Contents
Chapter 3: Cluster Setup and Hardening
Certification exam scope
Cluster Setup (10%)
Use Network security policies to restrict cluster level access
Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
Properly set up Ingress objects with security control
Protect node metadata and endpoints
Minimize use of, and access to, GUI elements
Verify platform binaries before deploying
Cluster Hardening (15%)
Restrict access to Kubernetes API
Use Role Based Access Controls to minimize exposure
Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones
Update Kubernetes frequently
System Hardening (15%)
Minimize host OS footprint (reduce attack surface)
Minimize IAM roles
Minimize external access to the network
Appropriately use kernel hardening tools such as AppArmor, seccomp
Minimize Microservice Vulnerabilities (20%)
Setup appropriate OS level security domains
Manage Kubernetes secrets
Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers)
Implement pod to pod encryption by use of mTLS
Supply Chain Security (20%)
Minimize base image footprint
Secure your supply chain: whitelist allowed registries, sign and validate images
Use static analysis of user workloads (e.g. Kubernetes resources, Docker files)
Scan images for known vulnerabilities
Monitoring, Logging and Runtime Security (20%)
Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities
Detect threats within physical infrastructure, apps, networks, data, users and workloads
Detect all phases of attack regardless where it occurs and how it spreads
Perform deep analytical investigation and identification of bad actors within environment
Ensure immutability of containers at runtime
Use Audit Logs to monitor access
---
CKS
For end-to-end security all 4 layers must be protected: physical infrastructure -> k8s cluster -> Container -> Code
Chapter 3: Cluster Setup and Hardening
Kube-bench
Download link: https://github.com/aquasecurity/kube-bench/releases
wget https://github.com/aquasecurity/kube-bench/releases/download/v0.9.2/kube-bench_0.9.2_linux_amd64.deb
dpkg -i kube-bench_0.9.2_linux_amd64.deb
kube-bench run                                  # scan every target that applies to this host
kube-bench run --targets etcd                   # or one of: master | node | controlplane | etcd | policies
kube-bench --config-dir /etc/kube-bench/cfg --config /etc/kube-bench/cfg/config.yaml -v10
To understand what kube-bench actually checks for each item, download the .tar.gz release and extract it. It contains the cfg directory (installed as /etc/kube-bench/cfg by the .deb) with the YAML test definitions: for every check, the audit command that is run against the Kubernetes cluster, the expected value, and the remediation text.
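As an added example (this is not kube-bench's own code), the script below re-implements what one of those cfg test definitions does: run the audit command (for the API server kube-bench greps `ps -ef`), pull a flag out of the output and compare it with the expected value, then print the result in kube-bench's [PASS]/[FAIL] layout and count failures so the output can gate a pipeline. The kube-apiserver process line is constructed, and the check IDs and texts follow the layout of the CIS control-plane section but are illustrative; confirm the numbering against the benchmark version in your cfg directory.

```shell
#!/bin/sh
# Added example (not kube-bench's own code): re-implements what a kube-bench
# check definition does. kube-bench runs an "audit" command (for the API server:
# ps -ef | grep kube-apiserver), extracts a flag from the output and compares it
# with an expected value. IDs/texts below mirror the CIS control-plane section
# but are illustrative; the kube-apiserver line is constructed.

# Constructed `ps -ef` line for a kubeadm-style API server (assumed flags).
# On a real control plane: APISERVER_CMDLINE=$(ps -ef | grep '[k]ube-apiserver') sh check.sh
SAMPLE_APISERVER_PS='root 1234 1 2 10:00 ? 00:01:00 kube-apiserver --advertise-address=10.0.0.10 --anonymous-auth=true --authorization-mode=Node,RBAC --profiling=false --secure-port=6443'
APISERVER_CMDLINE=${APISERVER_CMDLINE:-$SAMPLE_APISERVER_PS}

# flag_value CMDLINE FLAG -> prints the value of FLAG (--flag=value or --flag value);
# prints nothing and returns 1 when the flag is absent.
flag_value() {
  cmdline=$1; flag=$2
  set -f; set -- $cmdline; set +f      # split on whitespace, no glob expansion ('?' in ps output)
  while [ $# -gt 0 ]; do
    case "$1" in
      "$flag"=*) printf '%s\n' "${1#*=}"; return 0 ;;
      "$flag")   v=${2:-}; case "$v" in --*) v= ;; esac; printf '%s\n' "$v"; return 0 ;;
    esac
    shift
  done
  return 1
}

# check ID TEXT FLAG OP EXPECTED -> prints a kube-bench style result line.
# OP mirrors kube-bench's compare ops: eq (exact value), has (EXPECTED is one of the
# comma-separated values, e.g. --authorization-mode=Node,RBAC), set (flag present).
check() {
  id=$1; text=$2; flag=$3; op=$4; want=$5
  if actual=$(flag_value "$APISERVER_CMDLINE" "$flag"); then present=1; else present=0; fi
  status=FAIL
  case "$op" in
    set) if [ "$present" -eq 1 ]; then status=PASS; fi ;;
    eq)  if [ "$present" -eq 1 ] && [ "$actual" = "$want" ]; then status=PASS; fi ;;
    has) case ",$actual," in *",$want,"*) status=PASS ;; esac ;;
  esac
  printf '[%s] %s %s (%s is %s)\n' "$status" "$id" "$text" "$flag" "${actual:-unset}"
}

run_checks() {
  check 1.2.1  'Ensure that the --anonymous-auth argument is set to false'   --anonymous-auth     eq  false
  check 1.2.7  'Ensure that the --authorization-mode argument includes Node'  --authorization-mode has Node
  check 1.2.8  'Ensure that the --authorization-mode argument includes RBAC'  --authorization-mode has RBAC
  check 1.2.15 'Ensure that the --profiling argument is set to false'         --profiling          eq  false
  check 1.2.17 'Ensure that the --audit-log-path argument is set'             --audit-log-path     set ''
}

# fail_count -> number of [FAIL] lines; anything above 0 is what a CI gate blocks on
fail_count() { run_checks | grep -c '^\[FAIL\]' || true; }

run_checks
echo "$(fail_count) check(s) failed"
```

On the constructed line two checks fail: anonymous auth is still on and no audit log path is configured, which is exactly what the kube-bench remediation text tells you to fix in /etc/kubernetes/manifests/kube-apiserver.yaml on a kubeadm control plane.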
Trivy
Download: https://github.com/aquasecurity/trivy/releases
wget https://github.com/aquasecurity/trivy/releases/download/v0.57.1/trivy_0.57.1_Linux-64bit.deb
dpkg -i trivy_0.57.1_Linux-64bit.deb
trivy image nginx:1.26.0
trivy k8s --report summary kubernetes-admin@kubernetes
trivy image --severity HIGH,CRITICAL nginx:1.26.0
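The commands above print a report; in a pipeline the scan must also decide. Below is an added example (not Trivy's own code) that keeps the JSON report from `trivy image`, counts findings per severity without needing jq on the runner, and fails the build on any CRITICAL or on more HIGH findings than a threshold. The image name, file paths and thresholds are assumptions, and the sample report is constructed.

```shell
#!/bin/sh
# Added example (not Trivy's own code): keep the JSON report from `trivy image`
# and gate a CI build on it. Image name, file paths and thresholds are assumptions.

# count_severity REPORT SEVERITY -> number of findings with that severity.
# Trivy's JSON writes each finding with "Severity": "<LEVEL>", so a grep is
# enough when jq is not installed on the runner.
count_severity() {
  grep -o "\"Severity\": *\"$2\"" "$1" | wc -l | tr -d ' '
}

# scan_image IMAGE REPORT -> JSON report of HIGH/CRITICAL findings that have a fix.
# --ignore-unfixed keeps the gate actionable (a rebuild can actually clear it);
# --exit-code 0 leaves the pass/fail decision to gate() below.
scan_image() {
  trivy image --format json --output "$2" --severity HIGH,CRITICAL \
    --ignore-unfixed --exit-code 0 "$1"
}

# gate REPORT MAX_HIGH -> returns 0 when there is no CRITICAL finding and at most
# MAX_HIGH HIGH findings, otherwise 1.
gate() {
  crit=$(count_severity "$1" CRITICAL)
  high=$(count_severity "$1" HIGH)
  echo "CRITICAL=$crit HIGH=$high (HIGH allowed: $2)"
  [ "$crit" -eq 0 ] && [ "$high" -le "$2" ]
}

# Constructed report, shaped like `trivy image --format json` output and reduced
# to the fields the gate reads (the CVE IDs are placeholders, not real advisories).
SAMPLE_REPORT=${TMPDIR:-/tmp}/trivy-sample-report.json
cat > "$SAMPLE_REPORT" <<'EOF'
{
  "Results": [
    {
      "Target": "nginx:1.26.0 (debian 12.5)",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "CRITICAL", "FixedVersion": "1.2.3"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample", "Severity": "HIGH", "FixedVersion": "1.2.3"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib1g", "Severity": "HIGH", "FixedVersion": "1:1.3.dfsg-1"}
      ]
    }
  ]
}
EOF

if [ -n "${SCAN_IMAGE:-}" ]; then
  # Real run, e.g.: SCAN_IMAGE=nginx:1.26.0 sh trivy-gate.sh
  scan_image "$SCAN_IMAGE" trivy-report.json
  gate trivy-report.json 0 || { echo "build blocked by image vulnerabilities"; exit 1; }
else
  gate "$SAMPLE_REPORT" 0 || echo "gate would block this build (expected for the sample)"
fi
```

If all you need is a hard stop, `trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed IMAGE` does it in one command; the script is for the case where the counts should be reported and the HIGH threshold tuned per image.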
ufw
#Refer: https://blog.rtsp.us/ufw-uncomplicated-firewall-cheat-sheet-a9fe61933330
#Refer: https://manpages.ubuntu.com/manpages/oracular/en/man8/ufw.8.html
ufw enable|disable|reload
ufw show added
ufw show listening
ufw status [verbose|numbered]
# Default policy for ALL incoming/outgoing/routed traffic (rules below are exceptions to it)
ufw default allow|deny|reject [incoming|outgoing|routed]
ufw default reject incoming
ufw default allow outgoing
ufw default deny routed
# Basic rule
ufw allow 80/tcp
ufw allow ssh|http|https
# Full rule syntax; the parts must appear in this order
ufw [rule] [delete] [insert NUM] [prepend]
allow|deny|reject|limit
[in|out [on INTERFACE]]
[log|log-all]
[proto PROTOCOL]
[from ADDRESS [port PORT | app APPNAME ]]
[to ADDRESS [port PORT | app APPNAME ]]
[comment COMMENT]
# Example:
## specific incoming interface
ufw allow in on eth0 proto tcp to any port 22
ufw allow in on eth0 to any port ssh
## specific source ip
ufw allow from 192.168.1.0/24 proto tcp to any port 22
ufw allow from 172.16.1.10 proto tcp to any port 80
ufw allow from 172.16.1.10 proto tcp to any port 443
## or both
ufw allow in on eth0 from 192.168.1.0/24 to any port 22
# Turn ufw logging on/off and set the log level (off|low|medium|high|full)
ufw logging on|off|LEVEL
ufw logging full
tail -f /var/log/ufw.log
# Other
ufw show REPORT
ufw app list|info|default|update
ufw [delete] [insert NUM] [prepend] allow|deny|reject|limit [in|out] [log|log-all] [ PORT[/PROTOCOL] | APPNAME ] [comment COMMENT]
ufw [rule] [delete] [insert NUM] [prepend] allow|deny|reject|limit [in|out [on INTERFACE]] [log|log-all] [proto PROTOCOL] [from ADDRESS [port PORT | app APPNAME ]] [to ADDRESS [port PORT | app APPNAME ]] [comment COMMENT]
ufw route [delete] [insert NUM] [prepend] allow|deny|reject|limit [in|out on INTERFACE] [log|log-all] [proto PROTOCOL] [from ADDRESS [port PORT | app APPNAME]] [to ADDRESS [port PORT | app APPNAME]] [comment COMMENT]
ufw delete NUM
#Reset
ufw reset
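The cheat sheet above lists the individual commands; what the System Hardening domain asks for is a complete node policy built from them. The script below is an added example, not part of the original notes or of ufw: it writes the rule set for a Kubernetes node as data so it can be reviewed and diffed, then applies it with a deny-by-default inbound policy. The interface name, the admin CIDR and the node CIDR are assumptions; the ports are Kubernetes' documented defaults (6443 API server, 2379-2380 etcd, 10250 kubelet, 30000-32767 NodePort).

```shell
#!/bin/sh
# Added example, not part of the original notes or of ufw: a host firewall for a
# Kubernetes node, written as data so it can be reviewed and diffed before it is
# applied. Interface, admin and node CIDRs are assumptions; the ports are the
# standard kubeadm ones (6443 API server, 2379-2380 etcd, 10250 kubelet,
# 30000-32767 NodePort).

ADMIN_CIDR=${ADMIN_CIDR:-192.168.1.0/24}   # where operators SSH / run kubectl from (assumed)
NODE_CIDR=${NODE_CIDR:-10.0.0.0/24}        # addresses of the cluster nodes (assumed)
IFACE=${IFACE:-eth0}                       # the node's primary interface (assumed)

# node_rules ROLE -> one ufw rule per line (everything after "ufw"); ROLE is
# control-plane or worker. Anything not listed is dropped by the default policy.
node_rules() {
  case "$1" in control-plane|worker) ;; *) echo "unknown role: $1" >&2; return 1 ;; esac
  # limit = allow plus rate limiting (6 connections per 30 s per source) against SSH brute force
  echo "limit in on $IFACE proto tcp from $ADMIN_CIDR to any port 22 comment 'ssh from admin net'"
  # kubelet API, called by the API server (exec/logs/metrics); never expose it wider than the nodes
  echo "allow in on $IFACE proto tcp from $NODE_CIDR to any port 10250 comment 'kubelet api'"
  if [ "$1" = control-plane ]; then
    echo "allow in on $IFACE proto tcp from $NODE_CIDR to any port 6443 comment 'kube-apiserver from nodes'"
    echo "allow in on $IFACE proto tcp from $ADMIN_CIDR to any port 6443 comment 'kube-apiserver from admins'"
    # etcd holds every Secret in the cluster: only the control plane needs it, so narrow
    # NODE_CIDR to the control-plane addresses if they have a range of their own
    echo "allow in on $IFACE proto tcp from $NODE_CIDR to any port 2379:2380 comment 'etcd client and peer'"
  else
    # widen the source to your load balancer range if NodePorts are reached through it
    echo "allow in on $IFACE proto tcp from $NODE_CIDR to any port 30000:32767 comment 'NodePort services'"
  fi
}

# apply_rules ROLE -> set default policies, load the rules, enable. With DRY_RUN=1
# ufw prints the iptables changes it would make instead of applying them.
apply_rules() {
  dry=${DRY_RUN:+--dry-run}
  ufw $dry default deny incoming
  ufw $dry default allow outgoing
  # No "default deny routed" here: on a node the FORWARD chain also carries pod
  # traffic handled by the CNI; tighten it only after adding `ufw route allow`
  # rules for the pod and service CIDRs and re-testing pod-to-pod connectivity.
  node_rules "$1" | while IFS= read -r rule; do
    eval "ufw $dry $rule"    # eval keeps the quoted comment as a single argument
  done
  ufw $dry logging low
  ufw $dry --force enable
}

case "${1:-}" in
  apply) apply_rules "${2:-worker}" ;;   # e.g. DRY_RUN=1 sh node-fw.sh apply control-plane
  *)     node_rules "${1:-worker}" ;;    # print the rule set for review
esac
```

Review the generated rules first (`sh node-fw.sh control-plane`), preview with `DRY_RUN=1 sh node-fw.sh apply control-plane`, and only then apply; afterwards `ufw status numbered` should show exactly the lines node_rules printed, and `ufw show listening` should list no socket without a matching rule.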