Kubernetes and Cloud Native Security Associate (KCSA) preparation

15 October 2024 // Henrik Starefors

Not long ago, I passed the KCSA(Kubernetes Cloud Native Security Associate) Exam, and thought that I could share some pointers about my experience in this post.

As you might expect, the KCSA exam is primarily focused on Kubernetes and its role in securing your cluster. However, it also delves into topics such as managing your cloud platform, containers, and the code they run.

Since it’s an Associate certificate, the topics are more focused on breadth instead of depth. This is great for those who want to dip their toes into IT security, want a clearer picture of the problem space, and maybe even as a first step toward a more focused effort in the world of security.

This exam was a great way to broaden my security perspective, get a clearer picture, and increase the size of the known-knowns in my knowledge sphere of security.

While optional, a basic understanding of Kubernetes and familiarity with cloud development and Linux computers make understanding the different areas tested easier.

The exam itself is remotely proctored, meaning it doesn’t require a dedicated test center, so it can be taken at home. It consists of 60 multiple-choice questions over a 90-minute duration, so all you need to take the exam is a stable network and a provided test browser.

With that said, let’s do a quick overview of the different areas and see what they contain and if they’re useful to you.

Cloud Native Security (14% of the exam )

In order to pass the KCSA, it’s important to be comfortable with the basics of cloud-native security. A good first step is to examine the concept of “the 4 C’s” (Cloud, Cluster, Container, Code).

Each of the 4 Cs layers comes with its own security risks and attack surfaces that we need to be aware of and know how to counter. The layers talk about security from top to bottom, how to secure our cloud infrastructure, the Kubernetes cluster we manage, the containers we deploy, and the code we run inside them.

These layers will also be the foundation that supports the rest of the know-how the exam tests, so to build up our foundation, we start with the following topics.

• The 4Cs of Cloud Native Security
  • Kubernetes Security
  • 4Cs
• Cloud Provider and Infrastructure Security
  • AWS
  • GCP
  • Azure
• Controls and Frameworks
  • OWASP
  • CIS
• Isolation Techniques
  • Namespaces
  • Pod-Security-Standards
  • Network-Policies
• Artifact Repository and Image Security
  • Image
  • Repository
• Workload and Application Code Security
  • Workload
  • RuntimeClass

Example questions:

In the context of cloud native security, what does “shift left” refer to?

• a) Moving security considerations earlier in the development process
• b) Prioritizing left-to-right data flow in network security
• c) Shifting security responsibilities to left-hand side team members
• d) Implementing security measures only in production environments

Which of the following is NOT a key principle of cloud native security?

• a) Defense in depth
• b) Least privilege
• c) Immutability
• d) Centralized management

Kubernetes Cluster Component Security (22% of exam)

While the first section paints with broad strokes, we will now pull out our magnifying glass and look closer at the components inside Kubernetes itself and how the various elements are utilized from a security point of view.

Given that this section, along with the subsequent Wing K8s security foundation, accounts for a significant 44% of the exam, it demands some extra time and effort.

While you don’t have to know every detail of every component, make sure you understand the responsibility of the different parts and how they integrate with each other for different flows in the cluster. Who assigns new pods to a suitable Node? (Scheduler). Who can validate an external delete request? (API server), and so on. The components the exam covers are:

The different components we need to know:

• Control Plane Components
  • API Server
  • Etcd
  • Scheduler
  • Controller Manager
• Node Components
  • Kubelet
  • Container Runtime
  • KubeProxy
  • Pod
• Cluster Components
  • Container Networking
  • Client Security
  • Storage

Example questions:

Which Kubernetes component is responsible for scheduling pods on nodes?

• a) kubelet
• b) kube-proxy
• c) kube-scheduler
• d) etcd Correct answer:

What is the primary function of etcd in a Kubernetes cluster?

• a) Managing network policies
• b) Storing the cluster’s configuration data
• c) Scheduling pods
• d) Load balancing incoming traffic

Kubernetes Security Fundamentals (22% of exam)

Now that we have a good grasp of Kubernetes’s components, this section will test your knowledge of how to secure these components and our cluster in a broader sense.

How can we implement proper access controls and secure our configuration and sensitive data?

What does it mean when we speak about the different pod security standards, and when should we enforce the Privileged, Baseline, or Restricted standard?

This section, while still within the Kubernetes scope, examines the cluster as a whole instead of each individual component.

The concepts to read up on for this domain are:

• Pod Security Standards
• Pod Security Admissions
• Authentication
• Authorization
• Secrets
• Isolation and Segmentation
• Audit Logging
• Network Policy

Example questions:

Which Kubernetes object is used to define fine-grained access controls?

• a) NetworkPolicy
• b) SecurityContext
• c) Role
• d) PodSecurityPolicy

What is the purpose of a ServiceAccount in Kubernetes?

• a) To authenticate and authorize API requests from pods
• b) To manage user accounts for cluster administrators
• c) To provide SSH access to worker nodes
• d) To encrypt communication between cluster components

Kubernetes Threat Model (16% of exam)

The Kubernetes Threat Model section focuses on understanding potential security risks and implementing measures to mitigate them. It covers various aspects of securing Kubernetes and our surrounding environment against threats.

Threat modeling is about being proactive and predictive, understanding the different attack surfaces of our system and trying to anticipate what a bad actor could use as leverage during an attack.

We can find some reading material for Kubernetes threat modeling in the following areas:

• Kubernetes Trust Boundaries and Data Flow
• Persistence
• Denial of Service
• Malicious Code Execution and Compromised Applications in Containers
• Attacker on the Network
• Access to Sensitive Data
• Privilege Escalation

Example questions:

Which of the following is considered an internal threat to a Kubernetes cluster?

• a) DDoS attacks
• b) Malicious container images
• c) Network scanning
• d) Phishing attempts

In the context of Kubernetes threat modeling, what does “blast radius” refer to?

• a) The physical area affected by a hardware failure
• b) The extent of potential damage from a security breach
• c) The coverage area of cluster monitoring tools
• d) The maximum number of pods that can run on a single node

Platform Security (16% of exam)

Here we are, nearing the end. After digging around in the cluster itself, this domain will instead focus on the surrounding platform and systems.

A secure cluster is all well and good, but it will do us no good if the platform it runs on is wide open to attackers or if the code and containers we deploy are full of malicious code and exploits. This section talks about how we can trust our different integration points to our cluster, feel confident in the code we run, and hopefully sleep well at night, knowing no bad actors are rooting around in our environment.

This Domain covers:

• Supply Chain Security
• Image Repository
• Observability
• Service Mesh
• PKI
• Connectivity
• Admission Control

Example questions:

Which of the following is NOT typically considered part of platform security in a Kubernetes environment?

• a) Node hardening
• b) Network segmentation
• c) Application code review
• d) Container runtime security

What is the purpose of using a container-specific operating system in a Kubernetes environment?

• a) To provide a full desktop environment for developers
• b) To reduce the attack surface and improve security
• c) To enable legacy applications to run in containers
• d) To increase the number of available system utilities

Compliance and Security Frameworks (10% of exam)

Last, and also least in terms of weight: Frameworks.

The frameworks covered in this domain are essential in setting up and maintaining the best practices and standards of the security industry, ensuring we are covering our bases and keeping up with an ever-evolving field of security safeguarding.

For the purpose of this exam, it’s important to be familiar with certain frameworks, such as NIST, OWASP, STRIDE, and GDPR. Similarly, understanding the role of tools like Falco, Aqua, and Gvisor in automating our checklists and compliance validation is crucial.

While the exam doesn’t require us to know every detail of every tool mentioned, a general understanding of the landscape and which tool to apply to different situations will be part of it.

So for the final domain, we cover the following topics:

• Compliance Frameworks
  • CIS Benc(hmark
  • PCI DSS
  • NIST
• Threat Modelling Frameworks
  • MITRE ATT&CK
  • STRIDE
• Supply Chain Compliance
  • CNCF
• Automation and Tooling
  • OPA
  • Kubernetes Operators

Example questions:

Which of the following is NOT a common compliance framework relevant to Kubernetes environments?

• a) GDPR
• b) PCI DSS
• c) HIPAA
• d) KUBECTL

What is the primary purpose of the CIS Kubernetes Benchmark?

• a) To provide guidelines for securing Kubernetes clusters
• b) To certify Kubernetes administrators
• c) To test the performance of Kubernetes clusters
• d) To standardize Kubernetes API definitions

Preparations

So, what does it take to pass the exam?

In terms of preparations, I would say that reading through the official documentation and understanding the different domains and topics listed will already get you 80% of the way.

If you, like me, prefer moving pictures, following a video course like KodeCloud together with some reading will undoubtedly set you up for success.

And lastly, the preparation icing on the exam cake - go through a couple of practice exams - My choice was an exam prep course from Udemy (which is no longer available, replaced with newer versions). The questions from here matched the real exam quite well, indicating how well I had mastered the material.

To pass the KCSA exam, you must dedicate a little over a week’s work. I paced my study time out over around a month, doing around an hour of work every other day or so, and in the end, I was fairly certain of my ability to pass.

Hopefully, this has given you a sense of what a KCSA exam entails and whether it’s something worth looking into for yourself.

And if you do decide to take the exam, I wish you good luck and have fun.

practice questions:

Which Kubernetes feature helps in implementing the principle of least privilege for pods?

• a) ResourceQuota
• b) NetworkPolicy
• c) RBAC
• d) Taints and Tolerations

What is the recommended way to handle secrets in a Kubernetes environment?

• a) Store them as environment variables in pod specifications
• b) Use Kubernetes Secrets and integrate with external secret management systems
• c) Hardcode them in application code for easy access
• d) Store them in ConfigMaps with base64 encoding

Which component is responsible for enforcing network policies in a Kubernetes cluster?

• a) kube-proxy
• b) CoreDNS
• c) Container Network Interface (CNI) plugin
• d) kubelet

What is the purpose of Pod Security Standards in Kubernetes?

• a) To encrypt communication between pods
• b) To define security configurations for pods
• c) To authenticate pods to the API server
• d) To scan pods for vulnerabilities

In the context of Kubernetes security, what does “4C’s” refer to? a) Cloud, Clusters, Containers, and Code b) Compute, Connectivity, Control, and Compliance c) Configuration, Credentials, Cryptography, and Continuity d) Create, Configure, Commit, and Control

Which of the following is a best practice for securing a Kubernetes cluster?

• a) Running all containers as root
• b) Disabling RBAC for easier management
• c) Regularly updating and patching all components
• d) Using the same credentials for all service accounts

What is the primary purpose of Open Policy Agent (OPA) in a Kubernetes environment?

• a) To provide a web-based dashboard for cluster management
• b) To enforce custom policies across the cluster
• c) To automatically scale the number of worker nodes
• d) To generate detailed logs of all cluster activities

Which of the following is NOT a typical responsibility of a Container Runtime Interface (CRI) implementation?

• a) Creating containers
• b) Managing container lifecycles
• c) Allocating IP addresses to pods
• d) Setting up container namespaces

What is the purpose of using admission controllers in Kubernetes?

• a) To authenticate users to the cluster
• b) To intercept and potentially modify requests to the API server
• c) To schedule pods on appropriate nodes
• d) To manage network traffic between pods

Which of the following tools is commonly used for scanning container images for vulnerabilities?

• a) kubectl
• b) kubeadm
• c) Trivy
• d) Helm

All the pictures, and example questions in this post has been generated using AI