☠️
smadi0x86 Playground
  • 💀Welcome to smadi0x86 Playground
    • 🍷Resources
    • 🚬Projects
    • 🎓Certifications
    • 📌Pinned
    • ❓Questions
    • 📞Contact
  • 🏞️Cloud Native
    • Docker
      • Quick Reference
      • Introduction
      • Containers
      • Images
      • Storage & Volumes
      • Security
      • Cheatsheet
    • Git
    • Serverless Framework
    • YAML
  • 🔨Software Engineering
    • System Design
    • Environment Variables
    • JSON Web Tokens
  • 👾Architecture
    • C Language
      • Introduction
      • Calling Conventions
      • GCC Compilation
      • Libraries & Linking
      • I/O
      • Files
      • Pointers
      • Dynamic Memory Allocation
      • Data Types
      • Strings Manipulation
      • Bit Manipulation
      • Pre-processors
      • Macros
      • Type Qualifiers
    • C/C++ Build Systems
      • Fundamentals for Linking
      • Symbolic Linking
      • Cross-Platform Compilation
      • CMake for Building and Linking
      • Shared Libraries
      • Dynamic Linking and Dependency Management
    • Operating Systems
      • OS & Architecture
      • Processes
      • CPU Scheduling
      • Memory Management
  • 🛩️Cyber Warfare
    • Flight Physics
    • Communication
      • PWM & PPM
      • MAVLink
  • 🏴‍☠️Offensive Security
    • Active Directory
      • Introduction
    • Web Attacks
      • Server Side
        • OS Command Injection
        • Information Disclosure
        • Directory Traversal
        • Business Logic
        • Authentication
        • File Upload
        • SSRF
      • Client Side
        • CSRF
        • XSS
    • Recon
      • Active
        • Host discovery
        • Nmap
        • Mass Scan
      • Passive
        • Metadata
      • Web Applications
        • Discovery
        • Subdomains & Directories
        • SSL Certs
        • CMS
        • WAF Detection
      • Firewall Evasion
  • Binary Exploitation
    • Stack Smashing
      • x86
      • x86_64
    • pwntools
      • Processes and Communication
      • Logging and Context
      • Cyclic
      • Packing
      • ELF
      • ROP
  • 😈Advanced Persistent Threat
    • C2
      • Sliver
    • Malware
      • Windows Internals
        • PEB
      • Academy
        • Basics
      • Sektor7
        • Essentials
  • 💌Certifications
    • AWS Certified Cloud Practitioner (CLF-C01)
      • Cloud Foundations
      • Domain 1: Cloud Concepts
      • Domain 2: Security and Compliance
      • Domain 3: Technology
      • Domain 4: Billing and Pricing
    • AWS Certified Solutions Architect - Associate (SAA-C03)
      • Foundation
    • Certified Kubernetes Administrator (CKA)
      • Core Concepts
      • Scheduling
      • Logging & Monitoring
      • Application Lifecycle Management
      • Cluster Maintenance
      • Security
      • Storage
      • Networking
      • Design Kubernetes Cluster
      • Kubernetes The Kubeadm Way
      • Troubleshooting
      • JSONPATH
      • Lightning Lab
      • Mock Exams
      • Killer Shell
    • Certified Kubernetes Security (CKS)
      • Foundation
      • Cluster Setup
      • Cluster Hardening
      • Supply Chain Security
      • Runtime Security
      • System Hardening
      • Killer Shell
    • (KGAC-101) Kong Gateway Foundations
      • Introduction to APIs and API Management
      • Introduction to Kong Gateway
      • Getting Started with Kong Enterprise
      • Getting Started with Kong Konnect
      • Introduction to Kong Plugins
  • 📜Blog Posts
    • Modern Solutions For Preventing Ransomware Attacks
Powered by GitBook
On this page
  • Network Security Policies
  • Network Policies
  • Multiple Network Policies
  • Practical
  • GUI Elements
  • Secure Ingress
  • Protect Node Metadata and Endpoints
  • CIS Benchmark
  • Verify Platform Binaries
  1. Certifications
  2. Certified Kubernetes Security (CKS)

Cluster Setup

Network Security Policies

Network Policies

Network policies are:

  • Firewall rules in k8s.

  • Implemented by the Network Plugins CNI (Calico, Weave)

  • Namespace Level

  • Restrict the Ingress and/or Egress for a group of pods based on certain rules and conditions.

Without Network Policies:

  • Every pod can access every pod.

  • Pods are not isolated.

We can apply network policies using:

  • Pod Selector

  • Namespace Selector

  • ipBlock

Multiple Network Policies

We can have multiple NPs selecting the same pods.

If a pod has more than one NP:

  • Then the union of all NPs is applied.

  • Order doesn't affect policy results.

Practical

Default Deny All

Allow Frontend Pods to talk to backend Pods

We need to set an egress rule for frontend pod so it can send traffic to the backend pod.

After that, we need to allow ingress rule on the backend pod so it can receive traffic from the frontend pod

**Due to the default-deny policy we created, it also blocks dns resolution, which means we can't run **kubectl exec frontend -- curl backend instead we have 2 choices:

  1. Get the IP of the backend and frontend and use them in the command using kubectl get po -o wide.

  2. We can create an egress policy to allow dns on port 53:

Allow backend pods to talk to database pods

  • Add egress rule to backend pod network policy with a namespaceSelector.

  • Create a new ingress rule for cassandra pod in cassandra namespace with a podSelector rule to allow backend pod traffic.

GUI Elements

Installing kubernetes dashboard

helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
helm upgrade --install kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard --create-namespace --namespace kubernetes-dashboard

Secure Ingress

How does ingress work?

Setting up an example ingress

  1. Deploy the ingress-controller:

 k apply -f https://raw.githubusercontent.com/killer-sh/cks-course-environment/master/course-content/cluster-setup/secure-ingress/nginx-ingress-controller.yaml
  1. Create an ingress resource which points to 2 services and the 2 services points to the pods respectively.

  2. Run 2 pods and expose them on port 80

  3. Test by running curl on the cks-master public ip and the NodePort of the ingress-controller:

curl http://x.x.x.x:34313/service1
curl http://x.x.x.x:34313/service2

Securing our example ingress

Now, we will do the same as before, but instead of

When trying to curl with https, we get an error:

A workaround would be to specify the -k (accept self-signed certificates) and it will work.

Also we can specify the -v flag to check debug outputs, we can see from it the fake certificate we are using which leads to the original error.

Protect Node Metadata and Endpoints

Cloud Platform Node Metadata

Cloud providers manage metadata server and the instances we spin up have access to these metadata servers.

Restrict access using Network Policies

Containers running on cloud instances have access to the metadata service, so what we can do is create network policies to allow/deny certain containers from accessing the metadata service.

CIS Benchmark

  • Best practices for the secure configuration of a target system

  • Covering more than 14 technology groups

CIS Benchmark has a PDF where you can see the defaults ok k8s security measures and the corresponding best practices for it, so you must apply the best practices.

Note: In exam you would have some rules and you must apply them, you don't need to access the PDF.

Running Kube-bench

We will be fixing 1.1.12

We go to the CIS Benchmark PDF to check the solution for it.

Now, we can run the Kube-bench command again to confirm it worked:

Every cloud provider has its own CIS Benchmarks for its managed kubernetes cluster, take a look at GKE CIS Benchmarks:

Verify Platform Binaries

Hashes

Every file has a unique fingerprint that can be generated using a hash, there are different algorithms to generate hashes (MD5, SHA1 etc...)

We can run sha512 sum command to check the hash of any file, then we can add it to a file and paste under it the original hash and then we can run cat compare.txt | uniq, if we got a single line as output, then both hashes are the same.

For example to compare the hash value of kube-api server binary:

  • Get our own kube-api server binary by running ps aux | grep apiserver and getting the process number (e.g: 1444).

  • After that we can run find /proc/1444/root/ | grep kube-api to get the full path of our current kube-api server binary.

  • Then run on the path sha256sum.

  • Compare both sums by piping them into uniq

PreviousFoundationNextCluster Hardening

Last updated 10 months ago

Download the and run sha256 sum on it.

https://github.com/aquasecurity/kube-bench/blob/main/docs/running.md
https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks
latest kube-api server
💌
Page cover image