Certified Kubernetes Security Specialist CKS exam tips
Things to keep in mind to clear exam effortlessly.
A simple Helm chart to generate TLS x509 certificates.
The previous post covered generating self-signed certificates with a standalone binary. That was a manual, cumbersome process: generate the certificates with the tool, embed them into a Kubernetes Secret through a Helm chart, and only then use them. There is a better way, and that is what this post covers.
A simple binary to generate TLS x509 certificates.
UPDATE: There is a way to generate these certificates automatically. To find out how, read this post.
A Validating Admission Webhook Server to deny anyone accessing forbidden Kubernetes Secrets!
In the previous post we saw how a user without RBAC access to a Kubernetes Secret can still use a trick to read it. To close that hole we will use a validating admission webhook. Before looking at how this webhook server works, let us understand how Kubernetes handles API requests.
A little trickery and access any Kubernetes Secret!
How to watch the traffic of a container or a pod without exec'ing into the pod/container?
For security reasons, many container deployments now run their workloads in a scratch-based image. This reduces the attack surface: there is no shell in the image, so an attacker who gains code execution in the application has nothing to drop into.
This post shows how you can enable seccomp on all the Pods deployed by the Prometheus Operator.
Seccomp limits the system calls a process inside a container can make, and PodSecurityPolicy is the way to enable it on Pods in Kubernetes. Note that PodSecurityPolicy was removed in Kubernetes v1.25; on current clusters the same is done with the Pod's securityContext.seccompProfile field and Pod Security Admission.
Note on Linux Kernel capabilities
File capabilities let an unprivileged user run a program with specific extra privileges (for example CAP_NET_RAW) without making the binary setuid root. The classic example is the network utility ping.
The easiest way to prove that root inside the container is also root on the host
Here are simple steps you can follow to prove that the root user inside a container is also root on the host, and how to mitigate this.
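One quick, scriptable way to see whether container root is host root is to read the user-namespace mapping in /proc/self/uid_map. The following is an added example, not code from the original post: each line of uid_map is "inside_start outside_start count", and the line `0 0 4294967295` means nothing is remapped, so uid 0 in the container is uid 0 on the host. The two map contents below are constructed for illustration; the remapped one is what you see with userns-remap or rootless containers, which is the mitigation.

```python
"""Added example: decide whether uid 0 inside a container is really uid 0 on the
host by interpreting /proc/self/uid_map (format: inside_start outside_start count).
"""
from pathlib import Path

# Constructed sample map contents (not captured from a real system):
NO_REMAP = "         0          0 4294967295\n"   # default Docker: container root == host root
REMAPPED = "         0     100000      65536\n"   # userns-remap/rootless: container root == host uid 100000


def parse_uid_map(text):
    """Return a list of (inside_start, outside_start, count) tuples, skipping junk lines."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        ranges.append(tuple(int(f) for f in fields))
    return ranges


def host_uid_for(inside_uid, ranges):
    """Map a uid as seen inside the namespace to the host uid.

    Returns None when the uid falls outside every mapped range; such uids show up
    as the kernel overflow uid (normally 65534, 'nobody') on the host.
    """
    for inside_start, outside_start, count in ranges:
        if inside_start <= inside_uid < inside_start + count:
            return outside_start + (inside_uid - inside_start)
    return None


def root_is_host_root(text):
    """True when uid 0 inside maps to uid 0 on the host, i.e. no user namespace remap."""
    return host_uid_for(0, parse_uid_map(text)) == 0


if __name__ == "__main__":
    # Run inside a container to check the process you are actually in.
    current = Path("/proc/self/uid_map").read_text()
    if root_is_host_root(current):
        print("uid 0 here is uid 0 on the host: a breakout would be host root")
    else:
        print("uid 0 here is host uid", host_uid_for(0, parse_uid_map(current)))
```

Run it with `kubectl exec <pod> -- python3 check_uidmap.py` (or copy the logic into a shell one-liner reading the same file). Beyond user namespaces, the simpler mitigation is not to run as root at all: set runAsNonRoot and a non-zero runAsUser in the Pod's securityContext.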
Understanding the seccomp profile json format
A large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. A certain subset of userland applications benefit by having a reduced set of available system calls. The resulting set reduces the total kernel surface exposed to the application. System call filtering is meant for use with those applications. Seccomp filtering provides a means for a process to specify a filter for incoming system calls.
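To make the "reduced set of available system calls" concrete, here is an added example that is not part of the original post: a small resolver for the Docker/OCI-style seccomp profile JSON that Kubernetes loads for a Pod with `securityContext.seccompProfile` of type Localhost. It reads `defaultAction` and the `syscalls` entries and answers "what does this profile do to syscall X?". The profile embedded below is constructed for illustration only and is far too small for a real workload.

```python
"""Added example: resolve the action a Docker/OCI-style seccomp profile applies to a
given syscall. Rules in `syscalls[]` that list the name win; anything not listed
falls back to `defaultAction`. Rules with argument conditions (`args`) are skipped by
this simplified resolver, since they match only on specific argument values.
"""
import json

# Constructed profile for illustration (not a production allowlist).
PROFILE_JSON = """
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {"names": ["read", "write", "exit", "exit_group", "futex", "rt_sigreturn"],
     "action": "SCMP_ACT_ALLOW", "args": []},
    {"names": ["openat", "close", "fstat", "mmap", "munmap", "brk"],
     "action": "SCMP_ACT_ALLOW", "args": []},
    {"names": ["ptrace", "mount", "umount2", "reboot", "kexec_load"],
     "action": "SCMP_ACT_KILL", "args": []}
  ]
}
"""


def load_profile(text):
    """Parse a profile and insist on the one mandatory field, defaultAction."""
    profile = json.loads(text)
    if "defaultAction" not in profile:
        raise ValueError("seccomp profile needs a defaultAction")
    return profile


def action_for(profile, syscall):
    """Return the action for `syscall`: first unconditional rule naming it, else defaultAction."""
    for rule in profile.get("syscalls", []):
        if rule.get("args"):          # argument-conditional rule: not resolvable by name alone
            continue
        if syscall in rule.get("names", []):
            return rule["action"]
    return profile["defaultAction"]


def blocked_syscalls(profile, wanted):
    """Given the syscalls a workload needs, list the ones this profile would not allow."""
    return sorted(s for s in wanted if action_for(profile, s) != "SCMP_ACT_ALLOW")


if __name__ == "__main__":
    profile = load_profile(PROFILE_JSON)
    needed = ["read", "write", "openat", "socket", "connect", "ptrace"]
    print("default action:", profile["defaultAction"])
    print("blocked for this workload:", blocked_syscalls(profile, needed))
```

A default of SCMP_ACT_ERRNO makes an unlisted syscall fail with EPERM instead of killing the process, which is what you want while building an allowlist; switch to a kill action only once the list is known to be complete. Kubernetes places Localhost profiles under the kubelet's seccomp root (by default /var/lib/kubelet/seccomp) on every node that may schedule the Pod.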