Allowed resources

Kubernetes Documentation:

https://kubernetes.io/docs/ and their subdomains

https://kubernetes.io/blog/ and their subdomains

This includes all available language translations of these pages (e.g. https://kubernetes.io/zh/docs/)

Tools:

Trivy documentation https://aquasecurity.github.io/trivy/

Falco documentation https://falco.org/docs/ (this includes all available language translations of these pages, e.g. https://falco.org/zh/docs/)

AppArmor documentation https://gitlab.com/apparmor/apparmor/-/wikis/Documentation

Preview

  • run time_left on the work pc to check the remaining time
  • run check_result on the work pc to check your result

Questions

1 Container Runtime Sandbox gVisor
Task weight 4%
Cluster cluster1 (kubectl config use-context cluster1-admin@cluster1)
Acceptance criteria:
- runsc is installed on node2 (label node_name=node_2)
- create RuntimeClass gvisor with handler runsc
- add label RuntimeClass=runsc to node2
- update the Pods in Namespace team-purple to use RuntimeClass gvisor
- make sure the Pods run on the node with gVisor
- write the dmesg output of one of the successfully started Pods into /var/work/tests/artifacts/1/gvisor-dmesg
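Manifests for the RuntimeClass and for moving a workload onto it, added here as an example; they are not part of the original question bank. The Deployment name web and its image are assumptions, since the page only says "the Pods in team-purple"; the only line that matters in it is runtimeClassName.

```yaml
# RuntimeClass pointing at the runsc (gVisor) handler. scheduling.nodeSelector
# makes the scheduler place Pods using this class only on nodes that carry the
# label from the task, so a Pod cannot silently land on a runc-only node.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
scheduling:
  nodeSelector:
    RuntimeClass: runsc
---
# Assumed workload in team-purple; only runtimeClassName is the actual change.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: team-purple
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      runtimeClassName: gvisor
      containers:
      - name: web
        image: nginx:1.19.2
```

kubectl get node -l node_name=node_2 gives node2's real node name for kubectl label node <name> RuntimeClass=runsc. Once a Pod is Running, kubectl -n team-purple exec <pod> -- dmesg prints gVisor's synthetic kernel log (it starts with "Starting gVisor..."), which is what goes into the artifact file; under runc the same command is refused or shows the host kernel log, so this doubles as the check that the sandbox is really in use.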

2 Image Vulnerability Scanning
Task weight 2%
Cluster cluster1 (kubectl config use-context cluster1-admin@cluster1)
Acceptance criteria:
- trivy is installed on the cluster worker node
- scan the images of all Pods in the team-xxx namespace for CRITICAL vulnerabilities. Keep the 2 of the 4 Deployments with the fewest CRITICAL findings; scale the other Deployments to 0 replicas.

3 Enable audit log
Task weight 7%
Cluster cluster2 (kubectl config use-context cluster2-admin@cluster2)
Acceptance criteria:
- log file: /var/logs/kubernetes-api.log
- policy file: /etc/kubernetes/policy/log-policy.yaml
- Secret resources in namespace prod: level Metadata
- ConfigMaps in namespace billing: level RequestResponse
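An audit policy that satisfies the two rules above, added here as an example rather than taken from the original page. The omitStages entry is my addition; the task does not ask for it.

```yaml
# /etc/kubernetes/policy/log-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage so each request produces one event
# (ResponseComplete) instead of two.
omitStages:
  - RequestReceived
rules:
  # Secrets in prod: Metadata only. Request/Response bodies would copy the
  # secret payloads into the log file, which is exactly what must not happen.
  - level: Metadata
    namespaces: ["prod"]
    resources:
      - group: ""
        resources: ["secrets"]
  # ConfigMaps in billing: full request and response bodies.
  - level: RequestResponse
    namespaces: ["billing"]
    resources:
      - group: ""
        resources: ["configmaps"]
  # Requests matched by no rule are not logged at all.
```

The policy only takes effect once kube-apiserver is started with --audit-policy-file=/etc/kubernetes/policy/log-policy.yaml and --audit-log-path=/var/logs/kubernetes-api.log, and the static Pod in /etc/kubernetes/manifests/kube-apiserver.yaml also needs hostPath volumes for /etc/kubernetes/policy (read-only) and /var/logs mounted into the container; forgetting the mounts is the usual reason the apiserver container never comes back. Check with kubectl -n prod get secret and then grep '"namespace":"prod"' /var/logs/kubernetes-api.log: the event must contain no requestObject or responseObject.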

4 CIS Benchmark
Task weight 3%
Cluster cluster3 (kubectl config use-context cluster3-admin@cluster3)
Acceptance criteria:
- the CIS Benchmark tool is installed on the nodes
- fix on the control plane:
  - 1.2.16 Ensure that the --profiling argument is set to false (Automated)
  - 1.3.2 Ensure that the --profiling argument is set to false (Automated)
  - 1.4.1 Ensure that the --profiling argument is set to false (Automated)

- fix on the worker node:
  - 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)
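The two configuration changes behind those findings, added as an example and not taken from the page. 1.2.x, 1.3.x and 1.4.x are the API server, controller manager and scheduler sections of the benchmark, so --profiling=false goes into all three static Pod manifests; the scheduler manifest below is a trimmed fragment with an assumed image tag, not a complete file to apply.

```yaml
# Worker node: /var/lib/kubelet/config.yaml (kubeadm's default kubelet config path).
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
# ... existing settings unchanged ...
protectKernelDefaults: true
---
# Control plane: the same one-line change in each of kube-apiserver.yaml,
# kube-controller-manager.yaml and kube-scheduler.yaml under
# /etc/kubernetes/manifests/. Shown for the scheduler only.
apiVersion: v1
kind: Pod
metadata:
  name: kube-scheduler
  namespace: kube-system
spec:
  containers:
    - name: kube-scheduler
      image: registry.k8s.io/kube-scheduler:v1.28.0   # assumed tag
      command:
        - kube-scheduler
        # ... existing flags unchanged ...
        - --profiling=false
```

The kubelet then refuses to start if the kernel settings differ from what it would otherwise set itself (vm.overcommit_memory=1, vm.panic_on_oom=0, kernel.panic=10, kernel.panic_on_oops=1, kernel.keys.root_maxkeys=1000000, kernel.keys.root_maxbytes=25000000); put those in /etc/sysctl.d/, run sysctl --system, then systemctl restart kubelet and watch journalctl -u kubelet for a kernel-tunables error. The static Pods restart on their own when the manifest files change. Re-run the benchmark tool afterwards; the page does not name it, kube-bench is the usual one.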

5 Secrets
Task weight 2%
Cluster cluster6 (kubectl config use-context cluster6-admin@cluster6)
Acceptance criteria: from the Secret db in Namespace team-5 save:
  - the user value to /var/work/tests/artifacts/5/user
  - the password value to /var/work/tests/artifacts/5/password
  - create a new Secret db-admin { user=xxx, password=yyyy }
  - create Pod db-admin in Namespace team-5, image viktoruj/cks-lab, command sleep 60000, and mount the Secret db-admin at /mnt/secret
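The new Secret and the Pod that mounts it, added here as an example (not the page's own solution).

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: db-admin
  namespace: team-5
type: Opaque
# stringData takes plain strings; the API server base64-encodes them into .data.
stringData:
  user: xxx
  password: yyyy
---
apiVersion: v1
kind: Pod
metadata:
  name: db-admin
  namespace: team-5
spec:
  containers:
  - name: db-admin
    image: viktoruj/cks-lab
    command: ["sleep", "60000"]
    volumeMounts:
    - name: secret
      mountPath: /mnt/secret
      readOnly: true
  volumes:
  - name: secret
    secret:
      secretName: db-admin
```

For the first part, kubectl -n team-5 get secret db -o jsonpath='{.data.user}' | base64 -d > /var/work/tests/artifacts/5/user (and the same for password): the values in .data are base64, so without the decode the artifact file contains the encoding, not the credential. Inside the Pod each key appears as a file, so kubectl -n team-5 exec db-admin -- cat /mnt/secret/user is the check.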

6 Set tls version and allowed ciphers for etcd, kube-api, kubelet
Task weight 6%
Cluster cluster4 (kubectl config use-context cluster4-admin@cluster4)
Acceptance criteria:
kube-api:
  - tls ciphers = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - tls min version 1.3

etcd:
  - tls ciphers = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
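The flags that implement this, added as an example rather than copied from the page. Both documents are trimmed fragments of the kubeadm static Pod manifests with assumed image tags; only the flags marked as added are the change.

```yaml
# /etc/kubernetes/manifests/kube-apiserver.yaml (fragment)
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
    - name: kube-apiserver
      image: registry.k8s.io/kube-apiserver:v1.28.0   # assumed tag
      command:
        - kube-apiserver
        # ... existing flags unchanged ...
        - --tls-min-version=VersionTLS13                                   # added
        - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   # added
---
# /etc/kubernetes/manifests/etcd.yaml (fragment)
apiVersion: v1
kind: Pod
metadata:
  name: etcd
  namespace: kube-system
spec:
  containers:
    - name: etcd
      image: registry.k8s.io/etcd:3.5.9-0   # assumed tag
      command:
        - etcd
        # ... existing flags unchanged ...
        - --cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   # added
```

One caveat worth knowing before an interview or a real hardening ticket: both suites in the list are TLS 1.2 suites, and Go (which both binaries are built with) does not let an application choose TLS 1.3 suites. With --tls-min-version=VersionTLS13 the API server will therefore negotiate only the built-in TLS 1.3 suites and the --tls-cipher-suites list is never used; the exam check looks at the flags, not at the handshake. Verify with openssl s_client -connect 127.0.0.1:6443 -tls1_2 (must fail) and -tls1_3 (must succeed), and for etcd add the client cert from /etc/kubernetes/pki/etcd/ to the same command on port 2379.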


7 Encrypt secrets in ETCD
Task weight 6%
Cluster cluster5 (kubectl config use-context cluster5-admin@cluster5)
Acceptance criteria:
1. create an encryption config (/etc/kubernetes/enc/enc.yaml):
  - provider aescbc
  - key1: MTIzNDU2Nzg5MDEyMzQ1Ng==
  - resources: secrets
2. create a new Secret test-secret in Namespace prod with password=strongPassword
3. re-encrypt all Secrets in the stage Namespace with the new config
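The EncryptionConfiguration for this task, added here as an example (not from the page). The identity entry is my addition; without it, Secrets written before encryption was switched on can no longer be read.

```yaml
# /etc/kubernetes/enc/enc.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # Order matters: the first provider encrypts new writes, every listed
      # provider is tried when reading. Putting identity first would keep
      # writing plaintext.
      - aescbc:
          keys:
            - name: key1
              # base64 of "1234567890123456": 16 bytes, i.e. AES-128-CBC
              secret: MTIzNDU2Nzg5MDEyMzQ1Ng==
      # identity last, so pre-existing unencrypted Secrets stay readable
      # until they are rewritten.
      - identity: {}
```

Wire it in with --encryption-provider-config=/etc/kubernetes/enc/enc.yaml in the kube-apiserver manifest plus a read-only hostPath mount of /etc/kubernetes/enc, then kubectl -n prod create secret generic test-secret --from-literal=password=strongPassword. Encryption is applied on write, so existing objects have to be rewritten: kubectl -n stage get secrets -o json | kubectl replace -f -. The check is reading a key straight from etcd, for example ETCDCTL_API=3 etcdctl --cacert /etc/kubernetes/pki/etcd/ca.crt --cert /etc/kubernetes/pki/etcd/server.crt --key /etc/kubernetes/pki/etcd/server.key get /registry/secrets/prod/test-secret | hexdump -C, which must show the k8s:enc:aescbc:v1:key1: prefix instead of readable JSON. Outside the lab note that the Kubernetes docs mark aescbc as not recommended (CBC padding-oracle exposure) and point at aesgcm, secretbox or a KMS provider; the task itself fixes the provider.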

8 Network policy
Task weight 6%
Cluster cluster6 (kubectl config use-context cluster6-admin@cluster6)
Acceptance criteria:
- create a default deny ingress policy in the prod-db Namespace
- create a policy that allows connections from the prod Namespace to prod-db
- create a policy that allows connections from Pods in the stage Namespace that have the label role=db-connect
- create a policy that allows connections from Pods in any Namespace that have the label role=db-external-connect
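The four policies, added as an example and not taken from the page. The namespaces are matched by the kubernetes.io/metadata.name label, which the API server sets on every Namespace, so no extra labelling of prod or stage is needed.

```yaml
# 1. Nothing reaches any Pod in prod-db unless another policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: prod-db
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# 2. Every Pod in the prod namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-prod
  namespace: prod-db
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: prod
---
# 3. Only labelled Pods in stage. namespaceSelector and podSelector sit in
#    ONE list item, so both must match (AND). Written as two items they
#    would be OR-ed and every Pod in stage would get in.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-stage-db-connect
  namespace: prod-db
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: stage
          podSelector:
            matchLabels:
              role: db-connect
---
# 4. Labelled Pods in any namespace: an empty namespaceSelector matches all
#    namespaces, the podSelector narrows it to the label.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-db-external-connect
  namespace: prod-db
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              role: db-external-connect
```

A podSelector on its own (no namespaceSelector) only matches Pods in prod-db itself, which is why policy 4 needs the empty namespaceSelector. Test from a throwaway Pod, e.g. kubectl -n stage run t --rm -it --labels role=db-connect --image=busybox -- wget -qO- --timeout=2 <db-pod-ip>:<port>, once with and once without the label.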

9 AppArmor
Task weight 3%
Cluster cluster6 (kubectl config use-context cluster6-admin@cluster6)
Acceptance criteria:
- install the AppArmor profile from /opt/course/9/profile (work pc) on the worker node of the cluster
- add the label security=apparmor to the Node
- create a Deployment named apparmor in the apparmor Namespace with:
  - image: nginx:1.19.2
  - container named c1
  - the AppArmor profile enabled
  - a nodeSelector for the worker node
- save the logs of the Pod into /var/work/tests/artifacts/9/log
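A Deployment manifest for this task, added as an example (not from the page). The profile name nginx-profile is an assumption: the real name is whatever follows "profile" on the first line of /opt/course/9/profile, and the annotation value must match it exactly.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: apparmor
  namespace: apparmor
spec:
  replicas: 1
  selector:
    matchLabels:
      app: apparmor
  template:
    metadata:
      labels:
        app: apparmor
      annotations:
        # Per-container annotation: container.apparmor.security.beta.kubernetes.io/<container name>.
        # "localhost/" means a profile already loaded into the node kernel.
        container.apparmor.security.beta.kubernetes.io/c1: localhost/nginx-profile   # name assumed
    spec:
      nodeSelector:
        security: apparmor
      containers:
      - name: c1
        image: nginx:1.19.2
```

Load the profile on the worker first (scp the file over, then apparmor_parser -q /opt/course/9/profile and confirm it with aa-status); if the kubelet cannot find the profile the Pod is rejected at admission or stays in a Blocked/CreateContainerError state and the annotation typo is the first thing to check. On Kubernetes 1.30 and later the same setting is also available as securityContext.appArmorProfile with type: Localhost and localhostProfile: nginx-profile, but an older API server rejects that field with strict validation, so pick one form. kubectl -n apparmor exec deploy/apparmor -- cat /proc/1/attr/current shows the profile and its mode, and kubectl -n apparmor logs deploy/apparmor > /var/work/tests/artifacts/9/log produces the artifact.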

10 Deployment security
Task weight 6%
Cluster cluster6 (kubectl config use-context cluster6-admin@cluster6)
Acceptance criteria: modify the Deployment secure in the secure Namespace so that:
- privilege escalation is prevented
- the root filesystem is read-only
- it runs with user id 3000
- it runs with group id 3000
- container c1 can still write to /tmp/
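The securityContext settings and the writable /tmp, added here as an example (not the page's own solution). The page does not say what image the Deployment uses, so the example borrows the lab image and sleep command used by other tasks on this page; only the securityContext, volumeMounts and volumes sections are the actual change.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: secure
  namespace: secure
spec:
  replicas: 1
  selector:
    matchLabels:
      app: secure
  template:
    metadata:
      labels:
        app: secure
    spec:
      # Pod-level: applies to every container unless overridden per container.
      securityContext:
        runAsUser: 3000
        runAsGroup: 3000
      containers:
      - name: c1
        image: viktoruj/cks-lab        # assumed; the page does not name the image
        command: ["sleep", "60000"]
        securityContext:
          allowPrivilegeEscalation: false   # no setuid/file-capability gain via execve
          readOnlyRootFilesystem: true      # everything outside mounted volumes is read-only
        volumeMounts:
        - name: tmp
          mountPath: /tmp
      volumes:
      - name: tmp
        emptyDir: {}
```

A read-only root filesystem breaks anything that writes to /tmp, /var/run or /var/cache, which is why the emptyDir is part of the task; for a real server image add one volume per such path. Check: kubectl -n secure exec deploy/secure -- sh -c 'id; touch /tmp/ok && echo tmp-writable; touch /ro || echo root-read-only' should print uid=3000 gid=3000, tmp-writable and root-read-only.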

11 RBAC
Task weight 6%
Cluster cluster6 (kubectl config use-context cluster6-admin@cluster6)
Acceptance criteria:
- update the existing permissions of ServiceAccount dev in Namespace rbac-1:
  - remove the verb delete for pods
  - add the verb watch for pods
- create a new Role dev in Namespace rbac-2:
  - resource configmaps, verbs get,list
- create a RoleBinding dev in rbac-2 binding ServiceAccount dev from Namespace rbac-1 to Role dev
- create Pod dev-rbac in Namespace rbac-1, image viktoruj/cks-lab, command sleep 60000, ServiceAccount dev
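The rbac-2 objects and the test Pod, added as an example (not from the page). The first edit is done in place with kubectl -n rbac-1 edit role <name> on whatever Role the SA's RoleBinding points at (kubectl -n rbac-1 get rolebinding -o wide shows which); that Role's name and remaining verbs are not given on the page, so it is not reproduced here.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev
  namespace: rbac-2
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev
  namespace: rbac-2        # the binding lives where the Role lives
subjects:
  # The subject may be a ServiceAccount from another namespace; the
  # namespace field is what makes this cross-namespace grant explicit.
  - kind: ServiceAccount
    name: dev
    namespace: rbac-1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev
---
apiVersion: v1
kind: Pod
metadata:
  name: dev-rbac
  namespace: rbac-1
spec:
  serviceAccountName: dev
  containers:
  - name: dev-rbac
    image: viktoruj/cks-lab
    command: ["sleep", "60000"]
```

Verify without touching the Pod: kubectl auth can-i delete pods -n rbac-1 --as=system:serviceaccount:rbac-1:dev must say no, kubectl auth can-i watch pods -n rbac-1 --as=system:serviceaccount:rbac-1:dev and kubectl auth can-i list configmaps -n rbac-2 --as=system:serviceaccount:rbac-1:dev must say yes, and the same list in rbac-1 must say no (the RoleBinding only grants in rbac-2).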

12 Falco, sysdig
Task weight 6%
Cluster cluster7 (kubectl config use-context cluster7-admin@cluster7)
Acceptance criteria: using falco or sysdig, produce a log in the format

time-with-nanoseconds,container-id,container-name,user-name,kubernetes-namespace,kubernetes-pod-name

for the Pod with image nginx and store it at /var/work/tests/artifacts/12/log
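A Falco rule producing that format, added here as an example (not the page's solution). The rule name, the spawned_process trigger and the endswith match are my choices; the field names are Falco's own (evt.time carries nanoseconds, k8s.ns.name and k8s.pod.name come from the container's Kubernetes labels).

```yaml
# Appended to /etc/falco/falco_rules.local.yaml, which Falco loads after the
# default rules, so the spawned_process macro defined there is available.
- rule: Process in nginx container
  desc: Any process started in a container whose image repository ends with nginx
  # endswith rather than equality: depending on the runtime the repository can
  # be reported as nginx, library/nginx or docker.io/library/nginx.
  condition: spawned_process and container.image.repository endswith "nginx"
  output: "%evt.time,%container.id,%container.name,%user.name,%k8s.ns.name,%k8s.pod.name"
  priority: NOTICE
  tags: [cks]
```

Falco prefixes every line with its own timestamp and the priority ("12:00:00.123456789: Notice ..."), so the raw output does not match the requested format. Collect for a fixed window and strip the prefix, e.g. falco -M 45 -r /etc/falco/falco_rules.local.yaml | sed 's/^[^ ]* [A-Za-z]* //' > /var/work/tests/artifacts/12/log, and trigger some activity in the nginx Pod with kubectl exec while it runs. Empty k8s.* fields mean Falco has no Kubernetes metadata for the container; on older Falco versions that needs the -k/--k8s-api option, on current ones the fields are filled from the container labels.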

13 Image policy webhook
Task weight 6%
Cluster cluster8 (kubectl config use-context cluster8-admin@cluster8)
Acceptance criteria: configure the image policy webhook:
  - admission config: /etc/kubernetes/pki/admission_config.json
  - webhook kubeconfig: /etc/kubernetes/pki/webhook/admission_kube_config.yaml
  - webhook URL: https://image-bouncer-webhook:30020/image_policy
create Pod test-latest in the default Namespace with image nginx

result: Error from server (Forbidden): pods test is forbidden: image policy webhook .... latest tag are not allowed

create Pod test-tag in the default Namespace with image nginx:alpine3.17

result: ok

14 Fix Dockerfile
Task weight 4%
Cluster any
Acceptance criteria: fix the Dockerfile /var/work/14/Dockerfile:
  - use the 20.04 version of the FROM image
  - run the app as myuser
  - build the image cks:14 (podman is installed on the work pc)

15 Pod Security Standard
Task weight 6%
Cluster cluster6 ( kubectl config use-context cluster6-admin@cluster6 )
Acceptance criteria: there is a Deployment container-host-hacker in Namespace team-red which mounts /run/containerd as a hostPath volume on the Node where it is running.
This means that the Pod can access various data about other containers running on the same Node.

To prevent this configure Namespace team-red to enforce the baseline Pod Security Standard.

Once completed, delete the Pod of the Deployment mentioned above.

Check the ReplicaSet events and write the event/log lines containing the reason why the Pod isn't recreated into /var/work/tests/artifacts/15/logs.
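The Namespace labels that enforce the standard, added as an example (not from the page). The warn label is my addition and changes nothing about what is admitted.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: team-red
  labels:
    # Reject any Pod that violates the baseline profile. hostPath volumes,
    # privileged containers, hostPID/hostNetwork and most added capabilities
    # are all baseline violations.
    pod-security.kubernetes.io/enforce: baseline
    # Optional: report (but do not block) what the stricter profile would reject.
    pod-security.kubernetes.io/warn: restricted
```

kubectl label ns team-red pod-security.kubernetes.io/enforce=baseline does the same without editing the object. Enforcement only applies to Pods created from then on, which is why the task has you delete the running Pod: the ReplicaSet tries to replace it and the admission plugin refuses. kubectl -n team-red describe rs -l app=<label> (or kubectl -n team-red get events --sort-by=.lastTimestamp) then shows a FailedCreate event whose message names the violated control, e.g. violates PodSecurity "baseline:latest": hostPath volumes; those lines go into /var/work/tests/artifacts/15/logs.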

16 Create a new user called john. Grant him access to the cluster. John should have permission to create, list and get pods in the development namespace.
Task weight 6%
Cluster cluster1 (kubectl config use-context cluster1-admin@cluster1)
Acceptance criteria:
- create the Namespace development
- create a private key and CSR
- CSR john-developer with status Approved
- Role name developer, Namespace development, resource pods, verbs create,list,get
- RoleBinding name developer-role-binding, role developer, user john, Namespace development
- access: user john has the appropriate permissions

17 Open Policy Agent - Blacklist Images from very-bad-registry.com
Task weight 6%
Cluster cluster9 (kubectl config use-context cluster9-admin@cluster9)
Acceptance criteria:
- it is not possible to run a Pod with an image from very-bad-registry.com
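An OPA Gatekeeper ConstraintTemplate and Constraint for this, added here as an example; the page does not say which OPA integration is installed, so Gatekeeper (and its CRD names below) is an assumption. The registry list is a parameter so the same template can block more than one host.

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sblockedregistries
spec:
  crd:
    spec:
      names:
        kind: K8sBlockedRegistries
      validation:
        openAPIV3Schema:
          type: object
          properties:
            registries:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sblockedregistries

        # Look at regular, init and ephemeral containers; an init container
        # is the classic way around a rule that only checks spec.containers.
        all_containers[c] { c := input.review.object.spec.containers[_] }
        all_containers[c] { c := input.review.object.spec.initContainers[_] }
        all_containers[c] { c := input.review.object.spec.ephemeralContainers[_] }

        violation[{"msg": msg}] {
          c := all_containers[_]
          registry := input.parameters.registries[_]
          # Match on the registry prefix including the slash, so that
          # "very-bad-registry.com.example.org/x" is not caught by accident.
          startswith(c.image, concat("", [registry, "/"]))
          msg := sprintf("container %v uses image %v from blocked registry %v", [c.name, c.image, registry])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockedRegistries
metadata:
  name: block-very-bad-registry
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    registries:
      - very-bad-registry.com
```

Matching Pods is enough to satisfy the criterion, because Pods created by Deployments and ReplicaSets go through admission too; the Deployment itself is accepted and its ReplicaSet then reports the denial in its events. kubectl run bad --image=very-bad-registry.com/nginx must be rejected with the message from the template, and kubectl get k8sblockedregistries block-very-bad-registry -o yaml shows totalViolations for Pods that already existed before the Constraint.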

18 Create Pod with Seccomp Profile. profile is located on work node /var/work/profile-nginx.json
Task weight 6%
Cluster cluster10 (kubectl config use-context cluster10-admin@cluster10)
Acceptance criteria:
- the Pod status is Running
- the Pod name is seccomp
- the image is nginx
- the seccomp profile is profile-nginx.json
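A Pod using the localhost profile, added as an example (not the page's solution). The profiles/ sub-directory under the kubelet's seccomp root is my choice; the root itself (/var/lib/kubelet/seccomp) is the kubelet default.

```yaml
# On the worker node, before creating the Pod:
#   mkdir -p /var/lib/kubelet/seccomp/profiles
#   scp /var/work/profile-nginx.json <node>:/var/lib/kubelet/seccomp/profiles/
# localhostProfile is relative to the kubelet seccomp root, not an absolute path.
apiVersion: v1
kind: Pod
metadata:
  name: seccomp
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: profiles/profile-nginx.json
  containers:
  - name: nginx
    image: nginx
```

If the file is missing on the node the Pod sticks in CreateContainerError and kubectl describe pod seccomp quotes the path the runtime tried to open; if the profile blocks a syscall nginx needs the container dies instead, which is the other reason "status is Running" is part of the criteria. kubectl exec seccomp -- grep Seccomp /proc/1/status must print Seccomp: 2 (filter mode); 0 means no filter was applied.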