Kubernetes Certified Security Associate (KCSA) Notes

https://www.cncf.io/certification/kcsa/

Kubernetes Certified Security Associate (KCSA) Notes

Table of Contents

• Exam
  • Outline
  • Changes
• Preparation
  • Study Resources
  • Practice
• Introduction
• Overview of Cloud Native Security
  • 4Cs of Cloud Native Security
  • Cluster Security
  • Pod Security
  • Code Security
  • Kubernetes Threat Models
    • Attack Vectors
    • Mitigations
  • Platform Security
    • Supply Chain Security
    • Artifact and Image Security
    • Policy Enforcement
  • Compliance Frameworks
    • GDPR
    • HIPAA
    • PCI DSS
    • CIS Benchmarks
  • Threat Modeling
    • STRIDE Framework
    • MITRE ATT&CK Framework
  • Observability and Incident Response
    • Monitoring and Logging
    • Incident Investigation Tools
• Kubernetes Cluster Component Security
  • Kube-api Server

Exam

Outline

• Exam Duration: 2 hours
• Number of Questions: 50
• Question Format: Multiple choice
• Passing Score: 66%
• Exam Cost: $300

Changes

Preparation

Study Resources

• Kubernetes Documentation: https://kubernetes.io/docs/

Practice

Introduction

The Kubernetes and Cloud Native Security Associate (KCSA) certification prepares individuals to secure Kubernetes environments and address modern cloud-native security challenges. This document consolidates core concepts, threat models, compliance standards, and best practices.

Overview of Cloud Native Security

4Cs of Cloud Native Security

1. Code: Secure development practices (e.g., avoid hardcoding secrets).
2. Container: Prevent privilege escalation, use minimal base images.
3. Cluster: Restrict API server access, encrypt etcd data.
4. Cloud: Use cloud-native tools for monitoring and securing infrastructure.

Cluster Security

• Harden the Kubernetes API server with role-based access control (RBAC).
• Disable anonymous authentication for kubelet communication.

Pod Security

• Use Pod Security Admission (PSA) to enforce best practices (e.g., no root users).
• Isolate sensitive workloads using namespaces and network policies.

Code Security

• Use static code analysis tools like SonarQube or Codacy.
• Store secrets securely using Kubernetes Secrets.

Kubernetes Threat Models

Attack Vectors

• Privilege Escalation: Exploiting weak RBAC configurations.
• Unauthorized Access: Using misconfigured service accounts.
• Data Theft: Exploiting unencrypted volumes or exposed secrets.

Mitigations

• Apply principle of least privilege with RBAC.
• Use encryption for both data at rest and in transit.
• Regularly scan images for vulnerabilities.

Platform Security

Supply Chain Security

• Use SBOMs (Software Bill of Materials) to track dependencies.
• Sign container images using tools like Cosign.

Artifact and Image Security

• Enforce vulnerability scanning with tools like Trivy or Clair.
• Ensure images come from trusted registries.

Policy Enforcement

• Use tools like Kyverno and OPA Gatekeeper to validate deployments.
• Enforce policies for image signatures, namespace isolation, and resource quotas.

Compliance Frameworks

GDPR

• Encrypt sensitive user data in transit and at rest.
• Implement RBAC to restrict access to personal data.

HIPAA

• Ensure secure handling of healthcare information using TLS and encrypted storage.
• Log and monitor access to healthcare data.

PCI DSS

• Segment payment data workloads with network policies.
• Regularly audit access controls and encryption compliance.

CIS Benchmarks

• Use kube-bench to check Kubernetes against CIS recommendations.
• Ensure secure API server and etcd configurations.

Threat Modeling

STRIDE Framework

• Spoofing: Prevent by enforcing strong authentication (e.g., mTLS).
• Tampering: Ensure data integrity with digital signatures.
• Information Disclosure: Encrypt all sensitive data.
• Denial of Service: Use resource quotas and rate limits.

MITRE ATT&CK Framework

• Focuses on real-world attack scenarios.
• Categories include Initial Access, Persistence, Privilege Escalation, and Defense Evasion.

Observability and Incident Response

Monitoring and Logging

• Use Prometheus for metrics collection and alerting.
• Use Fluentd or Elasticsearch for log aggregation and search.

Incident Investigation Tools

• Use Falco for runtime security alerts.
• Use Zeek and Snort for network intrusion detection.

Kubernetes Cluster Component Security

• Use TLS to ensure all traffic between cluster control-plane components is encrypted

Kube-API Server

• Kube-API server is at the center of all operations in a Kubernetes cluster
• In regards to security, we need to make 2 decisions, who can access the cluster, and what can they do?
  • Certificates
  • LDAP
  • Service Accounts
• Once they gain access to the cluster, what they can do is defined by authorization mechanisms:
  • RBAC
  • ABAC

Controller Manager and Scheduler

• Controller manager ensures nodes are healthy, manages pods and controllers, etc.
• The scheduler determines where (on which nodes) the pods can run on in a cluster
• To protect either of these components, you need to isolate them.

Kubelet

• Kubelet runs on the worker nodes and manages the node
• Kubelet registers the node with the control-plane
• Kubelet listens on 2 ports:
  • 10250: Serves API that allows full access
  • 10255: Serves API that allows unauthenticated, read-only access
• By default, kubelet allows anonymous access to it’s API.
  • curl -sk https://nodename:10250/pods/
  • curl -sk https://nodename:10250/logs/syslog/
  • curl -sk https://nodename:10255/metrics/
  • This can be disabled by setting anonymous-auth=false in the kubelet config
  • Kubelet supports 2 types of authentication, bearer token and certificate-based

Security the Container Runtime

• The container runtime is responsible for running the containers
• CRI (Container Runtime Interface) allows Kubernetes to use any container runtime that is compliant with CRI
• The most common container runtime is Docker, but others include containerd, cri-o, etc.
• You should configure pods and containers to run with least privileges by configuring the security context
• You should also scan the images for vulnerabilities before deploying them

Securing KubeProxy

• KubeProxy is responsible for managing the network in a Kubernetes cluster
• Ensure that proper permissions are set on the kube-proxy config file

  > px aux |grep -i kube-proxy |grep -i config - This will show the kube-proxy process and the config file it is using
  > ls -l /var/lib/kube-proxy/kube-config.conf - This will show the permissions on the kube-proxy config file
  

Pod Security

Pod Security Admission

• Pod Security Policies (PSP) are deprecated in Kubernetes 1.21
• Pod Security Admission (PSA) is the new way to enforce security policies on pods
• PSA is a webhook that intercepts pod creation requests and validates them against a set of policies

Securing etcd

• etcd is a distributed key-value store that stores the state of the cluster
• etcd is a critical component of the cluster and should be secured
• etcd should be configured to use TLS for encryption. To encrypt the database, you can create a EncryptionConfiguration object and pass it to the etcd pod

Kubernetes Security Fundamentals

Pod Security Admission

• Replaces pod security standards
• Meant to be safe and easy to use.
• Enabled by default. Runs as an admission controller.
• Applied to namespaces. To apply to a namespace, simply add a label:

  kubectl label ns <namespace> pod-security.kubernetes.io/<mode>=<security standard>
  

  • Modes:

    • What action to take if a pod violates the policy
    • The modes are: enforce, audit, warn

  • Standards:

    • These are built-in policies
    • They are: Privileged, baseline, and restricted

Authentication

• Kubernetes does not manage user accounts itself. It depends on an external service to do that.
• All authentication is managed by the kube-api server
• Kube-api server authenticates users via certificates, tokens, or an external service such as LDAP or Kerberos

Authorization

• Once someone or something is authenticated, what are they able to do? This is authorization.
• There are 6 different authorization modes in Kubernetes:
  • Node
  • ABAC
  • RBAC
  • Webhook
  • AlwaysAllow (the default)
  • AlwaysDeny
• Authorization mode can be configured on the kube-api server using the --authorization-mode flag

RBAC

• Role, ClusterRole, RoleBinding ClusterRoleBinding

Secrets

• Secrets are used to store sensitive information
• They are similar in concept to ConfigMaps
• Secrets are not encrypted, they are base64 encoded
• Secrets are only loaded on nodes where they are needed.

Namespaces

• Namespaces can be used to isolate or organize resources in a Kubernetes cluster
• RBAC can be applied to namespaces for authorization

Resource Quotas and Limits

Resource Requests and Limits

Resource Quotas

• Set a hard limit for resource requests and quotas defined on a pod

Limit Ranges

Security Context

• a Security Context gives you the ability to do several things:
  • run the container as a different UID/GID
  • make the root file system read-only
  • etc
• Some settings can be applied on the pod, and some can be applied on the container

Kubernetes Threat Model

• Threat modeling helps you identify potential threats, understand their impact, and put measures in place to prevent them
• Understand how traffic/data flows in the environment and identity vulnerabilities at each point

Persistence

• Once an attacker accesses the environment, the first goal is typically to establishpersistence.
• Persistence allows attackers to maintain access to a cluster

Denial of Service

• Set resource quotas to prevent excessive resource usage
• Restrict service account permissions
• Use Network Policies and firewalls to control access
• Monitor and alert on unusual activity

Platform Security

Observability

• Falco is a tool that can be used to monitor actions taken on cluster nodes, such as reading/writing files, etc.

Service Mesh

• A service mesh is a dedicated infrastructure layer for handling service-to-service communication
• It can handle service discovery, load balancing, encryption, etc.
• Istio is a popular service mesh

Istio

• Istio is a service mesh that provides a way to control how microservices share data with each other
• Istio works with Kubernetes and traditional workloads
• Istio uses a high-performance proxy service called Envoy to manage traffic between services

Certificates

Openssl

• You can use openssl to generate certificates for the cluster
• Generate keys: openssl genrsa -out my.key 2048
• Create a CSR: openssl req -new -key my.key -sub "/CN=KUBERNETES-CA" -out ca.csr
• Sign certificates: openss x509 -req -in ca.csr -signkey my.key -out ca.crt

Compliance and Security Frameworks

Compliance Frameworks

• Examples: GDPR, HIPAA, NIST, PCI DSS, CIS

GDPR

• Introduced by the European Union to protect the data of citizens

HIPAA

• A United States regulation used to control the access to health data

PCI DSS

• Used to protect payment data

NIST

• Created by the United States but recognized globally.
• Used to protect compute environments by doing regular security-related audits (pentests, etc.)

CIS

• CIS creates benchmarks for various environments such as operating systems and Kubernetes

Threat-Modeling Frameworks

• Threat-modeling frameworks defined how to achieve the compliance frameworks mentioned above
• Two thread-models of interests are STRIDE and MITRE

STRIDE

• Created and maintained by Microsoft
• Helps identity 6 categories of threats
  • Spoofing
  • Tampering
  • Repudiation
  • Information Disclosure
  • Denial of Service
  • Elevation of Privilege

MITRE

• 5 categories
  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
• https://microsoft.github.io/Threat-Matrix-for-Kubernetes/

Supply Chain Compliance

• Verify all the components (libraries, container images, etc.) that make up your application are secure and meet compliance requirements
• Securing the supply chain focuses on 4 main areas:
  • artifacts
  • metadata
  • attestations
  • policies

Reduce docker image size

• Smaller images are faster to download and deploy

• Smaller images are more secure

• Smaller images are easier to manage

• To reduce the size of a docker image:

  • Use a smaller base image
  • Use specific package/image versions
  • Make file-system read-only
  • Don’t run the container as root
  • Use multi-stage builds
  • Remove unnecessary files
  • Use a .dockerignore file to exclude files and directories from the image
  • Use COPY instead of ADD
  • Use alpine images
  • Use scratch images
  • Use distroless images

• Example of a multi-stage build:

  # build container stage 1
    FROM ubuntu
    ARG DEBIAN_FRONTEND=noninteractive
    RUN apt-get update && apt-get install -y golang-go
    COPY app.go .
    RUN CGO_ENABLED=0 go build app.go
  
  # app container stage 2
    FROM alpine:3.12.1 # it is better to use a defined tag, rather than 'latest'
    RUN addgroup -S appgroup && adduser -S appuser -G appgroup -h /home/appuser
    COPY --from=0 /app /home/appuser/app
    USER appuser # run as a non-root user
    CMD ["/home/appuser/app"]
  

• Dockerfile best practices: https://docs.docker.com/build/building/best-practices/

• Only certain docker directives create new layers in an image

  • FROM
  • COPY
  • CMD
  • RUN

• dive and docker-slim are two tools you can use to explore the individual layers that make up an image

Static Analysis

SBOM

• A SBOM is a list of all the software that makes up a container image (or an application, etc.)
• Formats
  • SPDX
    • The standard format for sharing SBOM
    • Available in JSON, RDF, and tag/value formats
    • More complex than CycloneDX due to it’s extensive metadata coverage
    • Comprehensive metadata including license information, origin, and file details
  • CycloneDX
    • A lightweight format focused on security and compliance
    • Available in JSON and XML formats
    • Simpler and more focused on essential SBOM elements
    • Focuses on component details, vulnerabilities, and dependencies

Kubesec

• Used for static analysis of manifests
• https://github.com/controlplaneio/kubesec

Syft

• Syft is a powerful and easy-to-use open-source tool for generating Software Bill of Materials (SBOMs) for container images and filesystems. It provides detailed visibility into the packages and dependencies in your software, helping you manage vulnerabilities, license compliance, and software supply chain security.
• Syft can export results in SPDX, CycloneDX, JSON, etc.
• To scan an image with syft and export the results to a file in SPDX format:

  syft scan docker.io/kodekloud/webapp-color:latest -o spdx --file /root/webapp-spdx.sbom
  

Grype

• Grype is a tool (also from Anchore) that can be used to scan SBOM for vulnerabilities
• To scan a SBOM with Grype:

  grype /root/webapp-sbom.json -o json --file /root/grype-report.json
  

Kube-linter

• Kube-linter can be used to lint Kubernetes manifests and ensure best practices are being followed
• kube-linter is configurable. You can disable/enable checks and even create your own custom checks
• kube-linter includes recommendations for how to fix failed checks
• https://github.com/stackrox/kube-linter

Scanning Images for Vulnerabilities

trivy

• trivy can be used to scan images for vulnerabilities
• https://github.com/aquasecurity/trivy
• Example:

    sudo docker run --rm  aquasec/trivy:0.17.2 nginx:1.16-alpine