2025 iThome Ironman Contest (鐵人賽)

DAY 1

Like every story that opens with a dramatic tale: last April, after barely scraping through the CKA, I assumed preparing for the CKS this year would be a breeze. Little did I know that I would suffer a crushing defeat in this year's exam. So I decided to learn from the pain and study the official exam curriculum carefully, chapter by chapter and section by section.

https://ithelp.ithome.com.tw/upload/images/20250907/20178630COk89alPXs.png

In the posts that follow I will work through each item in the official curriculum one by one, hoping to reach a new peak and earn the certification at the end. The curriculum is divided into the following six major domains:

  1. Cluster Setup (15%)
  • Use Network security policies to restrict cluster level access
  • Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
  • Properly set up Ingress with TLS
  • Protect node metadata and endpoints
  • Verify platform binaries before deploying
  2. Cluster Hardening (15%)
  • Use Role Based Access Controls to minimize exposure
  • Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones
  • Restrict access to Kubernetes API
  • Upgrade Kubernetes to avoid vulnerabilities
  3. System Hardening (10%)
  • Minimize host OS footprint (reduce attack surface)
  • Using least-privilege identity and access management
  • Minimize external access to the network
  • Appropriately use kernel hardening tools such as AppArmor, seccomp
  4. Minimize Microservice Vulnerabilities (20%)
  • Use appropriate pod security standards
  • Manage Kubernetes secrets
  • Understand and implement isolation techniques (multi-tenancy, sandboxed containers, etc.)
  • Implement Pod-to-Pod encryption (Cilium, Istio)
  5. Supply Chain Security (20%)
  • Minimize base image footprint
  • Understand your supply chain (e.g. SBOM, CI/CD, artifact repositories)
  • Secure your supply chain (permitted registries, sign and validate artifacts, etc.)
  • Perform static analysis of user workloads and container images (e.g. Kubesec, KubeLinter)
  6. Monitoring, Logging and Runtime Security (20%)
  • Perform behavioral analytics to detect malicious activities
  • Detect threats within physical infrastructure, apps, networks, data, users and workloads
  • Investigate and identify phases of attack and bad actors within the environment
  • Ensure immutability of containers at runtime
  • Use Kubernetes audit logs to monitor access

Let's get started tomorrow.

References
Certified Kubernetes Security Specialist (CKS)

Series: After scoring only 47% on the CKS exam, I decided to learn from the pain and prepare properly