Author: Benjamin Muschko
Publisher: O’Reilly Media, Inc.
Year: 2023
Pages: 329
Language: English
Format: pdf, epub, mobi
Size: 12.7 MB
Vulnerabilities in software and IT infrastructure pose a major threat to organizations. In response, the Cloud Native Computing Foundation (CNCF) developed the Certified Kubernetes Security Specialist (CKS) certification to verify an administrator's proficiency to protect Kubernetes clusters and the cloud native software they contain. This practical book helps you fully prepare for the certification exam by walking you through all of the topics covered.
Different from typical multiple-choice formats used by other certifications, this performance-based exam requires deep knowledge of the tasks it covers under intense time pressure. If you want to pass the CKS exam on the first go, author Benjamin Muschko shares his personal experience to help you learn the objectives, abilities, and tips and tricks you need to pass on the first attempt.
The Kubernetes certification program has been around for more than five years now. Security aspects have become more and more important, also in the Kubernetes world. Recently, the Certified Kubernetes Security Specialist (CKS) has been added to the certification track to address that need. Security can have different facets, and the way you address those concerns can be very diverse. That’s where the Kubernetes ecosystem comes into play. Apart from Kubernetes’ built-in security features, many tools have evolved that help with identifying and fixing security risks. As a Kubernetes administrator, you need to be familiar with the wide range of concepts and tools to harden your clusters and applications.
Container security starts with the base image. You need to be aware of the best practices for building container images that minimize the risk of introducing security vulnerabilities from the get-go. Optimally, you will only want to allow pulling trusted container images from an organization-internal container registry that has already scanned the image for vulnerabilities before it is used. Allowing only those registries is paramount and will be one of the topics important to this domain. Tools like Trivy can help with the task of scanning images for vulnerabilities and are listed as a requirement to pass the exam.
The process of building and scanning a container image can be incorporated into a CI/CD pipeline. Third-party tools can parse and analyze the resource files of your deployable artifacts even before you build them. We looked at Haskell Dockerfile Linter for Dockerfiles and Kubesec for Kubernetes manifests. The other use case that needs to be covered from a security standpoint is consuming an existing container image built by an entity external to you as a developer or to your company. Before running a container image in a Kubernetes Pod, make sure to scan its contents for vulnerabilities. Trivy is one of those tools that can identify and report vulnerabilities in a container image, giving you an idea of the security risks you are exposing yourself to if you plan to run it in a container. Haskell Dockerfile Linter, called hadolint for short, is a linter for Dockerfiles. The tool inspects a Dockerfile against the best practices listed on the Docker documentation page. Example 6-12 shows an unoptimized Dockerfile for building a container image running a Go-based application.
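As an added illustration (constructed here, not the book's Example 6-12), the following Dockerfile for a Go application applies the hadolint best practices mentioned above, with comments naming the unoptimized pattern each line replaces; the module layout (`./cmd/app`) and binary name are assumptions.

```dockerfile
# Added example: a hardened multi-stage Dockerfile for a Go service.
# The unoptimized version it replaces (constructed, not from the book) looked like:
#   FROM golang
#   ADD . /src
#   RUN cd /src && go build -o /app .
#   CMD ["/app"]
# That image runs as root, pulls a floating base tag, and ships the entire Go
# toolchain, so a Trivy scan reports every CVE in that toolchain as exposure.

# Stage 1: build.
# Pin the base image tag instead of the floating 'latest' (hadolint DL3006/DL3007).
FROM golang:1.21-alpine AS build

# Use WORKDIR rather than 'cd' inside RUN (hadolint DL3003).
WORKDIR /src

# Copy only the module files first so dependency download is cached separately.
# Use COPY instead of ADD (hadolint DL3020): ADD silently unpacks archives and
# fetches remote URLs, which is rarely what you want in a build.
COPY go.mod go.sum ./
RUN go mod download

COPY . .
# Build a static binary so the runtime stage needs no libc, shell, or toolchain.
# Assumption: the main package lives under ./cmd/app.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app

# Stage 2: runtime.
# A distroless static base has no package manager or shell, so the image
# contains only the binary and what Trivy scans is correspondingly small.
FROM gcr.io/distroless/static-debian12:nonroot

COPY --from=build /out/app /app

# Do not finish as root (hadolint DL3002); the ':nonroot' tag already defines
# this user, stated explicitly here so the intent survives a base-image change.
USER nonroot:nonroot

EXPOSE 8080
ENTRYPOINT ["/app"]
```

Running hadolint over the "before" lines in the header comment reports the DL3006/DL3007, DL3020, DL3003 and DL3002 findings named above, while the hardened file passes clean.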
Identify, mitigate, and/or minimize threats to cloud native applications and Kubernetes clusters
Learn the ins and outs of Kubernetes's security features, and external tools for security detection and mitigation purposes
Demonstrate competency to perform the responsibilities of a Kubernetes administrator or application developer with a security viewpoint
Solve real-world Kubernetes problems in a hands-on, command-line environment
Effectively navigate and solve questions during the CKS exam
Who This Book Is For
This book is for anyone who has already passed the CKA exam and wants to broaden their knowledge in the realm of security. Given that you need to pass the CKA exam before signing up for the CKS, you should already be familiar with the format of the exam questions and environment. Chapter 1 only briefly recaps the general aspects of the exam curriculum, but it highlights the information specific to the CKS exam. If you have not taken the CKA exam yet, I recommend taking a step back and reading the Certified Kubernetes Administrator (CKA) Study Guide (O’Reilly). That book will provide you with the foundation you need to get started with the CKS.
Download Certified Kubernetes Security Specialist (CKS) Study Guide (Final Release)