Security in Cloud native with CKS — My Review
Today, i was qualified by CNCF as CKS or CKSS— Certified Kubernetes Security Specialist. This article is about my journey towards that.
Enjoy it … !
While my initial background is software engineering, i did not use my software engineering capabilities for only building web/mobile apps, however, i tried also to use this big speciality for the sake of others: infrastructure, security, networking, machine learning, .. so on.
I am doing that because i believe that #SRE (reliability engineering) cannot be reached without software engineering … everywhere.
Accordingly, being specialized in other fields is required for that purpose.
Marriage of security ♥ software engineering give a birth of 4 children 👨👩👧👦:
- Security as Code — Bake security in DNA
- Expose security features as services via API
- Automate everything so everything scales
- real security change management based on principles of release engineering which is a subfield of software engineering.
In software engineering, we learned that security is a non-functional requirement. However, i don’t think so, namely, when i got my hands dirty with Security on the Cloud (AWS) 5 years ago.
Five years ago, I was assigned the responsibility of maintaining the AWS infrastructure in term of production deployment, provisioning, security, HA, DR and in general DevOps. This was a big shift in my professional career; from pure software engineer to a cloud engineer.
That time, AWS architect speciality gave me the big picture; actually i was introduced to infra world for free.
That time, i practiced security on the cloud which is more complicated than security on-prem. Indeed, i found myself use the cloud to protect the cloud 😁 !!
That was really amazing days practicing cloud security on many layers: AWS WAF, security groups, ELB/ALB for mitigating DDoS, prewarming process and others.
2 years ago, i worked on Openshift OCP clusters. Openshift introduced me the topic of container security : rootless container, .. so on.
In summary, this was my background in security before hitting CKS.
Security in General
Security principles are 3:
i/ Defense in depth:
- Multi security layers (Layered defence )
- redundancy (vs RDY)
ii/ Least privileges
- give the access which just allows to do the work
iii/ Limiting the attach surface
- limiting/removing possibility for any attacker to even exploit anything in your system
A security framework should have 4 capabilities:
- directive :
Data security has 2 categories:
- Data security at rest ( data stored and archived)
- Data security in transit ( data in traffic )
Security in Cloud Native
3 categories of security in kubernetes :
- Host OS security ( Node OS)
- Kubernetes Cluster Security
- Application Security
Techs & topics related to k8s security:
- falco & sysdig
- appArmor & SECCOMP
- admission controller & webhooks
- and others
Tips for Preparation
- Try to make your hands dirty with practices.. always
- Apply whatever you learned in your daily work.
- Talk about this knowledge in meetups and others. this will help you solidifying your knowledge.
- You should not appear to exam without getting your hands dirty with Kim’s course: https://www.udemy.com/course/certified-kubernetes-security-specialist/
The exam lasts 2 hours with a cluster for each task.
I found that the exam is comfortable because of 3 reasons:
- the duration of exam is reasonable comparing with the number of tasks
- each task has its own cluster. which means a task execution cannot impact the others.
- Each task highlights notes/warning using a clear colored boxes. This help to avoid mistakes.
Tips for Exam
Managing your time
While you are allowed to access many websites during the exam , you should not be happy of this advantage because if you think that you will have time to read and learn during the exam, you may not finish the half of tasks.
Instead, You should use these websites to search quickly on the snippets of code that you need, copy it, edit it and apply it for your tasks.
Your speed can be boosted by 3 configuration :
- configuring kubectl autocomplete
- configuring vim with YAML to avoid TABs while adding new line
# cat ~/.vim
autocmd FileType yaml setlocal ai ts=2 sw=2 et
- handy aliases like “k” as alias of “kubectl”.. and this set of aliases can be concluded depending on how long you worked with kubernetes in your professional career.