Certified-Kubernetes-Security-Specialist
Curated resources help you prepare for the CNCF/Linux Foundation CKS 2021 "Kubernetes Certified Security Specialist" Certification exam. Please provide feedback or requests by raising issues, or making a pull request. All feedback for improvements are welcome. thank you. (by walidshaari)
apparmor-profiles
AppArmor Profiles for Arch Linux (by jelly)
| Certified-Kubernetes-Security-Specialist | apparmor-profiles | |
|---|---|---|
| 5 | 1 | |
| 1,918 | 2 | |
| - | - | |
| 2.1 | 0.8 | |
| 3 months ago | about 1 year ago | |
| AGS Script | ||
| Creative Commons Attribution Share Alike 4.0 | - |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Certified-Kubernetes-Security-Specialist
Posts with mentions or reviews of Certified-Kubernetes-Security-Specialist.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2021-02-21.
- Resources to pass the CKS exam?
-
CKS - I passed the exam on the weekend. Just some thoughts if it can be helpful to someone.
This repo https://github.com/walidshaari/Certified-Kubernetes-Security-Specialist was immensely helpful (suggested by killer.sh). One thing to note is that PSP has been deprecated; so you need to be studying the PodSecurity admission controller. I didn't use any other resources.
-
What after Kubernetes CKA certification?
CKS Repo by Walid Shaari - https://github.com/walidshaari/Certified-Kubernetes-Security-Specialist
-
All about Kubernetes Certifications – CKA/CKAD/CKS
Also prepration repository by Walid Shaari -> https://github.com/walidshaari/Certified-Kubernetes-Security...
-
#8 DevOps Diary: No more Docker?
Adding to #7 of this newsletter; some amazing people have started collections of free resources on GitHub to help you prepare for the CNCF Certified Kubernetes Security Specialist - CKS (or just to learn cool stuff about security)
apparmor-profiles
Posts with mentions or reviews of apparmor-profiles.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2023-11-11.
-
Enhancing Service Security with Systemd
# /etc/systemd/system/nginx.service # Rootless Nginx service based on https://github.com/stephan13360/systemd-services/blob/master/nginx/nginx.service [Unit] # This is from the default nginx.service Description=nginx (hardened rootless) Documentation=https://nginx.org/en/docs/ Documentation=https://github.com/stephan13360/systemd-services/blob/master/nginx/README.md After=network-online.target remote-fs.target nss-lookup.target Wants=network-online.target [Service] # forking is not necessary as `daemon` is turned off in the nginx config Type=exec User=nginx Group=nginx ## can be used e.g. for accessing directory containing SSL certs #SupplementaryGroups=acme # define runtime directory /run/nginx as rootless services can't access /run RuntimeDirectory=nginx # write logs to /var/log/nginx LogsDirectory=nginx # write cache to /var/cache/nginx CacheDirectory=nginx # configuration is in /etc/nginx ConfigurationDirectory=nginx ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf # PID is not necessary here as the service is not forking ExecReload=/usr/sbin/nginx -s reload Restart=on-failure RestartSec=10s # Hardening # hide the entire filesystem tree from the service and also make it read only, requires systemd >=238 TemporaryFileSystem=/:ro # Remount (bind) necessary paths, based on https://gitlab.com/apparmor/apparmor/blob/master/profiles/apparmor.d/abstractions/base, # https://github.com/jelly/apparmor-profiles/blob/master/usr.bin.nginx, # https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RootDirectory= # # This gives access to (probably) necessary system files, allows journald logging BindReadOnlyPaths=/lib/ /lib64/ /usr/lib/ /usr/lib64/ /etc/ld.so.cache /etc/ld.so.conf /etc/ld.so.conf.d/ /etc/bindresvport.blacklist /usr/share/zoneinfo/ /usr/share/locale/ /etc/localtime /usr/share/common-licenses/ /etc/ssl/certs/ /etc/resolv.conf BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout /run/systemd/notify # Additional access to service-specific directories BindReadOnlyPaths=/usr/sbin/nginx BindReadOnlyPaths=/run/ /usr/share/nginx/ PrivateTmp=true PrivateDevices=true ProtectControlGroups=true ProtectKernelModules=true ProtectKernelTunables=true # Network access RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 # Miscellaneous SystemCallArchitectures=native # also implicit because settings like MemoryDenyWriteExecute are set NoNewPrivileges=true MemoryDenyWriteExecute=true ProtectKernelLogs=true LockPersonality=true ProtectHostname=true RemoveIPC=true RestrictSUIDSGID=true ProtectClock=true # Capabilities to bind low ports (80, 443) AmbientCapabilities=CAP_NET_BIND_SERVICE [Install] WantedBy=multi-user.target
What are some alternatives?
When comparing Certified-Kubernetes-Security-Specialist and apparmor-profiles you can also consider the following projects:
atomic-red-team - Small and highly portable detection tests based on MITRE's ATT&CK.
apparmor
azure-policy - Repository for Azure Resource Policy built-in definitions and samples
Kubernetes-Certified-Administrator - Online resources that will help you prepare for taking the CNCF CKA 2020 "Kubernetes Certified Administrator" Certification exam. with time, This is not likely the comprehensive up to date list - please make a pull request if there something that should be added here.
extending-falco-outputs-with-falcosidekick - Demonstrating how you can send Falco alerts to the slack with the make use of falcosidekick
kube-bench-exporter - :whale: :rocket: Helps you to export your kube-bench reports to multiple targets like Amazon S3 buckets with ease.
k-rail - Kubernetes security tool for policy enforcement
awesome-falco - A curated list of Falco related tools, frameworks, blogs, podcasts, and articles
Certified-Kubernetes-Security-Specialist vs atomic-red-team
apparmor-profiles vs apparmor
Certified-Kubernetes-Security-Specialist vs azure-policy
Certified-Kubernetes-Security-Specialist vs Kubernetes-Certified-Administrator
Certified-Kubernetes-Security-Specialist vs extending-falco-outputs-with-falcosidekick
Certified-Kubernetes-Security-Specialist vs kube-bench-exporter
Certified-Kubernetes-Security-Specialist vs k-rail
Certified-Kubernetes-Security-Specialist vs awesome-falco