Security Concepts Flashcards
Quick reference flashcards for Kubernetes security concepts (KCSA/CKS).
RBAC
Q: What are the four RBAC resources?
Answer
- **Role** - Namespace-scoped permissions
- **ClusterRole** - Cluster-scoped permissions; also the only way to grant cluster-scoped resources (nodes, namespaces) and non-resource URLs
- **RoleBinding** - Binds a Role, or a ClusterRole, to subjects within one namespace; binding a ClusterRole this way grants its rules only inside that namespace
- **ClusterRoleBinding** - Binds a ClusterRole to subjects across the whole cluster
Q: What are RBAC subjects?
Answer
- **User** - Human or external identity; not a Kubernetes object, it is asserted by the authenticator (client certificates, OIDC, tokens)
- **Group** - Set of users, also asserted by the authenticator (e.g. `system:masters`, `system:serviceaccounts`)
- **ServiceAccount** - Pod identity, a namespaced Kubernetes object, seen by RBAC as the user `system:serviceaccount:<namespace>:<name>`
Q: What verbs are available in RBAC?
Answer
- get, list, watch (read)
- create, update, patch, delete (write)
- deletecollection
- use (for PodSecurityPolicies; PSP was removed in Kubernetes v1.25)
- bind, escalate (on roles/clusterroles; they let a subject grant permissions it does not itself hold, bypassing RBAC's escalation prevention, so treat them like admin)
- impersonate (on users, groups and serviceaccounts)
RBAC is purely additive: there are no deny rules, so a request is allowed if any bound role grants the verb and denied otherwise.
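To make the scoping rules concrete, here is an added RBAC decision simulator (example code, not the Kubernetes authorizer). It models rules and bindings as plain dicts and shows that a ClusterRole bound with a RoleBinding only works in that one namespace, while the same ClusterRole bound with a ClusterRoleBinding works everywhere. The cluster state (`ROLES`, `BINDINGS`) is constructed for the example; aggregation, non-resource URLs and label selectors are left out, and a ServiceAccount subject is written as its full `system:serviceaccount:...` user name for simplicity.

```python
"""RBAC decision simulator (added example, not the Kubernetes authorizer).

Assumptions: only apiGroups/resources/verbs/resourceNames are modelled;
ServiceAccount subjects are given as their full "system:serviceaccount:<ns>:<name>" user name.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    api_groups: set                                   # "" is the core group, "*" matches any
    resources: set
    verbs: set
    resource_names: set = field(default_factory=set)  # empty = any object of that resource

    def matches(self, req):
        def ok(allowed, value):
            return "*" in allowed or value in allowed
        if not (ok(self.api_groups, req["apiGroup"]) and ok(self.resources, req["resource"])
                and ok(self.verbs, req["verb"])):
            return False
        # resourceNames narrows a rule to named objects; list/create carry no name, so they never match
        return not self.resource_names or req.get("name") in self.resource_names


def _subject_matches(subjects, req):
    for kind, name in subjects:
        if kind in ("User", "ServiceAccount") and name == req["user"]:
            return True
        if kind == "Group" and name in req["groups"]:
            return True
    return False


def is_allowed(req, roles, bindings):
    """roles: {(kind, namespace or None, name): [Rule, ...]}; bindings: list of dicts."""
    for b in bindings:
        if not _subject_matches(b["subjects"], req):
            continue
        ref_kind, ref_name = b["roleRef"]
        if b["kind"] == "RoleBinding":
            if b["namespace"] != req["namespace"]:
                continue  # a RoleBinding grants nothing outside its own namespace
            ref_ns = b["namespace"] if ref_kind == "Role" else None
        else:
            ref_ns = None  # a ClusterRoleBinding can only reference a ClusterRole
        if any(r.matches(req) for r in roles.get((ref_kind, ref_ns, ref_name), [])):
            return True
    return False  # RBAC has no deny rules: "not granted" is the only other outcome


# Constructed cluster state for the example (not from a real cluster)
ROLES = {
    ("ClusterRole", None, "secret-reader"): [Rule({""}, {"secrets"}, {"get", "list"})],
    ("ClusterRole", None, "node-viewer"): [Rule({""}, {"nodes"}, {"get", "list"})],
    ("Role", "dev", "pod-reader"): [Rule({""}, {"pods", "pods/log"}, {"get", "list", "watch"})],
}
BINDINGS = [
    # ClusterRole granted in ONE namespace through a RoleBinding
    {"kind": "RoleBinding", "namespace": "dev", "roleRef": ("ClusterRole", "secret-reader"),
     "subjects": [("User", "alice")]},
    {"kind": "RoleBinding", "namespace": "dev", "roleRef": ("Role", "pod-reader"),
     "subjects": [("Group", "developers")]},
    # The same ClusterRole granted cluster-wide through a ClusterRoleBinding
    {"kind": "ClusterRoleBinding", "roleRef": ("ClusterRole", "secret-reader"),
     "subjects": [("Group", "ops")]},
    {"kind": "ClusterRoleBinding", "roleRef": ("ClusterRole", "node-viewer"),
     "subjects": [("ServiceAccount", "system:serviceaccount:monitoring:prometheus")]},
]


def request(user, groups, verb, resource, namespace, api_group="", name=None):
    """Build a request; cluster-scoped resources (nodes) use namespace ''."""
    return {"user": user, "groups": set(groups), "verb": verb, "resource": resource,
            "namespace": namespace, "apiGroup": api_group, "name": name}


if __name__ == "__main__":
    print("alice get secrets in dev :", is_allowed(request("alice", ["developers"], "get", "secrets", "dev"), ROLES, BINDINGS))
    print("alice get secrets in prod:", is_allowed(request("alice", ["developers"], "get", "secrets", "prod"), ROLES, BINDINGS))
    print("bob (ops) get secrets prod:", is_allowed(request("bob", ["ops"], "get", "secrets", "prod"), ROLES, BINDINGS))
```

The asymmetry between the first two lines of output is the point of the exercise: the ClusterRole's rules are cluster-wide, but the RoleBinding that references it is not.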
Network Security
Q: What does a default-deny NetworkPolicy look like?
Answer
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
```
The empty `podSelector` selects every pod in the policy's namespace, and listing both policy types with no `ingress`/`egress` rules isolates those pods in both directions (DNS egress then has to be allowed explicitly). NetworkPolicy is namespaced, so this has to be created in every namespace, and it only takes effect if the CNI plugin enforces NetworkPolicy. Pods not selected by any policy stay fully open; additional policies are additive allow-lists, there are no deny rules.
Q: What are the NetworkPolicy selectors?
Answer
- **podSelector** - Select pods by labels (on its own in a `from`/`to` entry it only matches pods in the policy's own namespace)
- **namespaceSelector** - Select namespaces by labels
- **ipBlock** - Select IP CIDR ranges, with an optional `except` list
Inside a single `from`/`to` entry, `podSelector` and `namespaceSelector` are ANDed (pods with those labels in namespaces with those labels); separate entries in the list are ORed. Writing them as two entries instead of one is a common mistake that opens traffic from every pod in the selected namespaces.
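The isolation and selector semantics above are easy to get wrong, so here is an added evaluator (example code, not a CNI implementation) that decides whether ingress from one pod to another is allowed under a set of policies. The namespaces, policies and pods are constructed for the example; it models `matchLabels` only, ignores `ipBlock` peers and egress, and treats a missing `policyTypes` as `[Ingress]`.

```python
"""NetworkPolicy ingress evaluator (added example, not the CNI's implementation).

Rules applied: a pod is isolated only if some policy in its namespace selects it;
an isolated pod accepts only traffic some rule of some selecting policy allows.
Assumptions: matchLabels-only selectors, no ipBlock peers, ingress only.
"""


def _selects(selector, labels):
    """matchLabels semantics: every key must match; an empty selector matches everything."""
    return all(labels.get(k) == v for k, v in selector.items())


def _peer_matches(peer, src, policy_ns, namespaces):
    if "ipBlock" in peer:
        return False  # assumption: only pod-to-pod traffic is modelled
    if "namespaceSelector" in peer:
        if not _selects(peer["namespaceSelector"], namespaces.get(src["namespace"], {})):
            return False
    elif src["namespace"] != policy_ns:
        return False  # a bare podSelector only reaches pods in the policy's own namespace
    # podSelector and namespaceSelector inside ONE peer entry are ANDed
    return "podSelector" not in peer or _selects(peer["podSelector"], src["labels"])


def ingress_allowed(src, dst, port, policies, namespaces):
    """True if traffic from pod src to pod dst on TCP/UDP port `port` is admitted."""
    selecting = [p for p in policies
                 if p["namespace"] == dst["namespace"]
                 and "Ingress" in p.get("policyTypes", ["Ingress"])
                 and _selects(p["podSelector"], dst["labels"])]
    if not selecting:
        return True  # not isolated: nothing selects this pod, so all ingress is open
    for p in selecting:
        for rule in p.get("ingress", []):  # a default-deny policy has no rules at all
            ports = rule.get("ports", [])
            if ports and not any(pp["port"] == port for pp in ports):
                continue
            peers = rule.get("from", [])   # an empty `from` admits any source
            if not peers or any(_peer_matches(peer, src, p["namespace"], namespaces) for peer in peers):
                return True  # additive: any rule of any selecting policy is enough
    return False


# Constructed namespaces, policies and pods for the example
NAMESPACES = {"app": {"team": "payments"}, "monitoring": {"role": "monitoring"}, "legacy": {}}
POLICIES = [
    {"name": "default-deny-all", "namespace": "app", "podSelector": {},
     "policyTypes": ["Ingress", "Egress"]},
    {"name": "allow-frontend-to-backend", "namespace": "app", "podSelector": {"role": "backend"},
     "policyTypes": ["Ingress"],
     "ingress": [{"from": [{"podSelector": {"role": "frontend"}}],
                  "ports": [{"protocol": "TCP", "port": 8080}]}]},
    # ONE peer entry with both selectors: prometheus pods in monitoring namespaces only
    {"name": "allow-prometheus-scrape", "namespace": "app", "podSelector": {},
     "policyTypes": ["Ingress"],
     "ingress": [{"from": [{"namespaceSelector": {"role": "monitoring"},
                            "podSelector": {"app": "prometheus"}}],
                  "ports": [{"protocol": "TCP", "port": 9090}]}]},
]


def pod(namespace, **labels):
    return {"namespace": namespace, "labels": labels}


FRONTEND = pod("app", role="frontend")
BACKEND = pod("app", role="backend")
OTHER = pod("app", role="other")
PROMETHEUS = pod("monitoring", app="prometheus")
CURL = pod("monitoring", app="curl")
LEGACY = pod("legacy", app="old")

if __name__ == "__main__":
    for name, src, dst, port in [("frontend->backend:8080", FRONTEND, BACKEND, 8080),
                                 ("other->backend:8080", OTHER, BACKEND, 8080),
                                 ("curl->backend:9090", CURL, BACKEND, 9090),
                                 ("other->legacy:80", OTHER, LEGACY, 80)]:
        print(name, ingress_allowed(src, dst, port, POLICIES, NAMESPACES))
```

The `curl->backend:9090` case is the AND rule in action: the namespace matches but the pod label does not, so the scrape rule does not apply; splitting that peer into two entries would admit the curl pod.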
Pod Security
Q: What are the Pod Security Standards?
Answer
- **Privileged** - Unrestricted; permits known privilege escalations (intended for system and infrastructure workloads)
- **Baseline** - Minimally restrictive; prevents known privilege escalations (no privileged containers, host namespaces, hostPath volumes, or capabilities beyond the default set)
- **Restricted** - Heavily restricted, current hardening best practices (run as non-root, drop ALL capabilities, `allowPrivilegeEscalation: false`, seccomp RuntimeDefault or Localhost, restricted volume types)
They are enforced by the built-in Pod Security Admission controller through namespace labels such as `pod-security.kubernetes.io/enforce: restricted`, with `warn` and `audit` modes for a gradual rollout.
Q: What security context fields prevent privilege escalation?
Answer
```yaml
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
    - ALL
```
`allowPrivilegeEscalation: false` sets the `no_new_privs` flag on the process, so setuid binaries and file capabilities cannot raise its privileges; `runAsNonRoot: true` makes the kubelet refuse to start a container whose effective user is root (or whose image user cannot be resolved to a numeric UID); dropping `ALL` removes the default capability set the runtime would otherwise grant. The Restricted standard additionally requires `seccompProfile.type: RuntimeDefault` (or `Localhost`).
Q: What is a privileged container?
Answer
A container run with `securityContext.privileged: true`, which gives it essentially full access to the host:
- All capabilities
- Access to all host devices (`/dev`)
- Can load kernel modules and change kernel settings
- **Should be avoided in production**; the Baseline standard forbids it
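The following added checker (example code, not the Pod Security Admission implementation) turns the three standards into a test you can run against a parsed pod manifest. It reports each Baseline or Restricted control the pod violates and names the highest profile the pod satisfies, including the seccomp requirement the Restricted standard adds on top of the fields shown above. The three sample pods are constructed; the control subset is the one named on this page (sysctls, `/proc` mount type, host ports and Windows fields are not checked).

```python
"""Pod Security Standards checker (added example, not Pod Security Admission code).

Assumptions: pod is a dict as produced by yaml.safe_load on a manifest; only the
Baseline/Restricted controls named on this page are checked.
"""

HOST_NAMESPACE_FIELDS = ("hostNetwork", "hostPID", "hostIPC")
ALLOWED_CAPABILITY_ADDS = {"NET_BIND_SERVICE"}   # the only capability Restricted lets you add back


def check_pod(pod):
    """Return a list of 'baseline: ...' / 'restricted: ...' violation strings (empty = Restricted-compliant)."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    violations = []
    for f in HOST_NAMESPACE_FIELDS:
        if spec.get(f):
            violations.append(f"baseline: spec.{f} must not be true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            violations.append(f"baseline: volume {vol['name']} mounts a hostPath")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"baseline: container {name} is privileged")
        if sc.get("allowPrivilegeEscalation") is not False:   # must be explicitly false
            violations.append(f"restricted: container {name} must set allowPrivilegeEscalation: false")
        # container-level fields override pod-level ones; one of them has to be set correctly
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f"restricted: container {name} must set runAsNonRoot: true")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            violations.append(f"restricted: container {name} must drop ALL capabilities")
        if set(caps.get("add", [])) - ALLOWED_CAPABILITY_ADDS:
            violations.append(f"restricted: container {name} may only add NET_BIND_SERVICE")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(f"restricted: container {name} needs seccompProfile RuntimeDefault or Localhost")
    return violations


def profile_of(pod):
    """Highest standard the pod meets: 'restricted' > 'baseline' > 'privileged' (only Privileged admits it)."""
    kinds = {v.split(":")[0] for v in check_pod(pod)}
    if "baseline" in kinds:
        return "privileged"
    return "baseline" if "restricted" in kinds else "restricted"


# Constructed sample pods
PRIVILEGED_POD = {"metadata": {"name": "debug"}, "spec": {
    "hostPID": True,
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "shell", "image": "busybox",
                    "securityContext": {"privileged": True}}]}}

BASELINE_POD = {"metadata": {"name": "web"}, "spec": {
    "containers": [{"name": "web", "image": "example/web"}]}}   # nothing dangerous, nothing hardened

HARDENED_POD = {"metadata": {"name": "api"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "api", "image": "example/api",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]}}

if __name__ == "__main__":
    for p in (PRIVILEGED_POD, BASELINE_POD, HARDENED_POD):
        print(p["metadata"]["name"], "->", profile_of(p))
        for v in check_pod(p):
            print("   ", v)
```

`BASELINE_POD` is the instructive case: a plain container with no `securityContext` at all passes Baseline but fails Restricted on four counts, which is exactly what a namespace switched to `enforce: restricted` will reject.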
Secrets Management
Q: How are Kubernetes secrets encoded?
Answer
Base64 encoded (NOT encrypted by default). Base64 is an encoding, not protection: anyone who can `get` the Secret through the API, or read the etcd data directory or a backup, recovers the value in one command:
```bash
# Encode
echo -n 'password' | base64
# Decode
echo 'cGFzc3dvcmQ=' | base64 -d
```
Q: How to encrypt secrets at rest?
Answer
Configure an EncryptionConfiguration and point the kube-apiserver at it with `--encryption-provider-config`:
```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: <base64-key>
      - identity: {}
```
The first provider in the list encrypts all new writes; on reads the API server selects the provider by the prefix stored with the object, so keeping `identity` last allows objects written before encryption was enabled to still be read. Existing Secrets are only re-encrypted when they are rewritten (`kubectl get secrets --all-namespaces -o json | kubectl replace -f -`). `aescbc` works but is no longer recommended in the Kubernetes documentation because CBC is exposed to padding-oracle attacks; prefer `kms` (v2), `secretbox` or `aesgcm`. For `aescbc`/`aesgcm` the key is 16, 24 or 32 random bytes (`secretbox`: 32), base64-encoded, and since the config file contains the key in the clear it must be protected on the control-plane host as carefully as etcd itself.
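The provider-ordering and key rules above are where encryption-at-rest configurations usually go wrong, so here is an added linter (example code, not kube-apiserver's validation) that reports the write provider for a resource, flags an `identity`-first list, a missing `identity` fallback, `aescbc` use and wrong key lengths, and decodes the `k8s:enc:<provider>:<version>:<key>:` prefix the API server stores in front of each encrypted value to tell which key wrote it. The configurations are constructed (the key is an all-zero placeholder; real keys come from `head -c 32 /dev/urandom | base64`), and the config is assumed to be already parsed into a dict, e.g. with `yaml.safe_load`.

```python
"""EncryptionConfiguration sanity checks (added example, not kube-apiserver code).

Assumptions: config already parsed into a dict; key-length rules cover
aescbc/aesgcm (16, 24 or 32 bytes) and secretbox (32 bytes); kms bodies are not inspected.
"""
import base64

AES_KEY_LENGTHS = {16, 24, 32}


def _provider(entry):
    """Each providers[] item is a one-key dict like {'aescbc': {...}} or {'identity': {}}."""
    return next(iter(entry.items()))


def write_provider(config, resource):
    """Return (provider, key name) that will encrypt NEW writes of `resource`."""
    for res in config["resources"]:
        if resource in res["resources"]:
            name, body = _provider(res["providers"][0])
            keys = body.get("keys") if isinstance(body, dict) else None
            return (name, keys[0]["name"] if keys else None)
    return ("identity", None)   # resources not listed anywhere stay plaintext


def lint_encryption_config(config):
    """Return human-readable warnings about dangerous or invalid provider lists."""
    warnings = []
    for res in config["resources"]:
        label = ",".join(res["resources"])
        names = [_provider(p)[0] for p in res["providers"]]
        if names[0] == "identity":
            warnings.append(f"{label}: identity is first, so new writes are stored in plaintext")
        if "identity" not in names:
            warnings.append(f"{label}: no identity provider, objects written before encryption was enabled become unreadable")
        for p in res["providers"]:
            name, body = _provider(p)
            if name == "aescbc":
                warnings.append(f"{label}: aescbc is exposed to padding-oracle attacks, prefer kms v2, secretbox or aesgcm")
            if name in ("aescbc", "aesgcm", "secretbox"):
                want = {32} if name == "secretbox" else AES_KEY_LENGTHS
                for key in body["keys"]:
                    size = len(base64.b64decode(key["secret"]))
                    if size not in want:
                        warnings.append(f"{label}: key {key['name']} is {size} bytes, expected one of {sorted(want)}")
    return warnings


def stored_by(stored):
    """Which (provider, key) wrote this etcd value? Plaintext written by identity has no prefix."""
    if not stored.startswith(b"k8s:enc:"):
        return ("identity", None)
    _, _, provider, _version, key, _ciphertext = stored.split(b":", 5)
    return (provider.decode(), key.decode())


# Constructed configurations; the key is a placeholder, never use it
PLACEHOLDER_KEY = base64.b64encode(b"\x00" * 32).decode()

PAGE_CONFIG = {"apiVersion": "apiserver.config.k8s.io/v1", "kind": "EncryptionConfiguration",
               "resources": [{"resources": ["secrets"],
                              "providers": [{"aescbc": {"keys": [{"name": "key1", "secret": PLACEHOLDER_KEY}]}},
                                            {"identity": {}}]}]}

# Same providers, wrong order: the API server happily stores every new Secret in plaintext
IDENTITY_FIRST = {"resources": [{"resources": ["secrets"],
                                 "providers": [{"identity": {}},
                                               {"secretbox": {"keys": [{"name": "key1", "secret": PLACEHOLDER_KEY}]}}]}]}

SHORT_KEY = {"resources": [{"resources": ["secrets"],
                            "providers": [{"aesgcm": {"keys": [{"name": "weak", "secret": base64.b64encode(b"x" * 8).decode()}]}},
                                          {"identity": {}}]}]}

if __name__ == "__main__":
    for title, cfg in (("page config", PAGE_CONFIG), ("identity first", IDENTITY_FIRST), ("short key", SHORT_KEY)):
        print(title, "writes with", write_provider(cfg, "secrets"))
        for w in lint_encryption_config(cfg):
            print("   WARNING:", w)
    print(stored_by(b"k8s:enc:aescbc:v1:key1:\x8f\x12\x00..."))
```

During key rotation the same ordering rule is used on purpose: the new key is inserted first so it takes over writes, the old key stays in the list so old values still decrypt, all objects are rewritten, and only then is the old key removed.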
Image Security
Q: What is image scanning?
Answer
Analyzing container images for:
- Known vulnerabilities (CVEs) in OS packages and application dependencies
- Misconfigurations (e.g. running as root, credentials baked into layers)
- Malware
- Compliance issues
Tools: Trivy, Clair, Anchore. Scan in CI and again at the registry or at admission time, because new CVEs are published against images that were clean when they were built.
Q: What is image signing?
Answer
Cryptographically signing images (the manifest digest, not a mutable tag) to verify:
- Image authenticity
- Image integrity
- Publisher identity
Tools: Cosign (Sigstore), Notary. A signature only helps if verification is enforced, e.g. by an admission controller that rejects unsigned images, and if deployments pin images by digest rather than by tag.
Runtime Security
Q: What is Falco?
Answer
Cloud-native runtime security tool:
- Detects abnormal behavior (a shell spawned in a container, reads of sensitive files, unexpected outbound connections)
- Observes kernel-level system calls through a kernel module or an eBPF probe
- Rule-based detection (YAML rules with conditions over syscall events and container/Kubernetes metadata)
- Real-time alerts; it detects and reports, it does not block
Q: What is AppArmor?
Answer
Linux security module that:
- Restricts program capabilities
- Controls file access
- Controls network access
- Uses profiles (enforce/complain mode) that must be loaded on every node where the pod can run; a pod selects one with `securityContext.appArmorProfile` (Kubernetes v1.30+) or, on older versions, the `container.apparmor.security.beta.kubernetes.io/<container>` annotation
Q: What is Seccomp?
Answer
Secure Computing Mode:
- Filters system calls
- Reduces attack surface (kernel bugs reachable only through blocked syscalls become unreachable)
- Profiles define allowed syscalls
- RuntimeDefault profile recommended: `securityContext.seccompProfile.type: RuntimeDefault` applies the container runtime's default profile; `Localhost` loads a profile file from the node, `Unconfined` disables filtering. The Restricted Pod Security Standard requires RuntimeDefault or Localhost.
Supply Chain Security
Q: What is SBOM?
Answer
Software Bill of Materials:
- List of all components in software
- Dependencies and versions
- Licenses
- Helps track vulnerabilities: newly published advisories can be matched against the inventory without rescanning every image
Standard formats are SPDX and CycloneDX; scanners such as Trivy can generate them for an image at build time.
Q: What are the 4Cs of Cloud Native Security?
Answer
- **Cloud** - Infrastructure security
- **Cluster** - Kubernetes security
- **Container** - Image and runtime security
- **Code** - Application security
Each layer builds on the one outside it: a hardened application cannot compensate for an open cloud account or an unauthenticated API server.
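To show what "helps track vulnerabilities" means in practice for the SBOM flashcard above, here is an added example (not code from the page or from any SBOM tool) that matches a minimal CycloneDX 1.4 document against OSV-style advisory ranges. Both the SBOM and the advisories are constructed for the example, with fictional package names and advisory IDs, not real vulnerabilities; the version comparison assumes plain dotted integers.

```python
"""Matching an SBOM against advisories (added example; constructed, fictional data).

Assumptions: CycloneDX JSON with purl per component, OSV-like advisories with
introduced/fixed ranges, dotted-integer versions.
"""
import json

SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "acme-json", "version": "1.4.2", "purl": "pkg:pypi/acme-json@1.4.2"},
    {"type": "library", "name": "acme-http", "version": "2.0.1", "purl": "pkg:pypi/acme-http@2.0.1"},
    {"type": "library", "name": "acme-yaml", "version": "5.1.0", "purl": "pkg:npm/acme-yaml@5.1.0"},
    {"type": "library", "name": "acme-json", "version": "1.4.2", "purl": "pkg:npm/acme-json@1.4.2"}
  ]
}
"""

ADVISORIES = [   # constructed, fictional advisories in an OSV-like shape
    {"id": "ADV-EXAMPLE-0001", "package": {"ecosystem": "PyPI", "name": "acme-json"},
     "ranges": [{"introduced": "1.0.0", "fixed": "1.4.3"}]},
    {"id": "ADV-EXAMPLE-0002", "package": {"ecosystem": "PyPI", "name": "acme-http"},
     "ranges": [{"introduced": "2.1.0"}]},                    # no fix yet: everything >= 2.1.0
    {"id": "ADV-EXAMPLE-0003", "package": {"ecosystem": "npm", "name": "acme-yaml"},
     "ranges": [{"introduced": "0", "fixed": "5.0.0"}]},
]

PURL_TYPE_TO_ECOSYSTEM = {"pypi": "PyPI", "npm": "npm", "golang": "Go", "maven": "Maven"}


def parse_version(v):
    return tuple(int(x) for x in v.split("."))


def in_range(version, rng):
    """OSV semantics: introduced <= version < fixed; a range without `fixed` is open-ended."""
    v = parse_version(version)
    if v < parse_version(rng["introduced"]):
        return False
    return "fixed" not in rng or v < parse_version(rng["fixed"])


def ecosystem_of(purl):
    """pkg:<type>/<namespace>/<name>@<version>: the <type> decides the ecosystem."""
    return PURL_TYPE_TO_ECOSYSTEM.get(purl.split(":", 1)[1].split("/", 1)[0])


def affected_components(sbom_json, advisories):
    """Return sorted (name, version, ecosystem, advisory id) tuples for vulnerable components."""
    hits = []
    for comp in json.loads(sbom_json)["components"]:
        eco = ecosystem_of(comp["purl"])
        for adv in advisories:
            if adv["package"]["name"] != comp["name"] or adv["package"]["ecosystem"] != eco:
                continue   # the same name in another ecosystem is a different package
            if any(in_range(comp["version"], r) for r in adv["ranges"]):
                hits.append((comp["name"], comp["version"], eco, adv["id"]))
    return sorted(hits)


if __name__ == "__main__":
    for hit in affected_components(SBOM_JSON, ADVISORIES):
        print("affected:", hit)
```

The fourth component is there on purpose: `acme-json` from npm shares its name with the PyPI package but is not affected, which is why matching on the purl's ecosystem and not just the name matters.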
Audit Logging
Q: What are the audit log levels?
Answer
- **None** - Don't log
- **Metadata** - Log request metadata only (user, verb, resource, namespace, timestamp, response code)
- **Request** - Log metadata + request body
- **RequestResponse** - Log metadata + request + response body
An audit policy is an ordered list of rules: the first rule that matches a request sets its level, and a request matching no rule is not logged. Keep Secrets, ConfigMaps and TokenReviews at Metadata so their contents never end up in the audit log, and put that rule before any broad rule with a higher level.
Q: What stages are logged?
Answer
- **RequestReceived** - When the request is received, before any processing
- **ResponseStarted** - Response headers sent; only generated for long-running requests such as watch
- **ResponseComplete** - Response body sent
- **Panic** - A panic occurred while handling the request
Stages can be dropped per rule or for the whole policy with `omitStages`; `RequestReceived` is commonly omitted because ResponseComplete carries the same metadata plus the outcome.
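Because rule order decides the level, here is an added evaluator (example code, not the apiserver's policy checker) that applies the semantics listed above to a constructed policy and shows how moving a catch-all `RequestResponse` rule above the Secrets rule silently starts logging Secret contents. The policy is modelled on the structure of the audit policy API; only `users`, `userGroups`, `verbs`, `resources` (group + resources) and `namespaces` are matched, and `nonResourceURLs` are left out.

```python
"""Audit policy evaluation (added example, not the kube-apiserver policy checker).

Semantics applied: rules are checked in order, the first match sets the level,
no match means the request is not logged, omitStages (rule or policy level)
removes stages. Assumption: nonResourceURLs rules are not modelled.
"""

ALL_STAGES = ["RequestReceived", "ResponseStarted", "ResponseComplete", "Panic"]


def _rule_matches(rule, ev):
    if rule.get("users") and ev["user"] not in rule["users"]:
        return False
    if rule.get("userGroups") and not set(rule["userGroups"]) & set(ev["groups"]):
        return False
    if rule.get("verbs") and ev["verb"] not in rule["verbs"]:
        return False
    if rule.get("namespaces") and ev["namespace"] not in rule["namespaces"]:
        return False
    if rule.get("resources"):          # an absent/empty list matches every resource
        for gr in rule["resources"]:
            if gr.get("group", "") != ev["group"]:
                continue
            if not gr.get("resources") or ev["resource"] in gr["resources"]:
                return True            # a group entry without resources matches the whole group
        return False
    return True


def audit_level(policy, ev):
    """Return (level, stages that can be recorded) for one request; ('None', []) means not logged."""
    for rule in policy["rules"]:
        if _rule_matches(rule, ev):
            if rule["level"] == "None":
                return ("None", [])
            omitted = set(policy.get("omitStages", [])) | set(rule.get("omitStages", []))
            return (rule["level"], [s for s in ALL_STAGES if s not in omitted])
    return ("None", [])


# Constructed policy (same shape as audit.k8s.io/v1 Policy)
POLICY = {
    "apiVersion": "audit.k8s.io/v1", "kind": "Policy",
    "omitStages": ["RequestReceived"],
    "rules": [
        # drop the noisy kube-proxy watches entirely
        {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
         "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
        # never record bodies of Secrets, ConfigMaps or TokenReviews
        {"level": "Metadata",
         "resources": [{"group": "", "resources": ["secrets", "configmaps"]},
                       {"group": "authentication.k8s.io", "resources": ["tokenreviews"]}]},
        # full bodies for pod create/delete in prod, for forensics
        {"level": "RequestResponse", "verbs": ["create", "delete"],
         "resources": [{"group": "", "resources": ["pods"]}], "namespaces": ["prod"]},
        # everything else: metadata only
        {"level": "Metadata"},
    ],
}

# A broad RequestResponse rule placed FIRST makes the Secrets rule unreachable
BAD_ORDER = {"rules": [{"level": "RequestResponse"}] + POLICY["rules"][:3]}


def event(user, verb, resource, group="", namespace="", groups=()):
    """Constructed request attributes; cluster-scoped requests use namespace ''."""
    return {"user": user, "groups": list(groups), "verb": verb,
            "resource": resource, "group": group, "namespace": namespace}


if __name__ == "__main__":
    secret_read = event("alice", "get", "secrets", namespace="prod")
    print("good policy, secret read:", audit_level(POLICY, secret_read))
    print("bad order,   secret read:", audit_level(BAD_ORDER, secret_read))
    print("pod create in prod      :", audit_level(POLICY, event("alice", "create", "pods", namespace="prod")))
```

The second printed line is the misconfiguration to watch for: the Secret is now logged at RequestResponse, so its base64 payload is written into every audit backend the cluster ships to.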