CKS Cheatsheet

Written on November 19, 2022
Estimated reading time : 7 mins
Tags : | certification | kubernetes |

A cheatsheet to prepare for the final exam of the k8s triad - CKS in 2022. Helped me a lot in nailing the CKS exam as there are a lot of tools involved here. This post helps in summarizing all of them. You can read my blog on preparing for CKS here.

Techniques

Ways to get secret

From inside a pod

  • Exec into the pod and look into env cmd for secrets as env var.
  • Exec into the pod and look into mount cmd for mounted secrets.

From worker node

  • crictl ps to get containers and pods.
  • crictl inspect CONTAINERID to get secrets as env vars OR mounted paths from host.
  • Can also get pid from above cmd and then search in the /proc/PID_NUMBER/environ file OR /proc/PID_NUMBER/fd/SOME_NUMBER.

From master node

  • Get certs from /etc/kubernetes/pki folder.
  • Use ETCDCTL cmd to get secret.

Linux Commands

crictl

  • CLI for CRI-compatible container runtimes which can be used to inspect and debug container runtimes and applications on a Kubernetes node.
  • Works well with logs and tools like Falco which log container id.
  • Cmd
    • crictl ps - Gives pod name, pod id and container id.
    • crictl ps | grep CONTAINER_ID
    • crictl ps -id CONTAINER_ID - Similar to crictl ps output but with headers.
    • crictl pods -id POD_ID - Gives pod name, pod id and k8s namespace.
    • crictl inspect CONTAINER_ID

strace

  • Chapter - Runtime Security
  • Intercepts and logs system calls and signals.
  • Cmd
    • strace ls
    • strace -cw ls - count and summarise cmd outputs
    • strace -p 3502
    • strace -p 1234 -cw -f
      • -f is very important here. Allows for fork processed…else it will show blank for lots of api calls made from process being examined (k8s API server). Ctrl c to stop and see.

proc folder

  • Chapter - Runtime Security
  • Storage of processes and communications with kernel.
  • Cmd
    • cd /proc/3502/exe
    • cd /proc/3502/fd && cat 7 | strings | grep SECRETVALUE -C10
      • Eg of cmd to find secret value stored recently in ETCD.
    • cat /proc/28696/environ
      • View env values including secrets of pod. PID can also be obtained via pstree -p.
  • Cmd
    • find FOLDER_PATH | grep FILE_NAME
    • grep -r “NEEDLE”
    • grep -E “NEEDLE1|NEEDLE2”

netstat

  • Chapter - System hardening
  • Cmd
    • netstat -plnt | grep 22

lsof

  • Chapter - System hardening
  • Cmd
    • lsof -i :22

systemctl

  • Chapter - System hardening
  • Similar to service cmd but format is different with action as 2nd word and noun as 3rd word.
  • Cmd
    • systemctl status falco
    • systemctl stop falco
    • systemctl start falco
    • systemctl restart falco
    • systemctl disable snapd
    • systemctl list-units

Tools

kube-bench

  • Cluster setup
  • Open source cluster scanner.
  • Can scan specific parts of the cluster.
  • Cmd
    • kube-bench run --targets=master
    • kube-bench run --targets=master –check=1.2.20
  • Ideal for IaC CI (post deployment or embedded inside integration test).

gVisor

  • Chapter - Microservice vulnerabilities.
  • User space sandbox for containers.
  • RuntimeClass resource for setting it up and linking to pod.
  • Runtime : runsc
  • Alternative : Kata containers (VM based).

OPA Gatekeeper

  • Chapter - Open Policy Agent
  • Open source policy engine.
  • 2 CRDs - ConstraintTemplate and the CRD on the name of the ConstraintTemplate.
  • Requires Rego code to be embedded inside ConstraintTemplate.

Kubesec.io

  • Chapter - Supply chain Security
  • Open source static code scanner.
  • Cmd
    • kubesec scan pod.yaml

OPA ConfTest

  • Chapter - Supply chain Security
  • Open source code scanner.
  • Need to write Rego code for tests.

Clair

  • Chapter - Supply chain Security
  • Container scanner (not image !)

Trivy

  • Chapter - Supply chain Security
  • Image scanner.
  • Cmd
    • trivy image nginx

Falco

  • Kernel tracing.
  • Add security rules to detect unwanted calls and automate response.
  • Built-in vars which can be used in security rules : Supported Fields for Conditions and Outputs Falco. - Might help in remembering commonly used vars like evt.time, container.id, k8s.pod.name etc.
  • Important files
    • /etc/falco/falco.yml - config and log path (eg : /var/log/syslog`).
    • /etc/falco/falco_rules.yaml
  • Cmd
    • tail -f /var/log/syslog | grep falco

AppArmor

  • Chapter - System hardening
  • Kernel hardening tool.
  • Kernel space sandbox for containers.
  • Can be used for containers.
  • For containers inside k8s pods, use annotation at pod metadata for each container and link to AA profile name.
  • Important files
    • /etc/apparmor.d
  • Cmd
    • aa-status
    • aa-genprof curl
    • aa-complain
    • aa-enforce
    • aa-logprof
    • apparmor_parser PATH_TO_AA_CONFIG
    • docker container run --security-opt apparmor=AA_PROFILE_NAME -d nginx

seccomp

  • Chapter - System hardening
  • Kernel hardening tool.
  • Kernel space sandbox for containers.
  • Moved away from pod annotation to SecurityContext for linking workloads.
  • Config json file kept in folder and linked to pod SecurityContext.
  • Important folders
    • /var/lib/kubelet/ - storage of config json file to be referenced in pod.

API Server Manifest changes

Note - Changes in the manifest will not delete services. You will have to delete them manually so that they can be automatically recreated by the kubelet monitoring the manifests.

RBAC

  • Chapter - Cluster hardening
  • Authorization mode.
  • Linked to api server manifest
    • --authorization-mode=Node,RBAC

PodSecurityPolicy

  • Chapter - Microservice vulnerabilities
  • Admission Controller for ensuring pods follow specific rules.
  • Linked to api server manifest
    • --enable-admission-plugins=PodSecurityPolicy
  • Deprecated. So wont find any document on it except the API ref doc which might help. Better to use an existing psp in the cluster.

ImagePolicyWebHook

  • Chapter - Supply chain Security
  • Admission Controller for ensuring rules on images downloaded.
  • Linked to api server manifest
    • --enable-admission-plugins=NodeRestriction,ImagePolicyWebHook
    • --admission-control-config-file=PATH_TO_JSON_OR_YAML_FILE
  • Add the directory to the host and mount attributes of yaml.
  • The yaml or json should reference a kubeconfig file.
  • Ensure the above kubeconfig file has the right remote server for checking image and k8s cluster info.

Audit Policy Logging

  • Chapter - Runtime Security
  • Linked to api server manifest
    • –audit-policy-file=/etc/kubernetes/audit/policy.yaml
    • --audit-log-path=/etc/kubernetes/audit/logs/audit.log
    • --audit-log-maxage=1
    • --audit-log-maxbackup=5
    • --audit-log-maxsize=500
  • Add the policy file to the host and mount attributes of yaml.
  • Add the logs directory to the host and mount attributes of yaml.

Secret encryption

  • Chapter - Microservice vulnerabilities
  • Config Linked to api server manifest
    • --encryption-provider-config=/etc/kubernetes/enc/enc.yaml
  • Add the EncryptionConfiguration folder to the host and mount attributes of yaml.




Feel free to share this article :

submit to reddit

Add your thoughts, questions, doubts, suggestions as comments below :