[Recap] Day 4 – K8s Upgrade Cluster, AppArmor, Secret & ETCD Encryption [Certified Kubernetes Security Specialist] [CKS]


In this post, I am going to share some quick tips, including Q/A and valuable links from the Day 4 live session of our current batch of Certified Kubernetes Security Specialist [CKS].

Are you also planning to get a Certified Kubernetes Security Specialist [CKS] now, or would you like to do so anytime in the near future?

This series will help you gain a better understanding of Docker and Kubernetes, clear the CKS certification and get a better-paid job.

In the Day 1, Day 2 and Day 3 live sessions of the Certified Kubernetes Security Specialist training program we went through installing the Kubernetes Dashboard and setting permissions on it with RBAC, an introduction to service accounts, Kubernetes Network Policy, creating and securing an Ingress resource, accessing and restricting access to node metadata, the CIS benchmark, and verifying platform binaries, all from scratch. In Day 4 of the training program we covered these topics:

We started with the kernel hardening tools (AppArmor and seccomp) and discussed why they matter in Kubernetes.

Then we went ahead with managing Kubernetes Secrets (creating a Secret, how Secrets are stored in etcd) and introduced why it is an important aspect of Kubernetes security.

↦ Know everything about the CKS Certification

So, here are some of the Q/As asked during the live session, from the Cluster Hardening and Minimize Microservice Vulnerabilities domains.

➪ Upgrade Kubernetes Cluster

Software aging is the most obvious reason for a Kubernetes upgrade. Each release ships security fixes and bug fixes as well as new features, and only the three most recent minor releases receive patches, so a cluster that falls behind stops receiving security fixes at all. Keeping up matters especially when the installed version is already well out of date, or when you want to automate upgrades and always stay on the latest supported version.

The upgrade workflow at a high level is the following:

  • Upgrade the primary control plane node.
  • Upgrade additional control plane nodes.
  • Upgrade worker nodes.

Upgrade one minor version at a time (kubeadm does not support skipping minor versions), and drain each node before upgrading its kubelet and uncordon it afterwards so workloads are rescheduled cleanly.

↦ Read more about How to Upgrade Kubernetes Cluster.

Q-1. What is the correct sequence for updating the control plane manually?

Ans. Manually update the control plane components in the following order:

  • etcd (all instances)
  • kube-apiserver (all control plane hosts)
  • kube-controller-manager
  • kube-scheduler
  • cloud controller manager, if you use one

Only after these are done are the kubelet and kube-proxy upgraded, node by node.
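The procedure above, written out for the first control plane node as an added example (this is not code from the original post). It assumes a kubeadm-managed cluster on Debian/Ubuntu nodes using the pkgs.k8s.io apt repository, a node named `cp-1`, and placeholder version strings; the `check_skew` guard encodes kubeadm's rule that a minor version cannot be skipped, so the script refuses a jump such as 1.28 to 1.30. The node-side commands only run when the script is invoked with `run`.

```shell
#!/bin/sh
# Added example (not from the original post): kubeadm minor-version upgrade of the
# first control-plane node, with a pure-shell guard that refuses to skip a MINOR
# version, which kubeadm does not support. Assumed: kubeadm-managed cluster,
# Debian/Ubuntu nodes using the pkgs.k8s.io apt repository, a node named "cp-1";
# the version strings are placeholders.
set -eu

# minor_of "v1.29.3" -> "1.29": strips a leading "v" and the patch component.
minor_of() {
  v="${1#v}"
  rest="${v#*.}"
  printf '%s.%s\n' "${v%%.*}" "${rest%%.*}"
}

# check_skew CURRENT TARGET: succeeds only when TARGET is the same minor (a patch
# upgrade) or exactly one minor ahead of CURRENT. Prints "ok" or the refusal reason.
check_skew() {
  cur="$(minor_of "$1")"; tgt="$(minor_of "$2")"
  cur_major="${cur%%.*}"; cur_minor="${cur#*.}"
  tgt_major="${tgt%%.*}"; tgt_minor="${tgt#*.}"
  if [ "$cur_major" != "$tgt_major" ]; then
    echo "refuse: major version change $cur -> $tgt"; return 1
  fi
  if [ "$tgt_minor" -lt "$cur_minor" ]; then
    echo "refuse: downgrade $cur -> $tgt"; return 1
  fi
  if [ $((tgt_minor - cur_minor)) -gt 1 ]; then
    echo "refuse: skipping minor versions $cur -> $tgt is not supported by kubeadm"; return 1
  fi
  echo "ok"
}

# Upgrade the first control-plane node, then its kubelet. Only runs when the
# script is invoked with "run", so the guard above can be sourced and tested anywhere.
upgrade_first_control_plane() {
  target="$1"                         # apt package version, e.g. 1.29.3-1.1
  k8s_version="v${target%%-*}"        # e.g. v1.29.3
  current="$(kubeadm version -o short)"
  check_skew "$current" "$k8s_version"

  # 1. kubeadm first: it drives the control-plane component upgrade
  #    (etcd if stacked, kube-apiserver, kube-controller-manager, kube-scheduler).
  sudo apt-mark unhold kubeadm
  sudo apt-get update && sudo apt-get install -y "kubeadm=${target}"
  sudo apt-mark hold kubeadm
  sudo kubeadm upgrade plan
  sudo kubeadm upgrade apply "$k8s_version"

  # 2. Drain the node before touching the kubelet so workloads move off it.
  kubectl drain cp-1 --ignore-daemonsets --delete-emptydir-data

  # 3. kubelet and kubectl last, then restart the kubelet.
  sudo apt-mark unhold kubelet kubectl
  sudo apt-get install -y "kubelet=${target}" "kubectl=${target}"
  sudo apt-mark hold kubelet kubectl
  sudo systemctl daemon-reload && sudo systemctl restart kubelet

  kubectl uncordon cp-1
  kubectl get nodes   # check the VERSION column before moving to the next node
}

# Additional control planes and workers repeat the same steps but run
# `kubeadm upgrade node` instead of `kubeadm upgrade apply`.
if [ "${1:-}" = "run" ]; then
  upgrade_first_control_plane "${2:?usage: $0 run <package-version>}"
fi
```

Run it as `./upgrade.sh run 1.29.3-1.1` on the first control plane node; `check_skew` runs before any package is touched, so a bad target aborts the script before anything changes.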

➪ Create and manage Kubernetes secrets

Secrets are used to hold sensitive data like passwords or keys. They are similar to ConfigMaps, but their values are stored base64-encoded in the data field (not hashed, and not encrypted unless encryption at rest is configured), and the system handles them more carefully, for example the kubelet keeps mounted Secrets in tmpfs rather than writing them to node disk.

There are two steps involved in working with Secrets: first create the Secret, then introduce it into the Pod. Putting confidential data in a Secret is safer and more flexible than putting it in a container image or a Pod definition, because it can be managed and access-controlled independently with RBAC.

To use a Secret, a Pod has to reference it. There are three ways to use a Secret with a Pod:

  • As a file in a volume mounted on one or more of its containers.
  • As a container environment variable.
  • By the kubelet when pulling images for the Pod (imagePullSecrets).

↦ Read more about Secrets.


Q-2. What is a Secret?

Ans. A Secret is an object that contains a small amount of sensitive data such as a password, a token, or a key.

Q-3. What is the difference between a ConfigMap and a Secret?

Ans. ConfigMaps store non-sensitive application configuration in plain text, whereas Secrets are intended for sensitive data such as passwords and tokens. Secret values are base64-encoded in the object, which is encoding, not encryption: anyone who can read the Secret can decode it, so RBAC on the secrets resource and encryption at rest are what actually protect them. Both ConfigMaps and Secrets can be mounted as volumes or exposed as environment variables through the Pod definition file.
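The two steps (create the Secret, consume it in a Pod) and the base64 point from Q-3, as an added example that is not part of the original post. It builds the manifests by hand so that the encoding is visible; the names `db-creds`, `app` and `registry-creds` and the image are placeholders, and `kubectl` is only invoked when the script is run with `apply`.

```shell
#!/bin/sh
# Added example (not from the original post): build a Secret manifest by hand,
# show that its data is only base64-encoded, and consume it in the three ways a
# Pod can. The names db-creds, app, registry-creds and the image are placeholders.
set -eu

# Secret values are base64-encoded in the manifest; base64 is reversible by anyone
# who can read the object (kubectl get secret -o yaml) or the etcd store.
encode_value() { printf '%s' "$1" | base64 | tr -d '\n'; }
decode_value() { printf '%s' "$1" | base64 -d; }

# render_secret NAME KEY VALUE -> Opaque Secret manifest on stdout.
# (Using stringData instead of data lets the API server do the encoding.)
render_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
data:
  $2: $(encode_value "$3")
EOF
}

# render_pod SECRET KEY -> Pod that consumes the Secret as a file, as an env var,
# and (a separate kubernetes.io/dockerconfigjson Secret) for image pulls.
render_pod() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  imagePullSecrets:
  - name: registry-creds            # used by the kubelet when pulling the image
  containers:
  - name: app
    image: registry.example.com/app:1.0
    env:
    - name: DB_PASSWORD               # env var: ends up in the process environment,
      valueFrom:                      # easily leaked through logs and crash dumps
        secretKeyRef:
          name: $1
          key: $2
    volumeMounts:
    - name: creds
      mountPath: /etc/creds
      readOnly: true
  volumes:
  - name: creds
    secret:
      secretName: $1                  # file mount: tmpfs on the node, updated on rotation
      defaultMode: 0400
EOF
}

if [ "${1:-}" = "apply" ]; then
  render_secret db-creds password 'S3cr3t!' | kubectl apply -f -
  render_pod db-creds password | kubectl apply -f -
  # Proof that "encoded" is not "encrypted": anyone allowed to get the Secret reads it.
  kubectl get secret db-creds -o jsonpath='{.data.password}' | base64 -d; echo
fi
```

Prefer the volume mount over the environment variable where the application allows it: a mounted file is refreshed when the Secret is rotated and does not leak through `env` dumps the way a variable does.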


➪ Kernel Hardening tools

AppArmor

AppArmor (“Application Armor”) is a Linux kernel security module that allows the system administrator to restrict programs’ capabilities with per-program profiles. Profiles can allow capabilities like network access, raw socket access, and the permission to read, write, or execute files on matching paths. In Kubernetes a profile is applied per container, and it must already be loaded into the kernel on every node where the Pod may run; a Pod that references a profile the node does not have will not start.

↦ Read more about AppArmor.


Seccomp

Seccomp stands for secure computing mode and has been a feature of the Linux kernel since version 2.6.12. It can be used to sandbox the privileges of a process, restricting the system calls it is able to make from userspace into the kernel. Kubernetes lets you apply seccomp profiles to Pods and containers through securityContext.seccompProfile: RuntimeDefault uses the container runtime’s default profile, and Localhost references a JSON profile file under the kubelet’s seccomp directory (/var/lib/kubelet/seccomp) on the node.

↦ Read more about seccomp.

Q-4. What is AppArmor?

Ans. AppArmor is a Linux kernel security module that supplements the standard Linux user and group-based permissions to confine programs to a limited set of resources. AppArmor can be configured for any application to reduce its potential attack surface and provide defense in depth.

Q-5. What is the difference between AppArmor and seccomp?

Ans.

  • Seccomp restricts which system calls a process can make, so it reduces the kernel attack surface reachable from the container and the chance that a kernel vulnerability can be exploited from it.
  • AppArmor is a mandatory access control layer: it prevents an application from accessing files (and capabilities or network resources) that its profile does not grant.
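Both tools side by side, as an added example that is not part of the original post: an AppArmor profile that denies every file write, a seccomp profile that blocks a handful of dangerous syscalls, and a Pod that applies both. The profile names `k8s-deny-write` and `deny-dangerous.json`, the Pod name and the image are placeholders; the node-side commands (writing into `/etc/apparmor.d` and `/var/lib/kubelet/seccomp`, running `apparmor_parser`) only execute when the script is invoked with `load` as root on a node.

```shell
#!/bin/sh
# Added example (not from the original post): an AppArmor profile that denies all
# file writes, a seccomp profile that blocks dangerous syscalls, and a Pod that
# applies both. Profile names, pod name and image are placeholders; node-side
# commands run only with "load".
set -eu

# AppArmor profile: must be loaded with apparmor_parser on every node that may
# run the Pod. write_apparmor_profile DIR writes it and prints the file path.
write_apparmor_profile() {
  cat > "$1/k8s-deny-write" <<'EOF'
#include <tunables/global>

profile k8s-deny-write flags=(attach_disconnected) {
  #include <abstractions/base>

  file,

  # Deny all file writes; reads and execution stay allowed.
  deny /** w,
}
EOF
  echo "$1/k8s-deny-write"
}

# Seccomp profile: a deny list is the easy starting point; an allow list built
# from SCMP_ACT_LOG audit data with defaultAction SCMP_ACT_ERRNO is the stronger
# end state. write_seccomp_profile DIR writes it and prints the file path.
write_seccomp_profile() {
  cat > "$1/deny-dangerous.json" <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {
      "names": ["ptrace", "mount", "umount2", "unshare", "setns", "reboot",
                "kexec_load", "kexec_file_load", "init_module", "finit_module",
                "delete_module", "swapon", "swapoff"],
      "action": "SCMP_ACT_ERRNO"
    }
  ]
}
EOF
  echo "$1/deny-dangerous.json"
}

# Pod using both. The seccomp path is relative to the kubelet seccomp root
# (/var/lib/kubelet/seccomp). The appArmorProfile field needs Kubernetes 1.30+;
# older clusters use the annotation
#   container.apparmor.security.beta.kubernetes.io/app: localhost/k8s-deny-write
render_hardened_pod() {
  cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: hardened
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: profiles/deny-dangerous.json
  containers:
  - name: app
    image: busybox:1.36
    command: ["sleep", "3600"]
    securityContext:
      appArmorProfile:
        type: Localhost
        localhostProfile: k8s-deny-write
      allowPrivilegeEscalation: false
EOF
}

if [ "${1:-}" = "load" ]; then
  # Run as root on each node, then apply the Pod from a client.
  mkdir -p /var/lib/kubelet/seccomp/profiles
  write_seccomp_profile /var/lib/kubelet/seccomp/profiles
  apparmor_parser -r "$(write_apparmor_profile /etc/apparmor.d)"
  render_hardened_pod | kubectl apply -f -
  # Once the Pod is Running: the write fails with "Permission denied" (AppArmor)
  # and unshare fails with "Operation not permitted" (seccomp ERRNO).
  kubectl exec hardened -- sh -c 'touch /tmp/x; unshare -r true'
fi
```

The two checks at the end are the practical difference from Q-5 made visible: the AppArmor denial shows up as a path-level permission error, the seccomp denial as a refused syscall regardless of which path or file is involved.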

➪ ETCD Encryption

Etcd plays a very important role in hosting Kubernetes-related data and may contain sensitive information such as access credentials and private keys associated with digital certificates. These credentials are targets for attackers and should always be protected.

Compromised or stolen credentials are a leading cause of successful data breaches. They can also be used to impersonate legitimate entities or to create rogue certificates to access application data and spread malware.

Traditionally this sensitive and crucial data was not stored in a centralized manner and was owned by established teams responsible for data protection. In Kubernetes, however, all of it ends up in etcd, and by default Secrets are written there base64-encoded but unencrypted, so anyone who can read etcd directly or obtain an etcd backup can read every Secret. Because of this it is important to enable encryption at rest, which Kubernetes implements in the kube-apiserver through an EncryptionConfiguration that encrypts selected resources before they are written to etcd. Restricting and TLS-protecting access to etcd itself remains necessary, since the keys for the built-in providers live on the control plane host.
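Enabling encryption at rest for Secrets, as an added example that is not part of the original post. It generates a key, renders the EncryptionConfiguration, and verifies through etcdctl that a Secret is stored as ciphertext. Paths (`/etc/kubernetes/enc/enc.yaml`, the etcd PKI files under `/etc/kubernetes/pki/etcd`) follow kubeadm defaults, the Secret name `db-creds` is a placeholder, and the control plane commands only run when the script is invoked with `enable` or `verify` as root on a control plane node.

```shell
#!/bin/sh
# Added example (not from the original post): generate a key, render an
# EncryptionConfiguration for kube-apiserver, and verify that Secrets in etcd are
# now ciphertext. Paths follow kubeadm defaults; db-creds is a placeholder name.
set -eu

# 32 random bytes, base64-encoded: the key size aescbc expects.
gen_key() { head -c 32 /dev/urandom | base64 | tr -d '\n'; }

# Providers are tried in order for reads; the first one is used for writes.
# Keeping identity last lets the apiserver still read data written before
# encryption was enabled; remove it once every Secret has been rewritten.
render_encryption_config() {
  cat <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: $1
      - identity: {}
EOF
}

# Read a raw key from etcd with the kubeadm-generated server certificate.
etcdctl_get() {
  ETCDCTL_API=3 etcdctl \
    --cacert=/etc/kubernetes/pki/etcd/ca.crt \
    --cert=/etc/kubernetes/pki/etcd/server.crt \
    --key=/etc/kubernetes/pki/etcd/server.key \
    get "$1"
}

case "${1:-}" in
  enable)
    # The key lives on the control-plane host, so the file must be root-only.
    mkdir -p /etc/kubernetes/enc
    render_encryption_config "$(gen_key)" > /etc/kubernetes/enc/enc.yaml
    chmod 0600 /etc/kubernetes/enc/enc.yaml
    cat <<'EOF'
Now add to /etc/kubernetes/manifests/kube-apiserver.yaml:
  - --encryption-provider-config=/etc/kubernetes/enc/enc.yaml
plus a hostPath volume for /etc/kubernetes/enc mounted read-only at the same
path. The kubelet restarts the static pod once the manifest is saved.
EOF
    ;;
  verify)
    # Secrets written before the change stay plaintext until rewritten.
    kubectl get secrets --all-namespaces -o json | kubectl replace -f -
    # An encrypted value starts with k8s:enc:aescbc:v1:key1: instead of readable JSON.
    etcdctl_get /registry/secrets/default/db-creds | hexdump -C | head -n 4
    ;;
esac
```

The `identity: {}` entry is what makes the rollout safe: with it in place the apiserver can still read old plaintext entries, and the `kubectl replace` pass in `verify` re-saves every Secret through the new first provider so that nothing plaintext is left behind. Since the aescbc key sits unencrypted on the control plane host, a KMS provider is the stronger choice where one is available.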

Quiz Time!

With our Certified Kubernetes Security Specialist [CKS] training program, we cover real exam questions to help you prepare for the CKS certification.

Check out this simple question and see if you can crack it…

Ques: The US Government does not provide security information from multiple agencies. True or False?

A. True

B. False

The right answer will be revealed in my next week’s email.

Here is the answer to the question shared last week.

Ques: If Ingress is declared in a NetworkPolicy’s policyTypes but no ingress rules are given, then:

A. All ingress is allowed

B. No ingress is allowed

C. It is not parsed by the API server

Correct Answer: B

Explanation:

You can create a “default” isolation policy for a namespace by creating a NetworkPolicy that selects all pods (an empty podSelector) but lists no ingress rules: the selected pods become isolated for ingress, and since nothing is allowed, all ingress traffic to them is denied.

Feedback

We always work on improving and being the best version of ourselves compared to the previous session, hence we constantly ask for feedback from our attendees.



Next Task For You

Begin your journey towards becoming a Certified Kubernetes Security Specialist [CKS] by joining our FREE CLASS. You will also learn more about the roles and responsibilities and job opportunities for K8s security specialists in the market.


mike

I started my IT career in 2000 as an Oracle DBA/Apps DBA. The first few years were tough (<$100/month), with very little growth. In 2004, I moved to the UK. After working really hard, I landed a job that paid me £2700 per month. In February 2005, I saw a job that was £450 per day, which was nearly 4 times my salary at the time.