KCSA Study Guide

2024-07-21 kubernetes security

When searching for Kubernetes and Cloud Native Security Associate (KCSA) study materials, I couldn’t find any that were both free
and high-quality. So, I’ve created this resource to guide you through the curriculum and provide free resources for your studies.

Overview
The Kubernetes and Cloud Native Security Associate (KCSA) exam demonstrates a user’s understanding of the baseline
security configuration of Kubernetes clusters to meet compliance objectives, including the ability to harden security
controls, test and monitor the security, and participate in assessing security threats and vulnerabilities.

The KCSA exam is fully remote and consists of 60 multiple-choice questions which have to be completed within 90 minutes.

This guide is a combination of my CKS notes and stuff I found online. See the sources for details.

If you find any inaccuracies or have suggestions for improvements, please reach out or open an issue in website-ref.

Study Guide
The KCSA curriculum can be found on the CNCF GitHub. I’ll be breaking up the guide into chunks based on the certs domains.

Overview of Cloud Native Security

Kubernetes Cluster Component Security
Kubernetes Security Fundamentals
Kubernetes Threat Model
Platform Security
Compliance and Security Frameworks

Overview of Cloud Native Security

This section makes up 14% of the exam

The 4Cs of Cloud Native Security

The four Cs of are Cloud, Cluster, Container, Code.

Cloud Provider and Infrastructure Security

Kubernetes | Cloud provider security

Controls and Frameworks

The OWASP Kubernetes Top Ten can be used to prioritize risk around Kubernetes.

Isolation Techniques

Namespaces
Network policies
Policies
Pod Security Standard
Pod Security Admission
Open Policy Agent
Kyverno
RBAC
Artifact Repository and Image Security

Kubernetes | Images

Workload and Application Code Security

Kubernetes | Workload protection

OWASP | Vulnerability Scanning OWASP | Container Vulnerability Scanning

Security Contexts

Kubernetes, as the container orchestration engine, can apply additional configuration to increase container security. You
do so by defining a security context. A security context defines privilege and access control settings for a Pod or a
container.

The user ID that should be used to run the Pod and/or container
The group ID that should be used for filesystem access
Granting a running process inside the container some privileges of the root user but not all of them

Kubernetes Cluster Component Security

This section makes up 22% of the exam

Kubernetes | Overview of Components

API Server

The core of Kubernetes’ control plane is the API server. The API server exposes an HTTP API that lets end users, different parts of
your cluster, and external components communicate with one another.

Kubernetes | Controlling API Access

DataDog | Kubernetes security fundamentals: API Security

Controller Manager

The Kubernetes controller manager is a daemon that embeds the core control loops shipped with Kubernetes. In applications of
robotics and automation, a control loop is a non-terminating loop that regulates the state of the system.

kube-controller-manager

Scheduler

The Kubernetes scheduler is a control plane process which assigns Pods to Nodes. The scheduler determines which Nodes are valid
placements for each Pod in the scheduling queue according to constraints and available resources.

Kubernetes | kube-scheduler

Kubelet

The kubelet is the primary “node agent” that runs on each node.

Sysdig | Securing Kubernetes components: kubelet

Kubernetes | Controlling access to the Kubelet

Container Runtime

The container runtime are installed on nodes and are what actually run containers.

Some of the common container runtimes are:

 containerd
CRI-O
Docker Engine

Kubernetes | Container socket

KubeProxy

The Kubernetes network proxy runs on each node. This reflects services as defined in the Kubernetes API on each node and can do
simple TCP, UDP, and SCTP stream forwarding or round robin TCP, UDP, and SCTP forwarding across a set of backends.

Pod

A Pod is a group of one or more containers, with shared storage and network resources, and a specification for how to run the
containers. A Pod’s contents are always co-located and co-scheduled, and run in a shared context.

Etcd

Etcd is a distributed, reliable key-value store for the most critical data of a distributed system and its used by Kubernetes.

Sysdig | Securing Kubernetes components: etcd

Kubernetes | etcd Risk

Container Networking

Kubernetes nodes should not be publicly exposed to the internet and access to the control plane nodes should be restricted.

https://www.tkng.io/

Client Security

Secure your kubeconfig file its used to authenticate to a cluster using the kubectl tool.

Storage

Kubernetes | Storage

Kubernetes Security Fundamentals

This section makes up 22% of the exam

Pod Security Standards

The Pod Security Standards define three different policies to broadly cover the security spectrum. These policies are cumulative and
range from highly-permissive to highly-restrictive. This guide outlines the requirements of each policy.

Level Behavior
privileged Fully unrestricted policy
baseline Minimally restrictive policy that covers crucial standards
restricted Heavily restricted policy following best practices for hardening Pods from a security perspective

Snyk | Understanding Kubernetes Pod Security Standards

Kubernetes | Enforcing Pod Security Standards

Pod Security Admission

Older versions of Kubernetes shipped with a feature called Pod Security Policies (PSP). Pod Security Policies are a
concept that help with enforcing security standards for Pod objects. Kubernetes 1.21 deprecated Pod Security Policies
 and introduced the replacement functionality Pod Security Admission. Kubernetes release 1.25 completely removed Pod
Security Policies

Pod Security admission controller to enforce the Pod Security Standards. Pod security restrictions are applied at the namespace level
when pods are created.

Mode Behavior
enforce Violations will cause the Pod to be rejected
audit Pod creation will be allowed. Violations will be appended to the audit log
warn Pod creation will be allowed. Violations will be rendered on the console

You can configure namespaces to define the admission control mode you want to use for pod security in each namespace by adding
the following label. A namespace can configure any or all modes, or even set a different level for different modes.
metadata:
labels:
pod-security.kubernetes.io/MODE: LEVEL

Kubernetes | Pod Security Admission

Authentication

Authentication is what grant you the ability to login (not do anything).

Kubernetes | Authenticating
DataDog | Kubernetes security fundamentals: Authentication
Kubernetes | Hardening Authentication

Authorization

Authorization is what grants permissions. In Kubernetes there a Roles (namespaced) and ClusterRoles (cluster level) they can be
granted to a target with RoleBinding and ClusterRoleBinding.

Here is an example creating a role and then attaching it the user johndoe.
kubectl create role developer \
--verb=create,get,list,update,delete \
--resource=pods

kubectl create rolebinding developer-binding-johndoe \

--role=developer \
--user=johndoe

Kubernetes | Authorization
Kubernetes | RBAC

Secrets

Any data stored in etcd exists in unencrypted key-value form, so access to the control plane node allows for reading Secrets in plain
text. One way to mitigate the situation is by encrypting the data stored in etcd. Access to etcd, either using etcdctl or by reading the
etcd data from the filesystem, would not expose human-readable, sensitive information anymore.

Service Accounts

Enforce mountable secrets To limit what secrets can be passed into the container (mounted/env) the annotation
kubernetes.io/enforce-mountable-secrets: "true" can be added to the serviceAccount to restrict access.

apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
 kubernetes.io/enforce-mountable-secrets: "true"
name: <SERVICE_ACCOUNT>
secrets:
- name: <SECRET_NAME>

Isolation and Segmentation

isolation-techniques
Kubernetes | Multi-tenancy
Namespaces logically isolate resources from one another.
Pods can be assigned to specific nodes with node selectors and restricted from assignment with node taints.

Audit Logging

Kubernetes | Auditing

Entries in the audit log exist in JSON Lines format and can consist of, but aren’t limited to, the following information:

What event occurred?

Who triggered the event?
When was it triggered?
Which Kubernetes component handled the request?

Network Policy

Network policies are used to restrict ingress and egress traffic to pods.

Isovalent provides a nice online network policy editor.

Policies are namespaces, they target pod based on labels attached to the pods. Here is an example of a rule that denys ingress and
egress to all (podSelector: {}) pods in the namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-ingress
namespace: NAMESPACE
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress

Another example that allows ingress to a backend service only from the frontend service in the same namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: backend
namespace: NAMESPACE
spec:
podSelector:
matchLabels:
tier: backend
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
ports:
- port: 3000

Kubernetes Threat Model

This section makes up 16% of the exam

 Kubernetes Security Testing Guide | Threat Model
TrendMico | Kubernetes Threat Modeling

Kubernetes Trust Boundaries and Data Flow

Trust Boundary or Zone segregates different components in a Data Flow Diagram based on sensitivity and level of access to critical
assets in the system.

Zone Description
Internet The externally facing, wider internet zone
API Server The master component, usually exposed to cluster users, needed for interaction with kubectl
Master Components Internal components of the master node that works via. callbacks and subscriptions to the API Server
Master Data The master data layer that stores the cluster state. Example: etcd
Worker The worker components that is required to add a node in the cluster and to run containers
Container The containers being orchestrated by the cluster

Persistence

A malicious techniques that enable access to a system long after an initial compromise

RedHat | Kubernetes Persistence

Denial of Service

A denial-of-service (DoS) attack occurs when legitimate users are unable to access information systems, devices, or other network
resources due to the actions of a malicious cyber threat actor.

CISA | Understanding Denial-of-Service Attacks

Malicious Code Execution and Compromised Applications in Containers

Update software, containers and cluster

Backups of key components (etcd, volumes, etc.)

Attacker on the Network

Network attacks are unauthorized actions on the digital assets within an organizational network.

HackTricks Cloud | Kubernetes Network Attacks

Access to Sensitive Data

Sensitive data is mainly access to the ectd data store which contains secrets, code (intellectual property) and volumes (like
databases).

Privilege Escalation

Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software
application to gain elevated access to resources that are normally protected from an application or user.

BishopFox | Bad Pods: Kubernetes Pod Privilege Escalation

HackTricks Cloud | Kubernetes Privilege Escalation Techniques

Platform Security

This section makes up 16% of the exam

Supply Chain Security

https://www.cncf.io/blog/2022/04/12/a-map-for-kubernetes-supply-chain-security/

Minimizing base images improves security by reducing the potential attack service by remove unneeded services. A cool project to
checkout is distroless

Use multi-stage builds to separate build from runtime and only include the necessary packages to run the application.

Image Repository

Image repositories store container images and can offer features such as vulnerability scanning

Example solutions:

Harbor
Docker Hub
AWS Gallery

Kubernetes | Authenticating to Private Registry

Observability

Logs from containers can easily be viewed with the following command.
kubectl logs <POD> -c <CONTAINER>

Metrics can be retrieved from the cluster and pods with the Metrics API.
kubectl top node

kubectl top pod <POD>

Falco is a tool that monitors the nodes container runtimes for security related events.

Service Mesh

A service mesh is an infrastructure layer that gives applications capabilities like zero-trust security, observability, and advanced
traffic management, without code changes.

OWASP | Securing Service Mesh

PKI

Kubernetes uses Public Key Infrastructure to authenticate all components of the cluster. This allows each component to verify each
other by verifying the certificate against the root certificate.

Kubernetes | Certificates Best Practices

Connectivity

Kubernetes | Cluster Networking

Kubernetes | Network Model

Admission Control

An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but
after the request is authenticated and authorized.

Admission controllers may be validating, mutating, or both.

 Mutating controllers may modify objects related to the requests they admit
Validating controllers validate the request.

View all admission controllers enabled by default

kubectl exec -it kube-apiserver -n kube-system -- kube-apiserver -h | grep admission-control

To add a new default plugin to the api server updated the manifest. --enable-admission-
plugins=NodeRestriction,AlwaysPullImages,...

Compliance and Security Frameworks

This section makes up 10% of the exam

Compliance Frameworks

CIS | Kubernetes Benchmark

Aqua | Kubernetes CIS Benchmark: Best Practices in Brief

Red Hat | Kubernetes compliance considerations

Threat Modelling Frameworks

Threat Modeling Process

MITRE ATT&CK Framework

OWASP Top Ten
OWASP Kubernetes Top Ten
STRIDE

Supply Chain Compliance

Signing container images allows the source running the container to verify who published it.

Pinning images verifies that the image cannot change without resulting in an issue. A pinned image looks like the following:
gcr.io/kaniko-project/executor:v1.15.0@sha256:6aace7210ad8bf0da4b1aa707a1c0ea962d0e871bb1921504c1a5e690d5f6a2a

Automation and Tooling

Many free 3rd party solution are available to audit clusters, workloads and container images

kube-bench
kubescape
checkov
trivy

Sources
https://github.com/riquetta/KCSA/wiki
https://www.tkng.io/
LinkedIn Learning | Kubernetes and Cloud Security Associate (KCSA) Crash Course
dbi services | Kubernetes Certificates Overview
https://owasp-kstg.netlify.app/

Pages

Home
About
Search
 RSS

Table of Contents
Overview
Study Guide
Overview of Cloud Native Security
The 4Cs of Cloud Native Security
Cloud Provider and Infrastructure Security
Controls and Frameworks
Isolation Techniques
Artifact Repository and Image Security
Workload and Application Code Security
Kubernetes Cluster Component Security
API Server
Controller Manager
Scheduler
Kubelet
Container Runtime
KubeProxy
Pod
Etcd
Container Networking
Client Security
Storage
Kubernetes Security Fundamentals
Pod Security Standards
Pod Security Admission
Authentication
Authorization
Secrets
Isolation and Segmentation
Audit Logging
Network Policy
Kubernetes Threat Model
Kubernetes Trust Boundaries and Data Flow
Persistence
Denial of Service
Malicious Code Execution and Compromised Applications in Containers
Attacker on the Network
Access to Sensitive Data
Privilege Escalation
Platform Security
Supply Chain Security
Image Repository
Observability
Service Mesh
PKI
Connectivity
Admission Control
Compliance and Security Frameworks
Compliance Frameworks
Threat Modelling Frameworks
Supply Chain Compliance
Automation and Tooling
Sources
© 2025 Andrew | Powered by Fuji & Hugo
Compare (0/20)
Clear All