Monday, 29 November 2010

note cks temp
Contents

CKS

Chapter 3: Cluster Setup and Hardening

Kube-bench

Trivy

ufw

SecurityContext

Limit user/Group

Capability

Seccomp

Log audit

Exam scope

Cluster Setup (10%)
Use Network security policies to restrict cluster level access
Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
Properly set up Ingress objects with security control
Protect node metadata and endpoints
Minimize use of, and access to, GUI elements
Verify platform binaries before deploying

Cluster Hardening (15%)
Restrict access to Kubernetes API
Use Role Based Access Controls to minimize exposure
Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones
Update Kubernetes frequently

System Hardening (15%)
Minimize host OS footprint (reduce attack surface)
Minimize IAM roles
Minimize external access to the network
Appropriately use kernel hardening tools such as AppArmor, seccomp

Minimize Microservice Vulnerabilities (20%)
Set up appropriate OS level security domains
Manage Kubernetes secrets
Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers)
Implement pod to pod encryption by use of mTLS

Supply Chain Security (20%)
Minimize base image footprint
Secure your supply chain: whitelist allowed registries, sign and validate images
Use static analysis of user workloads (e.g. Kubernetes resources, Docker files)
Scan images for known vulnerabilities

Monitoring, Logging and Runtime Security (20%)
Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities
Detect threats within physical infrastructure, apps, networks, data, users and workloads
Detect all phases of attack regardless where it occurs and how it spreads
Perform deep analytical investigation and identification of bad actors within environment
Ensure immutability of containers at runtime
Use Audit Logs to monitor access

---

CKS

For comprehensive security we need to protect all four layers: physical -> k8s cluster -> container -> code

Chapter 3: Cluster Setup and Hardening

Kube-bench

Download link: https://github.com/aquasecurity/kube-bench/releases

wget https://github.com/aquasecurity/kube-bench/releases/download/v0.9.2/kube-bench_0.9.2_linux_amd64.deb

dpkg -i kube-bench_0.9.2_linux_amd64.deb

kube-bench run                   # scan everything

kube-bench run --targets etcd    # or master|node|controlplane|etcd|policies

kube-bench --config-dir /etc/kube-bench/cfg --config /etc/kube-bench/cfg/config.yaml -v10

To understand how kube-bench checks each item, download the .tar.gz release and extract it: it contains the config set /etc/kube-bench/cfg, which holds the commands kube-bench runs against the Kubernetes cluster for each check.
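As an added example (not kube-bench's own code), the following simplified evaluator shows what such a cfg check does: a check in the same id/text/tests/test_items shape, a flag value read out of the audit command's output, and a compare rule applied to it. The check, the ps-style audit output and the operator subset are constructed for this illustration.

```python
"""Simplified kube-bench style check evaluator (added example, not kube-bench's code)."""
import shlex

# Constructed check in the shape kube-bench's cfg YAML uses (id/text/tests/test_items).
CHECK = {
    "id": "1.2.1",
    "text": "Ensure that the --anonymous-auth argument is set to false",
    "tests": {"bin_op": "and", "test_items": [
        {"flag": "--anonymous-auth", "compare": {"op": "eq", "value": "false"}},
    ]},
}

# Constructed stand-in for the audit command output (`ps -ef | grep kube-apiserver`).
AUDIT_OUTPUT = (
    "root 1234 1 0 10:00 ? 00:01:02 kube-apiserver "
    "--anonymous-auth=false --authorization-mode=Node,RBAC --secure-port=6443"
)

OPS = {  # subset of kube-bench compare operators; the caller lower-cases both sides
    "eq": lambda v, e: v == e,
    "has": lambda v, e: e in v.split(","),
}

def flag_value(audit_output, flag):
    """Return the value of `flag` (--flag=value or --flag value), or None if absent."""
    tokens = shlex.split(audit_output)
    for i, tok in enumerate(tokens):
        if tok.startswith(flag + "="):
            return tok[len(flag) + 1:]
        if tok == flag:  # value in the next token, or a bare boolean flag
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            return "" if nxt.startswith("--") else nxt
    return None

def evaluate_item(audit_output, item):
    """Presence check when there is no `compare`, otherwise apply the compare operator."""
    value = flag_value(audit_output, item["flag"])
    compare = item.get("compare")
    if compare is None:
        return value is not None
    if value is None:
        return False
    return OPS[compare["op"]](value.lower(), str(compare["value"]).lower())

def evaluate_check(audit_output, check):
    """Combine the test_items with bin_op (and/or) and report PASS/FAIL like kube-bench."""
    results = [evaluate_item(audit_output, it) for it in check["tests"]["test_items"]]
    combine = all if check["tests"].get("bin_op", "and") == "and" else any
    return "PASS" if combine(results) else "FAIL"
```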

Trivy

Download: https://github.com/aquasecurity/trivy/releases

wget https://github.com/aquasecurity/trivy/releases/download/v0.57.1/trivy_0.57.1_Linux-64bit.deb

dpkg -i trivy_0.57.1_Linux-64bit.deb

trivy image nginx:1.26.0

trivy k8s --report summary kubernetes-admin@kubernetes

trivy image --severity HIGH,CRITICAL nginx:1.26.0

ufw

# Refer: https://blog.rtsp.us/ufw-uncomplicated-firewall-cheat-sheet-a9fe61933330

# Refer: https://manpages.ubuntu.com/manpages/oracular/en/man8/ufw.8.html

ufw enable|disable|reload

ufw show added

ufw show listening

ufw status [verbose|numbered]

# Default policy: block ALL incoming/outgoing/routed traffic

ufw default allow|deny|reject [incoming|outgoing|routed]

ufw default reject incoming

ufw default allow outgoing

ufw default deny routed

# Basic rules

ufw allow 80/tcp

ufw allow ssh|http|https

# Every UFW rule is built from these parts, in this order

ufw [rule]

  [delete] [insert NUM] [prepend]

  allow|deny|reject|limit

  [in|out [on INTERFACE]]

  [log|log-all]

  [proto PROTOCOL]

  [from ADDRESS [port PORT | app APPNAME ]]

  [to ADDRESS [port PORT | app APPNAME ]]

  [comment COMMENT]

# Examples:

## specific incoming interface

ufw allow in on eth0 proto tcp to any port 22

ufw allow in on eth0 to any port ssh

## specific source ip

ufw allow from 192.168.1.0/24 proto tcp to any port 22

ufw allow from 172.16.1.10 proto tcp to any port 80

ufw allow from 172.16.1.10 proto tcp to any port 443

## or both

ufw allow in on eth0 from 192.168.1.0/24 to any port 22



# Enable ufw logging and set the log level

ufw logging on|off|LEVEL

ufw logging full

tail -f /var/log/ufw.log
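To make the output of `tail -f /var/log/ufw.log` actionable, here is an added example (not from the original notes) that parses [UFW BLOCK] lines and counts blocked inbound packets per source and destination port, so repeated blocked attempts against a node port such as 22 or 6443 stand out for review. The log lines are constructed samples in the format the kernel writes for logged ufw rules.

```python
"""Summarise [UFW BLOCK] entries from /var/log/ufw.log (added example, not from the notes)."""
import re
from collections import Counter

# Constructed sample lines in the format the kernel writes for ufw rules with logging on.
SAMPLE_LOG = """\
Nov 29 10:00:01 node1 kernel: [  120.123456] [UFW BLOCK] IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:08:00 SRC=203.0.113.9 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 29 10:00:02 node1 kernel: [  121.123456] [UFW BLOCK] IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:08:00 SRC=203.0.113.9 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 29 10:00:03 node1 kernel: [  122.123456] [UFW BLOCK] IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:08:00 SRC=203.0.113.9 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=40003 DPT=6443 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 29 10:00:04 node1 kernel: [  123.123456] [UFW ALLOW] IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:08:00 SRC=192.168.1.5 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 29 10:00:05 node1 kernel: [  124.123456] [UFW BLOCK] IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:08:00 SRC=198.51.100.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=5 PROTO=UDP SPT=5353 DPT=10250 LEN=20
"""

LINE_RE = re.compile(r"\[UFW (?P<action>[A-Z ]+?)\] (?P<fields>.*)$")

def parse_line(line):
    """Return (action, {FIELD: value}) for a ufw log line, or None for any other line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    fields = {}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        if sep:  # bare flags such as DF or SYN carry no '=' and are skipped
            fields[key] = val
    return m.group("action"), fields

def blocked_summary(log_text, iface="eth0"):
    """Count blocked inbound packets on `iface`, keyed by (SRC, PROTO, DPT)."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        action, f = parsed
        if action != "BLOCK" or f.get("IN") != iface:
            continue
        counts[(f.get("SRC"), f.get("PROTO"), f.get("DPT"))] += 1
    return counts

def noisy_sources(counts, threshold=2):
    """Sources whose blocked packets (across all ports) reach `threshold`: candidates to review."""
    per_src = Counter()
    for (src, _proto, _dpt), n in counts.items():
        per_src[src] += n
    return sorted(src for src, n in per_src.items() if n >= threshold)
```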

# Other

ufw show REPORT

ufw app list|info|default|update

ufw [delete] [insert NUM] [prepend] allow|deny|reject|limit [in|out] [log|log-all] [ PORT[/PROTOCOL] | APPNAME ] [comment COMMENT]

ufw [rule] [delete] [insert NUM] [prepend] allow|deny|reject|limit [in|out [on INTERFACE]] [log|log-all] [proto PROTOCOL] [from ADDRESS [port PORT | app APPNAME ]] [to ADDRESS [port PORT | app APPNAME ]] [comment COMMENT]

ufw route [delete] [insert NUM] [prepend] allow|deny|reject|limit [in|out on INTERFACE] [log|log-all] [proto PROTOCOL] [from ADDRESS [port PORT | app APPNAME]] [to ADDRESS [port PORT | app APPNAME]] [comment COMMENT]

ufw delete NUM

# Reset

ufw reset



SecurityContext

Limit user/Group

Capability

Seccomp

Log audit

https://blog.csdn.net/sinat_33076015/category_12426913.html

https://ai-feier.github.io/p/2024-cks-%E9%A2%98%E5%BA%93/

kubernetes-exercises/topics/README.md at main · jayendrapatil/kubernetes-exercises