardening kubernetes kubernetes-platforms logging monitoring securing-kubernetes security vulnerabilities
Last synced: 14 days ago
JSON representation
This repository is a collection of resources to prepare for the Certified Kubernetes Security Specialist (CKSS) exam.
- Host: GitHub
- URL: https://github.com/ibrahimjelliti/CKSS-Certified-Kubernetes-Security-Specialist
- Owner: ibrahimjelliti
- License: mit
- Created: 2020-08-17T23:05:09.000Z (about 4 years ago)
- Default Branch: master
- Last Pushed: 2022-11-09T17:08:08.000Z (about 2 years ago)
- Last Synced: 2024-08-29T02:02:12.646Z (2 months ago)
- Topics: certification, cks, cks-exam, ckss, cloud-native, cluster, cluster-hardening, cncf, golang, hardening, kubernetes, kubernetes-platforms, logging, monitoring, securing-kubernetes, security, vulnerabilities
- Language: HTML
- Homepage:
- Size: 224 KB
- Stars: 473
- Watchers: 57
- Forks: 136
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
Awesome Lists containing this project
- awesome-k8s-security - CKSS-Certified-Kubernetes-Security-Specialist
README
# Certified Kubernetes Security Specialist - CKSS
This repository is a collection of resources to prepare for the Certified Kubernetes Security Specialist (CKSS) exam.
> The given references and links below are just assumptions and ideas around the [CKSS curriculum](https://github.com/cncf/curriculum/blob/master/CKS_Curriculum_%20v1.19.pdf).## CKS Overview
The Kubernetes Security Specialist (CKS) certification ensure that the holder has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime.The certification is generally available to take from [here](https://training.linuxfoundation.org/certification/certified-kubernetes-security-specialist/) as anounced during the KubeCon NA20
## CKS Outline
The CKS test will be online, proctored and performance-based with 15-20 hands-on performance based tasks, and candidates have 2 hours to complete the exam tasks.From the CKS Exam Curriculum repository, The exam will test domains and competencies including:
1. **Cluster Setup (10%)**: Best practice configuration to control the environment's access, rights and platform conformity.
2. **Cluster Hardening (15%)**: Protecting K8s API and utilize RBAC.
3. **System Hardening (15%)**: Improve the security of OS & Network; restrict access through IAM
4. **Minimize Microservice Vulnerabilities (20%)**: Utilizing on K8s various mechanisms to isolate, protect and control workload.
5. **Supply Chain Security (20%)**: Container oriented security, trusted resources, optimized container images, CVE scanning.
6. **Monitoring, Logging, and Runtime Security (20%)**: Analyse and detect threads.# CKS Exam Preparation
In order to take the CKS exam, you must have **Valid CKA certification** prior to attempting the CKS exam to demonstrate you possess sufficient Kubernetes expertise.
A first good starting point for securing Kubernetes is the Task section [**Securing a Cluster**](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/) of the official K8s documentation.
The exam will be based on **Kubernetes v1.19 documentation** as of November general availability announcement.
# Allowed resources to access during my CKS exam:
According to the LF docs, during the CKS exam the candidates may:
- review the Exam content instructions that are presented in the command line terminal.
- review Documents installed by the distribution (i.e. /usr/share and its subdirectories)
- use their Chrome or Chromium browser to open **one additional tab** in order to access
- **Kubernetes Documentation:**
- https://kubernetes.io/docs/ and their subdomains
- https://github.com/kubernetes/ and their subdomains
- https://kubernetes.io/blog/ and their subdomains
This includes all available language translations of these pages (e.g. https://kubernetes.io/zh/docs/)
- **Tools**:
- Trivy documentation https://github.com/aquasecurity/trivy
- Sysdig documentation https://docs.sysdig.com/
- Falco documentation https://falco.org/docs/
- **App Armor:**
- Documentation [https://gitlab.com/apparmor/apparmor/-/wikis/Documentation](https://gitlab.com/apparmor/apparmor/-/wikis/Documentation)
The allowed sites above may contain links that point to external sites. It is the responsibility of the candidate not to click any links to navigate to a domain that is not allowed## Cluster Setup (10%)
Use Network security policies to restrict cluster level access
#### Allowed Ressources
* [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies)
* [Securing a Cluster](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/)
* [Declare Network Policy](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/)
* [Enforcing Network Policies in Kubernetes](https://kubernetes.io/blog/2017/10/enforcing-network-policies-in-kubernetes/)
#### 3rd Party Ressources
* [Get started with Kubernetes network policy](https://docs.projectcalico.org/security/kubernetes-network-policy)
* [kubernetes-network-policy-recipes](https://github.com/ahmetb/kubernetes-network-policy-recipes)
* [Kubernetes Network Policies Best Practices](https://blog.alcide.io/kubernetes-network-policies-best-practices)
* [Exploring Network Policies in Kubernetes](https://banzaicloud.com/blog/network-policy/)Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
#### 3rd Party Ressources
* [CIS benchmark for Kubernetes](https://www.cisecurity.org/benchmark/kubernetes/)
* The benchmark is not yet available for `Kubernetes 1.19`, but it gives great understanding.
* [What is Center for Internet Security (CIS) Benchmarks](https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-cis-benchmark)
* [Kube-bench](https://github.com/aquasecurity/kube-bench#running-kube-bench): A tool for running Kubernetes CIS Benchmark tests
* [GKE: CIS Benchmarks for etcd & kubelet](https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#default-values)Properly set up Ingress objects with security control
#### Allowed Ressources
* [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/)
* [Ingress Controllers](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/)
* [Set up Ingress on Minikube with the NGINX Ingress Controller](https://kubernetes.io/docs/tasks/access-application-cluster/ingress-minikube/)
* [secure an Ingress by specifying a Secret that contains a TLS private key and certificate](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls)
* [How to deploy NGINX Ingress Controller](https://github.com/kubernetes/ingress-nginx/blob/master/docs/deploy/index.md)
* [TLS/HTTPS](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/tls.md)Protect node metadata and endpoints
#### Allowed Ressources
* [Restricting cloud metadata API access](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/#restricting-cloud-metadata-api-access)
* [Kubelet authentication/authorization](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/)
#### 3rd Party Ressources
* [Kubelet API](https://www.deepnetwork.com/blog/kubernetes/2020/01/13/kubelet-api.html)
* [Setting up secure endpoints in Kubernetes](https://blog.cloud66.com/setting-up-secure-endpoints-in-kubernetes/)
* [GKE Protecting cluster metadata](https://cloud.google.com/kubernetes-engine/docs/how-to/protecting-cluster-metadata)
* [Retrieving EC2 instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html)
* [EC2 Instance user data](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)Minimize use of, and access to, GUI elements
#### Allowed Ressources
* [Web-based Kubernetes User Interface](https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/)
* [Dashboard Access control](https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/README.md)
* [Dashboard Auth](https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md)
#### 3rd Party Ressources
* [On Securing the Kubernetes Dashboard](https://blog.heptio.com/on-securing-the-kubernetes-dashboard-16b09b1b7aca)Verify platform binaries before deploying
#### Allowed Ressources
* [Kubernetes platform binaries](https://github.com/kubernetes/kubernetes/releases)## Cluster Hardening (15%)
Restrict access to Kubernetes API#### Allowed Ressources
* [Controlling Access to the Kubernetes API](https://kubernetes.io/docs/reference/access-authn-authz/controlling-access/)
* [Certificate Signing Requests: Create Normal User](https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#normal-user)
* [Generate cluster certificates (easyrsa, openssl or cfssl)](https://kubernetes.io/docs/concepts/cluster-administration/certificates/)
#### 3rd Party Ressources
* [GKE: Hardening your cluster's security](https://cloud.google.com/anthos/gke/docs/on-prem/how-to/hardening-your-cluster)
* [Kubernetes RBAC and TLS certificates – Kubernetes security guide](https://sysdig.com/blog/kubernetes-security-rbac-tls/)
* [Securing Your Kubernetes API Server](https://tufin.medium.com/protecting-your-kubernetes-api-server-5eefeea4cf8a)Use Role Based Access Controls to minimize exposure
#### Allowed Ressources
* [Using RBAC Authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
* [Authorization modes for Kubernetes API server](https://kubernetes.io/docs/reference/access-authn-authz/authorization/#authorization-modules)
#### 3rd Party Ressources
* [Site for Kubernetes RBAC](https://rbac.dev/)
* [Understand Role-Based Access Control in Kubernetes](https://www.youtube.com/watch?v=G3R24JSlGjY)
* [RBAC Study Guide](https://github.com/David-VTUK/CKA-StudyGuide/blob/master/RevisionTopics/Part-5-Security.md)Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones
#### Allowed Ressources
* [Managing Service Accounts](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/)
* [Default roles and role bindings](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings)
* [Authorization Modes](https://kubernetes.io/docs/reference/access-authn-authz/authorization/#authorization-modules)
* [Configure Service Accounts for Pods](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/)
* [Kubernetes should not mount default service account credentials by default](https://github.com/kubernetes/kubernetes/issues/57601)
#### 3rd Party Ressources
* [Kubernetes: Creating Service Accounts and Kubeconfigs](https://docs.armory.io/docs/armory-admin/manual-service-account/)
* [Kubernetes Access Control: Exploring Service Accounts](https://thenewstack.io/kubernetes-access-control-exploring-service-accounts/)
* [Disable default service account by deployments in Kubernetes](https://stackoverflow.com/questions/52583497/how-to-disable-the-use-of-a-default-service-account-by-a-statefulset-deployments)
* [Securing Kubernetes Clusters by Eliminating Risky Permissions](https://www.cyberark.com/resources/threat-research-blog/securing-kubernetes-clusters-by-eliminating-risky-permissions)
* [Understand Role Based Access Control in Kubernetes](https://www.youtube.com/watch?v=G3R24JSlGjY)Update Cluster frequently
#### Allowed Ressources
* [Update Kubernetes frequently](https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/)## System Hardening (15%)
Minimize host OS footprint (reduce attack surface)#### Allowed Ressources
* [Preventing containers from loading unwanted kernel modules](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/#preventing-containers-from-loading-unwanted-kernel-modules)
#### 3rd Party Ressources
* [Reduce Kubernetes Attack Surfaces](https://blog.sonatype.com/kubesecops-kubernetes-security-practices-you-should-follow#:~:text=Reduce%20Kubernetes%20Attack%20Surfaces)
* [distribution independent linux](https://www.cisecurity.org/benchmark/distribution_independent_linux/)
* [CIS Benchmark Ubuntu Linux](https://www.cisecurity.org/benchmark/ubuntu_linux/)
* [CIS Benchmark RedHat](https://www.cisecurity.org/benchmark/red_hat_linux/)
* [CIS Benchmark Debian](https://www.cisecurity.org/benchmark/debian_linux/)
* [CIS Benchmark Centos](https://www.cisecurity.org/benchmark/centos_linux/)
* [CIS Benchmark SUSE](https://www.cisecurity.org/benchmark/suse_linux/)
* [CIS Benchmark Oracle](https://www.cisecurity.org/benchmark/oracle_linux/)Minimize IAM roles
#### 3rd Party Ressources
* [What is the Principle of Least Privilege (POLP)?](https://digitalguardian.com/blog/what-principle-least-privilege-polp-best-practice-information-security-and-compliance)
* [IAM Grant least privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege)Minimize external access to the network
#### Allowed Ressources
* [K8s quotas (services.loadbalancers)](https://kubernetes.io/docs/concepts/policy/resource-quotas/)
* [Restrict Access For LoadBalancer Service](https://v1-17.docs.kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service)
* [Admission control plugin: ResourceQuota](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/resource-management/admission_control_resource_quota.md)
#### 3rd Party Ressources
* [Secure hosts with OS-level firewall (ufw)](https://help.replicated.com/community/t/managing-firewalls-with-ufw-on-kubernetes/230)
* [Configure firewall with ufw](https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw/)
* [Use security groups to secure network (Azure)](https://docs.microsoft.com/en-us/azure/aks/concepts-security#azure-network-security-groups)
* [Amazon EKS security group considerations](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html)
* [Amazon EC2 security groups for Linux instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html)Appropriately use kernel hardening tools such as AppArmor, seccomp
#### Allowed Ressources
* [Restrict a Container's Access to Resources with AppArmor](https://kubernetes.io/docs/tutorials/clusters/apparmor/)
* [Restrict a Container's Syscalls with Seccomp](https://kubernetes.io/docs/tutorials/clusters/seccomp/)
#### 3rd Party Ressources
* [Kubernetes Hardening Best Practices](https://www.sumologic.com/kubernetes/security/#security-best-practices)
* [Container Security: Fundamental Technology Concepts that Protect Containerized Application by Liz Rice](https://cdn2.hubspot.net/hubfs/1665891/Assets/Container%20Security%20by%20Liz%20Rice%20-%20OReilly%20Apr%202020.pdf)## Minimize Microservice Vulnerabilities (20%)
Setup appropriate OS level security domains e.g. using PSP, OPA, security contexts#### Allowed Ressources
* [Pod Security Policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/)
* [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
* [OPA Gatekeeper: Policy and Governance for Kubernetes](https://kubernetes.io/blog/2019/08/06/opa-gatekeeper-policy-and-governance-for-kubernetes/)
* [Kubernetes security context, security policy, and network policy – Kubernetes security guide (part 2)](https://sysdig.com/blog/kubernetes-security-psp-network-policy/)#### 3rd Party Ressources
* [Open Policy Agent Introduction](https://www.youtube.com/watch?v=Yup1FUc2Qn0)
* [Enforce policies on Kubernetes objects with OPA](https://www.openpolicyagent.org/docs/v0.12.2/kubernetes-admission-control/)
* [Pod Security Policy](https://blog.alcide.io/pod-security-policy)Manage kubernetes secrets
#### Allowed Ressources
* [Kubernetes Secrets](https://kubernetes.io/docs/concepts/configuration/secret/)
* [Encrypting Secret Data at Rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/)
* [Using a KMS provider for data encryption](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/)
#### 3rd Party Ressources
* [katacoda lab around Secrets](https://www.katacoda.com/courses/kubernetes/managing-secrets)
* [Managing Secrets in Kubernetes](https://www.weave.works/blog/managing-secrets-in-kubernetes)
* [Secrets Store CSI driver](https://github.com/kubernetes-sigs/secrets-store-csi-driver)
* [How to Manage Secrets in Kubernetes](https://spacelift.io/blog/kubernetes-secrets)Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers)
#### Allowed Ressources
* [container runtime](https://kubernetes.io/docs/concepts/containers/runtime-class/)
* [container runtime sandboxes examples](https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/585-runtime-class/README.md#examples)
* [Enforce tenant isolation (Limit Ranges, Quotas, PSPs) with Policies](https://kubernetes.io/docs/concepts/policy/)
* [Affinity and anti-affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
#### 3rd Party Ressources
* [What is gVisor?](https://gvisor.dev/docs/)
* [Cluster multi-tenancy](https://cloud.google.com/kubernetes-engine/docs/concepts/multitenancy-overview)
* [Use gVisor to run Kubernetes pods](https://gvisor.dev/docs/user_guide/quick_start/kubernetes/)
* [Implementing secure Containers using Google’s gVisor](https://thenewstack.io/how-to-implement-secure-containers-using-googles-gvisor/)
* [Kata containers and Kubernetes: How they fit together?](https://platform9.com/blog/kata-containers-docker-and-kubernetes-how-they-all-fit-together/)
* [How to use Kata Containers with Kubernetes?](https://github.com/kata-containers/documentation/blob/master/how-to/how-to-use-k8s-with-cri-containerd-and-kata.md)Implement pod to pod encryption by use of mTLS
#### Allowed Ressources
* [Manage TLS Certificates in a Cluster](https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/)
#### 3rd Party Ressources
* [Secure communication between services in Istio with mutual TLS](https://developer.ibm.com/technologies/containers/tutorials/istio-security-mtls/)
* [Mutual TLS Authentication (mTLS) De-Mystified](https://codeburst.io/mutual-tls-authentication-mtls-de-mystified-11fa2a52e9cf)
* [Traffic encryption using mTLS](https://www.istioworkshop.io/11-security/01-mtls/)
* [Using Istio to improve end-to-end security](https://istio.io/latest/blog/2017/0.1-auth/)
* [Linerd: automatic mtls](https://linkerd.io/2/features/automatic-mtls/)## Supply Chain Security (20%)
Minimize base image footprint
#### 3rd Party Ressources
* [Why build small container images in Kubernetes](https://cloud.google.com/blog/products/gcp/kubernetes-best-practices-how-and-why-to-build-small-container-images)
* [Use the smallest base image possible](https://cloud.google.com/solutions/best-practices-for-building-containers#build-the-smallest-image-possible)
* [7 best practices for building containers](https://cloud.google.com/blog/products/gcp/7-best-practices-for-building-containers)
* [distroless containers](https://github.com/GoogleContainerTools/distroless)
* [Docker multi-stage builds](https://docs.docker.com/develop/develop-images/multistage-build/)
* [Tips to Reduce Docker Image Sizes](https://hackernoon.com/tips-to-reduce-docker-image-sizes-876095da3b34)
* [3 simple tricks for smaller Docker images](https://learnk8s.io/blog/smaller-docker-images)Secure your supply chain: whitelist allowed image registries, sign and validate images
#### Allowed Ressources
* [Using Admission Controllers](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/)
* [Dynamic Admission Control](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/)
* [A Guide to Kubernetes Admission Controllers](https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/)
* [Ensure images only from approved sources are run](https://github.com/kubernetes/kubernetes/issues/22888)
#### 3rd Party Ressources
* [Content trust in Docker](https://docs.docker.com/engine/security/trust/content_trust/)
* [How to reject docker registries in Kubernetes?](https://stackoverflow.com/questions/54463125/how-to-reject-docker-registries-in-kubernetes)
* [Restrict pulling images from Registry](https://www.openpolicyagent.org/docs/latest/kubernetes-primer/)
* [Container image signatures in Kubernetes](https://medium.com/sse-blog/container-image-signatures-in-kubernetes-19264ac5d8ce)Use static analysis of user workloads (e.g. kubernetes resources, docker files)
#### Allowed Ressources
* [11 Ways (Not) to Get Hacked: statically-analyse-yaml](https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked/#7-statically-analyse-yaml)#### 3rd Party Ressources
* [Trivy](https://github.com/aquasecurity/trivy)
* [Static analysis with Clair](https://github.com/quay/clair)
* [Static analysis with Kube-score](https://kube-score.com/)
* [kubehunter](https://github.com/aquasecurity/kube-hunter)
* [kubesec](https://kubesec.io/)
* [Kubernetes static code analysis with Checkov](https://bridgecrew.io/blog/kubernetes-static-code-analysis-with-checkov/)Scan images for known vulnerabilities
#### 3rd Party Ressources
* [Trivy](https://github.com/aquasecurity/trivy)## Monitoring, Logging and Runtime Security (20%)
Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities
#### Allowed Ressources
* [Restrict a Container's Syscalls with Seccomp](https://kubernetes.io/docs/tutorials/clusters/seccomp/)
* [Auditing with Falco (Obsoledted)](https://v1-16.docs.kubernetes.io/docs/tasks/debug-application-cluster/falco/)
* [How to detect a Kubernetes vulnerability using Falco](https://sysdig.com/blog/how-to-detect-kubernetes-vulnerability-cve-2019-11246-using-falco/)
#### 3rd Party Ressources
* [Kubernetes Security monitoring at scale](https://medium.com/@SkyscannerEng/kubernetes-security-monitoring-at-scale-with-sysdig-falco-a60cfdb0f67a)Detect threats within physical infrastructure, apps, networks, data, users and workloads
#### 3rd Party Ressources
* [Common Kubernetes config security threats](https://www.cncf.io/blog/2020/08/07/common-kubernetes-config-security-threats/)
* [A guidance on Kubernetes threat modeling](https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/guidance-on-kubernetes-threat-modeling)
* [Threat matrix for Kubernetes](https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/)Detect all phases of attack regardless where it occurs and how it spreads
#### 3rd Party Ressources
* [Investigating Kubernetes attack scenarios in Threat Stack](https://www.threatstack.com/blog/kubernetes-attack-scenarios-part-1)
* [Anatomy of a Kubernetes attack – How untrusted Docker images fails us](https://www.optiv.com/explore-optiv-insights/source-zero/anatomy-kubernetes-attack-how-untrusted-docker-images-fail-us)
* [Investigating Kubernetes Attack Scenarios in Threat Stack (part 1)](https://www.threatstack.com/blog/kubernetes-attack-scenarios-part-1)
* [The seven phases of a cyber attack](https://www.dnvgl.com/article/the-seven-phases-of-a-cyber-attack-118270)
* [Threat matrix for Kubernetes](https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/)
* [MITRE ATT&CK framework for container runtime security with Falco](https://sysdig.com/blog/mitre-attck-framework-for-container-runtime-security-with-sysdig-falco/)
* [Mitigating Kubernetes attacks](https://www.youtube.com/watch?v=HWv8ZKLCawM)Perform deep analytical investigation and identification of bad actors within environment
#### 3rd Party Ressources
* [Kubernetes security 101: Risks and Best practices](https://www.stackrox.com/post/2020/05/kubernetes-security-101/)Ensure immutability of containers at runtime
#### Allowed Ressources
* ["ReadOnlyRootFilesystem" (securityContext, PSP)](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems)
* ["readOnly" volume mount](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems)
* [Principles of Container-based Application Design](https://kubernetes.io/blog/2018/03/principles-of-container-app-design/)
#### 3rd Party Ressources
* [Leverage Kubernetes to ensure that containers are immutable](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/container_security_guide/keeping_containers_fresh_and_updateable#leveraging_kubernetes_and_openshift_to_ensure_that_containers_are_immutable)
* [Why I think we should all use immutable Docker images](https://medium.com/sroze/why-i-think-we-should-all-use-immutable-docker-images-9f4fdcb5212f)
* [With immutable infrastructure, your systems can rise from the dead](https://techbeacon.com/enterprise-it/immutable-infrastructure-your-systems-can-rise-dead)Use Audit Logs to monitor access
#### Allowed Ressources
* [Kubernetes Audit](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/)
* [Kubernetes Audit logging](https://docs.sysdig.com/en/kubernetes-audit-logging.html)#### 3rd Party Ressources
* [How to monitor Kubernetes audit logs?](https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/)
* [Kubernetes Audit: Making Log Auditing a Viable Practice Again](https://blog.alcide.io/kubernetes-audit-making-log-auditing-a-viable-practice-again)# Related Kubernetes security resources
* [Kubernetes Security Essentials (LFS260)](https://training.linuxfoundation.org/training/kubernetes-security-essentials-lfs260/)
* [Cloud Native Security Tutorial](https://tutorial.kubernetes-security.info/)
* [Killer Shell CKS Simulator](https://killer.sh/cks)
* [Sysdig Kubernetes Security Guide](https://sysdig.com/resources/ebooks/kubernetes-security-guide/)
* [Kubernetes Security Best Practices - Ian Lewis, Google](https://youtu.be/wqsUfvRyYpw)
* [Kubernetes security concepts and demos](https://youtu.be/VjlvS-qiz_U)
* [Tutorial: Getting Started With Cloud Native Security - Liz Rice, Aqua Security & Michael Hausenblas](https://youtu.be/MisS3wSds40)
* [11 Ways (Not) to Get Hacked](https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked/)
* [Kubernetes Goat](https://github.com/madhuakula/kubernetes-goat)
* [Kubernetes CTF on vagrant environment](https://github.com/NodyHub/k8s-ctf-rocks)
* [Udemy Kubernetes CKS 2020 Complete Course and killer.sh Simulator](https://www.udemy.com/course/certified-kubernetes-security-specialist/)
* [NSA/CISA Kubernetes Hardening Guidance 08/2021](https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF)
### White Papers
* [CNCF cloud-native security white paper Nov 2020](https://github.com/cncf/sig-security/blob/master/security-whitepaper/CNCF_cloud-native-security-whitepaper-Nov2020.pdf)# Keep Updating
* LIVING DOCUMENT - I WILL UPDATE IT FREQUENTLY WHEN I HAVE NEW INFORMATIONS
* PRs are always welcome so star, fork and contribute
* please make a pull request if you would like to add or updateIbrahim Jelliti © 2020