CKS is the hardest Kubernetes certification — it requires a valid CKA first, and the exam focuses exclusively on security hardening. You need to know how to lock down clusters, detect threats, and apply defence-in-depth at every layer: OS, container runtime, Kubernetes API, and network. Expect tasks that require you to find and fix security misconfigurations under time pressure.
API server hardening: disable anonymous authentication (--anonymous-auth=false), disable the insecure HTTP port (--insecure-port=0), enable audit logging (--audit-policy-file, --audit-log-path), and enable the NodeRestriction admission plugin (limits each kubelet to modifying its own Node object and the Pods bound to it, so a compromised node cannot tamper with other nodes' objects). kubelet hardening: --protect-kernel-defaults=true, --read-only-port=0, --anonymous-auth=false, and certificate rotation (--rotate-certificates). Node OS hardening: apply the CIS benchmarks, disable unused kernel modules, apply AppArmor/seccomp profiles, and restrict SSH access. CIS Benchmark tool: kube-bench automates checking nodes and control plane components against the CIS Kubernetes Benchmark. Running it (docker run --pid=host -v /etc:/etc ... aquasec/kube-bench) is a common exam task — interpret the FAIL/WARN output.
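The flags above, placed where they actually live on a kubeadm node: a KubeletConfiguration (the kubelet's config.yaml) and the hardening-related lines of the kube-apiserver static pod manifest. This is an added example, not part of the original page or of any project's own files. The paths /var/lib/kubelet/config.yaml, /etc/kubernetes/audit and /var/log/kubernetes/audit are assumptions, and the apiserver fragment shows only the arguments and mounts relevant to hardening, to be merged into the existing manifest rather than replace it.

```yaml
# /var/lib/kubelet/config.yaml (kubeadm default location; assumed)
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false            # --anonymous-auth=false
  webhook:
    enabled: true             # delegate bearer-token checks to the API server
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: Webhook               # never AlwaysAllow
readOnlyPort: 0               # --read-only-port=0: closes the unauthenticated 10255 port
protectKernelDefaults: true   # --protect-kernel-defaults=true
rotateCertificates: true      # --rotate-certificates
---
# /etc/kubernetes/manifests/kube-apiserver.yaml: only the hardening-related parts
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    image: registry.k8s.io/kube-apiserver:v1.29.0   # placeholder tag; keep the one already in your manifest
    command:
    - kube-apiserver
    - --anonymous-auth=false
    - --authorization-mode=Node,RBAC
    - --enable-admission-plugins=NodeRestriction
    # --insecure-port=0 applies only to clusters older than v1.24; the flag was removed after that
    - --audit-policy-file=/etc/kubernetes/audit/policy.yaml
    - --audit-log-path=/var/log/kubernetes/audit/audit.log
    - --audit-log-maxage=30
    - --audit-log-maxbackup=10
    - --audit-log-maxsize=100
    volumeMounts:
    # Without these mounts the static pod cannot read the policy or write the log and crash-loops.
    - name: audit-policy
      mountPath: /etc/kubernetes/audit
      readOnly: true
    - name: audit-log
      mountPath: /var/log/kubernetes/audit
  volumes:
  - name: audit-policy
    hostPath:
      path: /etc/kubernetes/audit
      type: DirectoryOrCreate
  - name: audit-log
    hostPath:
      path: /var/log/kubernetes/audit
      type: DirectoryOrCreate
```

Restart the kubelet after editing config.yaml; the static pod is re-created automatically when its manifest changes. Two things to check before calling the task done: with protectKernelDefaults the kubelet refuses to start if the node's sysctls differ from the values it expects (vm.overcommit_memory, kernel.panic, kernel.panic_on_oops), so fix those with sysctl first; and if the API server does not come back, the usual cause is a flag typo or a missing volume mount, visible in the container logs under /var/log/pods on the control plane node.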
Pod Security Standards, enforced by Pod Security Admission (PSA): three levels — Privileged (unrestricted), Baseline (prevents known privilege escalations), Restricted (hardened, drops all capabilities). Enforced at namespace level via labels: pod-security.kubernetes.io/enforce: restricted. PSA replaced PodSecurityPolicy (PSP) in Kubernetes 1.25. Admission controllers: OPA Gatekeeper (Rego policies, ConstraintTemplate + Constraint resources), Kyverno (YAML-native policies). Common security policies: block privileged containers, require a non-root user, require a read-only root filesystem, require resource limits, restrict hostPath mounts. SecurityContext: runAsNonRoot, runAsUser/Group, fsGroup, allowPrivilegeEscalation: false, capabilities (add/drop; dropping ALL is the starting point and is what the Restricted profile requires), readOnlyRootFilesystem, seccompProfile (RuntimeDefault, or Localhost with a custom profile path).
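A namespace that enforces the Restricted standard, a pod that passes it (and also shows the immutable-filesystem pattern of readOnlyRootFilesystem plus an emptyDir for the one writable path), and a Kyverno ClusterPolicy that blocks privileged containers cluster-wide. This is an added example, not content from the original page or from the Kubernetes or Kyverno projects; the namespace payments, the pod name api and the image reference are constructed, and the digest is a placeholder.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: payments                                    # constructed example namespace
  labels:
    pod-security.kubernetes.io/enforce: restricted  # reject non-compliant pods
    pod-security.kubernetes.io/warn: restricted     # also warn the client
    pod-security.kubernetes.io/audit: restricted    # and annotate the audit event
---
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
spec:
  securityContext:                      # pod-level: inherited by every container
    runAsNonRoot: true
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault              # Restricted requires RuntimeDefault or Localhost
  containers:
  - name: api
    # placeholder digest (64 hex zeros); replace with the digest reported by your registry
    image: registry.example.com/team/api@sha256:0000000000000000000000000000000000000000000000000000000000000000
    ports:
    - containerPort: 8080
    securityContext:
      allowPrivilegeEscalation: false   # setuid binaries cannot gain privileges
      readOnlyRootFilesystem: true      # the image filesystem is immutable at runtime
      capabilities:
        drop: ["ALL"]                   # Restricted: drop everything; only NET_BIND_SERVICE may be added back
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 500m
        memory: 256Mi
    volumeMounts:
    - name: tmp
      mountPath: /tmp                   # the only writable path the app gets
  volumes:
  - name: tmp
    emptyDir: {}                        # allowed by Restricted; hostPath is not
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers
spec:
  validationFailureAction: Enforce      # Audit would only report violations
  background: true
  rules:
  - name: privileged-containers
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Privileged mode is disallowed. Set securityContext.privileged to false or omit it."
      pattern:
        spec:
          containers:
          - =(securityContext):         # conditional anchor: checked only if securityContext is present
              =(privileged): "false"
```

Apply the namespace first, then submit the pod once more with runAsNonRoot removed or privileged: true added: PSA rejects it at admission and the error lists every violated control by name, which is the fastest way to learn the Restricted checklist. Kyverno matches Pods here but auto-generates the equivalent rule for the controllers that create them (Deployments, StatefulSets and so on), so the check also applies to workloads that never create a Pod directly.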
NetworkPolicy enforcement requires a CNI plugin that supports it (Calico, Cilium, Weave — Flannel does not). Baseline network hardening: deny-all ingress and egress policies per namespace, then add specific allow rules. Service mesh mTLS: Istio enforces mutual TLS between services using PeerAuthentication (STRICT mode = mTLS required) and DestinationRule (TLS mode ISTIO_MUTUAL). Envoy sidecar proxies handle the TLS handshake transparently. mTLS prevents lateral movement even after a pod is compromised. Falco: runtime security tool that detects anomalous syscall activity. Rules written in YAML define conditions (fd.name startswith /etc and evt.type = open) and output (alert, log). Common exam task: write or modify a Falco rule to alert on shell spawned in a container.
Image signing and verification: Cosign signs OCI images, Sigstore provides the transparency log. Policy engines (Kyverno, Gatekeeper) can require signed images before admission. Always use specific image digests (image@sha256:...) rather than mutable tags in production to prevent image substitution attacks. Trivy: scans container images, Kubernetes manifests, and git repos for CVEs. Common exam usage: trivy image <image-name> --severity HIGH,CRITICAL to identify vulnerabilities. Distroless and minimal base images (Alpine, scratch) reduce attack surface. Audit logging: configure the audit policy to log RequestResponse for sensitive operations (secrets, exec, attach). Log to a file or webhook. Review logs for anomalous access patterns. Immutable container filesystems: combine readOnlyRootFilesystem with emptyDir or tmpfs mounts for writable directories the app needs.
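An audit policy matching the guidance above, as an added example that is neither the page's own file nor one from the Kubernetes project: RequestResponse for Secrets and for the exec, attach and port-forward subresources, Request for RBAC changes, Metadata for everything else, and a None rule to drop high-volume, low-value watch traffic. The file path is an assumption and must match the --audit-policy-file flag passed to the API server.

```yaml
# /etc/kubernetes/audit/policy.yaml (path assumed; must match --audit-policy-file)
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
- RequestReceived             # one event per request is enough; skip the "received" stage
rules:
# Rules are evaluated in order and the first match wins, so specific rules come first.
- level: None                 # kube-proxy watching endpoints: noise, not signal
  users: ["system:kube-proxy"]
  verbs: ["watch"]
  resources:
  - group: ""
    resources: ["endpoints", "services"]
- level: RequestResponse      # who read or changed which Secret, with the full object
  resources:
  - group: ""
    resources: ["secrets"]
- level: RequestResponse      # interactive access to containers
  resources:
  - group: ""
    resources: ["pods/exec", "pods/attach", "pods/portforward"]
- level: Request              # RBAC changes: record the request body, not the response
  resources:
  - group: "rbac.authorization.k8s.io"
    resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
- level: Metadata             # everything else: user, verb, resource and timestamp only
```

Two practical notes. A kubectl exec shows up in the log as verb create on the pods/exec subresource, so that is the field to filter on when reviewing who opened shells. And RequestResponse on Secrets writes the (base64) secret data into the audit log itself, which makes the log file as sensitive as the Secrets it records: keep its permissions tight and ship it to a protected backend, or drop that rule to Metadata if the log cannot be protected to that standard.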
Misconception: AppArmor profiles are stored in Kubernetes and automatically available to pods on any node.
Reality: AppArmor profiles are loaded on the node, not in the cluster — the node must have the profile before a pod can use it.
Misconception: Falco detects misconfigurations in Kubernetes YAML manifests before deployment.
Reality: Falco uses kernel syscall hooks (eBPF or kernel module) — it detects runtime behaviour, not static misconfigurations.
Misconception: Pinning an image to a digest provides complete protection against supply chain attacks.
Reality: Image digest pinning prevents tag mutation attacks, but it does not make the pinned image trustworthy: a malicious image published under that digest is pulled exactly as pinned. Signature verification and vulnerability scanning cover that gap.