CKS - Useful commands

October 13, 2021 - Kubernetes, cks

Too many tools...

Hi everyone, this is a small collection of commands and hints that are useful (I hope) for the CKS certification.

kubectl

Decode secrets on the fly:

kubectl get secret my-super-secret -o jsonpath="{.data.key}" | base64 --decode  

Get all the images for the pods in the current namespace:

kubectl get pods -o jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}'  

etcd

Retrieve secrets directly from etcd:

ETCDCTL_API=3 etcdctl --<various certs> get /registry/{type}/{namespace}/{name}  

seccomp - restrict syscalls

The standard path where the kubelet searches for seccomp profiles is /var/lib/kubelet/seccomp.

To load a profile in a Pod definition use:

apiVersion: v1  
kind: Pod  
metadata:  
  name: pod-with-seccomp
spec:  
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: profiles/audit.json
  containers:
...

profiles/audit.json is a path relative to /var/lib/kubelet/seccomp.

apparmor - what a container can or cannot do

Check apparmor status:

aa-status  

Load apparmor profile:

apparmor_parser -q /etc/apparmor.d/profile.something  

The name to use in the Kubernetes annotation is the profile name declared inside the file being loaded; note that it can differ from the file name.

How to load a profile in a pod definition:

apiVersion: v1  
kind: Pod  
metadata:  
  name: hello-apparmor
  annotations:
    container.apparmor.security.beta.kubernetes.io/hello: localhost/myprofile
spec:  
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]

In this example we load the AppArmor profile myprofile for the container hello.

trivy - scan image for vulnerabilities

Find all images in a namespace and scan them with trivy to find CRITICAL vulnerabilities:

kubectl get pods -o jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}' | xargs -n 1 trivy image --severity CRITICAL  
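The one-liners above (the image listing and the trivy scan) miss initContainers and scan the same image once per pod that uses it. The following is an added example, not from the original post, that collects every distinct image in a namespace once and fails if trivy reports a CRITICAL finding; it assumes kubectl and trivy are on PATH, and the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): scan each distinct image in a
# namespace exactly once, covering initContainers as well as regular containers.
# Assumes kubectl and trivy are on PATH; SAMPLE below is constructed test input.

# Turn whitespace-separated image references (one pod per line, as printed by
# the jsonpath in list_pod_images) into a sorted, deduplicated list, one per line.
collect_images() {
    tr ' \t' '\n\n' | sed '/^$/d' | sort -u
}

# Images of init containers and regular containers for all pods in a namespace.
list_pod_images() {
    ns="${1:-default}"
    kubectl get pods -n "$ns" -o jsonpath='{range .items[*]}{.spec.initContainers[*].image} {.spec.containers[*].image}{"\n"}{end}'
}

# Scan each unique image; --exit-code 1 makes trivy fail on CRITICAL findings,
# so the function's return code is non-zero if any image is affected.
scan_namespace() {
    ns="${1:-default}"
    rc=0
    for img in $(list_pod_images "$ns" | collect_images); do
        echo "== $img"
        trivy image --severity CRITICAL --exit-code 1 "$img" || rc=1
    done
    return "$rc"
}

# Constructed sample: two pods; the second has an init container and shares
# nginx:1.21 with the first, so only three distinct images should be scanned.
SAMPLE='busybox:1.35 nginx:1.21
nginx:1.21 redis:6.2'

printf '%s\n' "$SAMPLE" | collect_images
```

Run `scan_namespace <namespace>` against a live cluster; `collect_images` alone can be fed any whitespace-separated image list.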

links available during the exam

Kubernetes

Tools

CKS rules: https://docs.linuxfoundation.org/tc-docs/certification/important-instructions-cks

Samuele Chiocca
Padova, Italy
Kubernetes Engineer @SIGHUP