@pyaillet
Last active December 29, 2022 10:00
CKS Tasks
  • Check certificates
    • /etc/kubernetes/pki
    • openssl x509 -in <certificate.crt> -noout -text
    • kubeadm certs renew all
  • Check PID Namespace isolation
    • v1.PodSpec.shareProcessNamespace: true
  • Use Network policies
    • Default deny ingress
    • Default deny egress
    • frontend to backend
    • backend to database
  • Dashboard usage
    • Install dashboard
    • Outside insecure access
    • RBAC for the dashboard
  • Secure ingress
    • Create Ingress
    • Secure Ingress
    • Check curl for custom resolution
  • Protect node metadata
    • Access node metadata
    • Protect node metadata via NetworkPolicy
  • Use CIS Benchmark
    • Access and use CIS Benchmark doc
    • Launch and use kube-bench
  • Verify platform binaries
    • Check kubectl
    • Check kubeadm
    • Check kube-apiserver
  • Use RBAC
    • Create Role and RoleBinding
    • Create ClusterRole and ClusterRoleBinding
    • Account and users
    • Create CertificateSigningRequest for users
  • Hardening SA Usage
    • Create a Pod with a custom ServiceAccount
    • Disable ServiceAccount mounting
    • Limit ServiceAccount using RBAC
  • Restrict API Access
    • Restrict anonymous access
    • Remove insecure access
    • Forge a manual API Request with curl
    • Access API Server from outside
    • Activate NodeRestriction admission controller
    • Check NodeRestriction
  • Upgrade Kubernetes
  • Application hardening: secrets
    • Use k8s secrets
    • Activate etcd encryption
  • Container runtime sandboxes
    • Use strace in a container
    • Use crictl
    • Install runtime gvisor
    • Use sandbox runtime gvisor
    • ?Experiment runtime katacontainers
  • Security contexts
    • Set container user and group
    • Force container non-root
    • Create and test privileged container
    • Disable privilege escalation
    • PodSecurityPolicy?
  • mTLS
    • Create a proxy sidecar with NET_ADMIN
  • Open Policy Agent
    • Install OPA
    • Deny all policy
    • Enforce Namespace labels
    • Enforce Deployment replicas count
    • ?Rego playground
  • Build secure images
    • Multi-stage builds
    • Fix versions
    • Use non-root user
    • Readonly FS
    • Remove shell access
  • Supply chain security: descriptors
    • Kubesec
    • OPA Conftest k8s yaml
    • OPA Conftest Dockerfile
  • Image vulnerability scanning
    • Trivy
    • Clair
  • Supply chain security: Images
    • Use image digest rather than tag
    • Whitelist registries with OPA
    • Setup ImagePolicyWebhook
  • Behavior analytics
    • Install Falco
    • Use Falco to find malicious processes
    • Update falco rules
  • Container immutability
    • Use an initContainer if root actions are needed on startup
    • Readonly FS with SecurityContext
  • API Audit
    • Enable Audit logging in API Server
    • Use audit logging
    • Create advanced audit policy
    • Investigate API Access history
  • Kernel Hardening tools
    • Use AppArmor
    • Use Seccomp
  • System hardening
    • Disable and stop useless systemd services
    • Disable applications listening on the host
    • Investigate Linux Users
    • (Outside training) Use LinEnum