Stage 7 · Master
KCSA — Kubernetes & Cloud Native Security Associate
Platform Security (16%)
Supply chain security, image scanning, admission control, and PKI infrastructure.
Supply Chain Security
The software supply chain includes every step from source code to running container. An attacker can compromise any step — source code, build pipeline, registry, or deployment. Securing the supply chain means verifying integrity at every stage.
- Source — Code review, branch protection, signed commits.
- Build — Reproducible builds, isolated build environments.
- Registry — Image scanning, access control, retention policies.
- Deployment — Admission control, image signature verification.
- Runtime — Minimal base images, no privilege escalation.
SLSA (Supply-chain Levels for Software Artifacts) defines four levels of supply chain security maturity. Level 1 is basic provenance. Level 4 requires hermetic builds and two-party review. Aim for at least Level 2.
Image Security
Container images are the packaging format for applications. An insecure image can contain known vulnerabilities, malware, or secrets. Image security involves scanning, signing, and using minimal base images.
- Scan for CVEs — Use Trivy, Grype, or Snyk to scan images.
- Use minimal base images — distroless, alpine, or scratch.
- Do not run as root — Set runAsNonRoot in SecurityContext.
- Pin image tags — Use SHA digests, not mutable tags.
- Private registries — Do not pull from public registries in production.
Admission Control
Admission controllers intercept requests to the API server after authentication and authorization but before the object is stored in etcd. They can validate, mutate, or reject requests.
| Controller | Type | Purpose |
|---|---|---|
| PodSecurity | Validating | Enforce Pod Security Standards |
| NodeRestriction | Validating | Limit kubelet permissions |
| LimitRange | Mutating | Set default resource limits |
| ResourceQuota | Validating | Enforce namespace quotas |
| OPA Gatekeeper | Validating | Custom policy enforcement |
| Kyverno | Validating/Mutating | Kubernetes-native policies |
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: k8srequirelabels
spec:
crd:
spec:
names:
kind: K8sRequireLabels
validation:
openAPIV3Schema:
type: object
properties:
labels:
type: array
items:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8srequirelabels
violation[{"msg": msg}] {
provided := {label | input.review.object.metadata.labels[label]}
required := {label | label := input.parameters.labels[_]}
missing := required - provided
count(missing) > 0
msg := sprintf("Missing required labels: %v", [missing])
}Gatekeeper uses Rego (Open Policy Agent) to define policies. This template requires specific labels on all resources.
PKI and Certificates
Kubernetes uses TLS certificates extensively — for API server communication, etcd encryption, webhook authentication, and ingress traffic. Understanding PKI is essential for cluster security.
- CA certificate — Root of trust for the cluster.
- API server certificate — Used by clients to verify the API server.
- Kubelet certificates — Used by the API server to communicate with kubelets.
- etcd certificates — Used by the API server to communicate with etcd.
- Service account tokens — Signed JWTs for service account authentication.
Secrets Management
Kubernetes Secrets store sensitive data like passwords, tokens, and keys. However, Secrets are only base64-encoded by default, not encrypted. For real security, enable etcd encryption at rest and use external secret stores.
kubectl create secret generic my-secret \
--from-literal=password='s3cr3t' \
--from-literal=username='admin'
kubectl get secret my-secret -o jsonpath='{.data.password}' | base64 -d
echo ""
# External secret stores
# - HashiCorp Vault (via Vault Agent or CSI driver)
# - AWS Secrets Manager (via External Secrets Operator)
# - Azure Key Vault (via CSI driver)Base64 is not encryption. Anyone with access to the Secret can decode it. Use etcd encryption and external secret stores for production security.
Storing secrets as environment variables is less secure than mounting them as volumes. Environment variables can leak through process listings, logs, and crash dumps. Prefer mounted secret volumes.
Image Signing and Verification
Image signing uses cryptographic signatures to verify that an image was built by a trusted source and has not been tampered with. Sigstore and Cosign are the emerging standards for container image signing.
- Cosign — Sign and verify container images.
- Sigstore — Keyless signing with OIDC identity.
- Notary — Docker Content Trust for image signing.
- Admission controllers — Enforce image signature verification at deploy time.
Key Commands
kubectl get validatingwebhookconfigurations
kubectl get mutatingwebhookconfigurations
kubectl get certificates -A
kubectl get certificaterequests -A
kubectl describe secret -n kube-system
kubectl get events --field-selector type=Warning -AWebhook configurations show admission controllers. Certificate resources show TLS certificate management. These are critical for security auditing.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.