@Nurlan199206
Last active July 24, 2023 16:51
CKS-1.27 cheatsheet
https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
https://www.cisecurity.org/cis-benchmarks
https://training.linuxfoundation.org/certification/certified-kubernetes-security-specialist/
https://kubernetes.io/docs/tutorials/security/seccomp/
https://kubernetes.io/docs/tutorials/security/seccomp/#create-a-pod-with-a-seccomp-profile-for-syscall-auditing
https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#define-container-environment-variables-using-secret-data
https://kubernetes.io/docs/concepts/containers/runtime-class/
seccomp - ПОВТОРИТЬ!
AppArmor - ПОВТОРИТЬ!
==============================================CIS-CAT===================================================
cd /root/Assessor
sh ./Assessor-CLI.sh -i -rd /var/www/html/ -nts -rp index
===============================================kube-bench===============================================
./kube-bench --config-dir `pwd`/cfg --config `pwd`/cfg/config.yaml
===============================================ServiceAccount=====================================================
kubectl create token dashboard-sa
kubectl certificate approve akshay
kubectl certificate deny agent-smith
===============================================Contexts=====================================================
kubectl config --kubeconfig=/root/my-kube-config use-context research
kubectl config --kubeconfig=/root/my-kube-config current-context
kubectl proxy &
kubectl port-forward deploy/nginx 8005:80
kubectl proxy - Opens proxy port to API server
kubectl port-forward - Opens port to target deployment pods
===============================================RBAC=====================================================
/var/rbac
kubectl describe pod kube-apiserver-controlplane -n kube-system - проверить флаг --authorization-mode в команде apiserver
kubectl get roles -A --no-headers | wc -l
kubectl describe role kube-proxy -n kube-system
kubectl describe rolebinding kube-proxy -n kube-system - проверить биндинг которые привязаны к роли
kubectl get pods --as dev-user
kubectl create role dev-user --verb=list,create,delete --resource=pods --namespace=default
kubectl create rolebinding dev-user-binding --role=developer --user=dev-user --namespace=default
kubectl get clusterrole -A --no-headers | wc -l - кол-во кластерролей
kubectl get clusterrolebindings -A --no-headers | wc -l
kubectl describe clusterrolebinding cluster-admin
===========================================clusterrole====================================================
kubectl create clusterrole node-admin --verb=get,watch,list,create,delete --resource=nodes
kubectl create clusterrolebinding michelle-binding --user=michelle --clusterrole=node-admin
kubectl create clusterrolebinding michelle-strage-admin --user-michelle --clusterrole=storage-admin - mistyped attempt (missing "=" after --user, "strage"); corrected on the next line
kubectl create clusterrolebinding michelle-storage-admin --user=michelle --clusterrole=storage-admin
===========================================kubelet========================================================
/var/lib/kubelet/config.yaml - kubelet config
===============================================SYSTEM HARDENING===========================================
/var/lib/kubelet/seccomp/profiles/ - seccomp profiles location
sha512sum kubernetes.tar.gz - проверить контрольные суммы файла
useradd -d /opt/sam -s /bin/bash -G admin -u 2328 sam
netstat -an | grep -w LISTEN
===============================================UFW========================================================
ufw allow from 192.168.1.15 to any port 22 proto tcp
ufw allow from 192.168.1.0/24 to any port 22 proto tcp
ufw allow 1000:2000/tcp - allow port range 1000-2000
ufw reset
ufw allow 22 - allow 22 port
ufw deny 80
ufw disable
==================================================Tracee====================================================================
kubectl logs -f `kubectl get pods -l=io.kompose.service=tracee -o custom-columns=":metadata.name" --no-headers`
===============================================AppArmor====================================================
aa-status
aa-genprof /root/test.sh
apparmor_parser -q /etc/apparmor.d/usr.sbin.nginx - загрузить профиль apparmor
==================================================Admission Controller====================================================================
Which admission controller is not enabled by default? - NamespaceAutoProvision
kube-apiserver -h | grep enable-admission-plugins
ps -ef | grep kube-apiserver | grep admission-plugins
#example of admission controller
cat /etc/kubernetes/manifests/kube-apiserver.yaml
- --enable-admission-plugins=NodeRestriction,NamespaceAutoProvision
- --disable-admission-plugins=DefaultStorageClass
====================================================Runtime Classes=======================================================================
kubectl get runtimeclasses -A
kubectl describe runtimeclasses gvisor | grep Handler
kubectl describe runtimeclasses kata-containers | grep Handler
====================================================kubesec===============================================================================
wget https://github.com/controlplaneio/kubesec/releases/download/v2.11.0/kubesec_linux_amd64.tar.gz - verify the downloaded archive checksum (sha512sum, see SYSTEM HARDENING) before extracting
kubesec scan pod.yaml
====================================================trivy=================================================================================
trivy image nginx:1.18.0
trivy image python:3.6.12-alpine3.11 --severity=HIGH > /root/python.txt
trivy image --input alpine.tar --format json --output /root/alpine.json - scan tar archive
==================================================falco============================================================
kill -1 $(cat /var/run/falco.pid) - send SIGHUP to restart falco without restarting the falco service