Nurlan199206 · July 24, 2023 16:51
diff --git a/CKS-1.27 cheatsheet b/CKS-1.27 cheatsheet
 https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
 https://www.cisecurity.org/cis-benchmarks
 https://training.linuxfoundation.org/certification/certified-kubernetes-security-specialist/
 https://kubernetes.io/docs/tutorials/security/seccomp/
 https://kubernetes.io/docs/tutorials/security/seccomp/#create-a-pod-with-a-seccomp-profile-for-syscall-auditing
 https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#define-container-environment-variables-using-secret-data
 https://kubernetes.io/docs/concepts/containers/runtime-class/

 seccomp - ПОВТОРИТЬ!
 AppArmor - ПОВТОРИТЬ!

 ==============================================CIS-CAT===================================================
 cd /root/Assessor
 sh ./Assessor-CLI.sh -i -rd /var/www/html/ -nts -rp index


 ===============================================kube-bench===============================================
 ./kube-bench --config-dir `pwd`/cfg --config `pwd`/cfg/config.yaml 

 ===============================================ServiceAccount=====================================================
 kubectl create token dashboard-sa
 kubectl certificate approve akshay
 kubectl certificate deny agent-smith


 ===============================================Contexts=====================================================
 kubectl config --kubeconfig=/root/my-kube-config use-context research
 kubectl config --kubeconfig=/root/my-kube-config current-context
 kubectl proxy &
 kubectl port-forward deploy/nginx 8005:80
 kubectl proxy - Opens proxy port to API server
 kubectl port-forward - Opens port to target deployment pods



 ===============================================RBAC=====================================================
 /var/rbac
 kubectl describe pod kube-apiserver-controlplane -n kube-system и --authorization-mode - проверить authorization-mode
 kubectl get roles -A --no-headers | wc -l
 kubectl describe role kube-proxy -n kube-system
 kubectl describe rolebinding kube-proxy -n kube-system - проверить биндинг которые привязаны к роли
 kubectl get pods --as dev-user
 kubectl create role dev-user --verb=list,create,delete --resource=pods --namespace=default
 kubectl create rolebinding dev-user-binding --role=developer --user=dev-user --namespace=default
 kubectl get clusterrole -A --no-headers | wc -l - кол-во кластерролей
 kubectl get clusterrolebindings -A --no-headers | wc -l
 kubectl describe clusterrolebinding cluster-admin
 ===========================================clusterrole====================================================
 kubectl create clusterrole node-admin  --verb=get,watch,list,createm,delete --resource=nodes
 kubectl create clusterrolebinding michelle-binding  --user=michelle --clusterrole=node-admin
 kubectl create clusterrolebinding michelle-strage-admin --user-michelle --clusterrole=storage-admin
 kubectl create clusterrolebinding michelle-storage-admin --user=michelle --clusterrole=storage-admin
 ===========================================kubelet========================================================
 /var/lib/kubelet/config.yaml - kubelet config

 ===============================================SYSTEM HARDENING===========================================
 /var/lib/kubelet/seccomp/profiles/ - seccomp profiles location
 sha512sum kubernetes.tar.gz - проверить контрольные суммы файла
 useradd -d /opt/sam -s /bin/bash -G admin -u 2328 sam
 netstat -an | grep -w LISTEN
 ===============================================UFW========================================================
 ufw allow from 192.168.1.15 to any port 22 proto tcp
 ufw allow from 192.168.1.0/24 to any port 22 proto tcp
 ufw allow 1000:2000/tcp - allow port range 1000-2000
 ufw reset
 ufw allow 22 - allow 22 port
 ufw deny 80
 ufw disable

 ==================================================Tracee====================================================================
 kubectl logs -f `kubectl get pods -l=io.kompose.service=tracee -o custom-columns=":metadata.name" --no-headers`
 ===============================================AppArmor====================================================
 aa-status
 aa-genprof /root/test.sh
 apparmor_parser -q /etc/apparmor.d/usr.sbin.nginx - загрузить профиль apparmor

 ==================================================Admission Controller====================================================================
 Which admission controller is not enabled by default? - NameSpaceAutoprovision
 kube-apiserver -h | grep enable-admission-plugins
 ps -ef | grep kube-apiserver | grep admission-plugins


 #example of admission controller
 cat /etc/kubernetes/manifests/kube-apiserver.yaml 
 - --enable-admission-plugins=NodeRestriction,NamespaceAutoProvision
 - --disable-admission-plugins=DefaultStorageClass
 ====================================================Runtime Classes=======================================================================
 kubectl get runtimeclasses -A 
 kubectl describe runtimeclasses gvisor  | grep Handler
 kubectl describe runtimeclasses kata-containers  | grep Handler
 ====================================================kubesec===============================================================================
 wget https://github.com/controlplaneio/kubesec/releases/download/v2.11.0/kubesec_linux_amd64.tar.gz
 kubesec scan pod.yaml
 ====================================================trivy=================================================================================
 trivy image nginx:1.18.0
 trivy image python:3.6.12-alpine3.11 --severity=HIGH > /root/python.txt
 trivy image --input alpine.tar --format json --output /root/alpine.json - scan tar archive
 ==================================================falco============================================================
 kill -1 $(cat /var/run/falco.pid) - restart falco without restarting falco service
	https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
	https://www.cisecurity.org/cis-benchmarks
	https://training.linuxfoundation.org/certification/certified-kubernetes-security-specialist/
	https://kubernetes.io/docs/tutorials/security/seccomp/
	https://kubernetes.io/docs/tutorials/security/seccomp/#create-a-pod-with-a-seccomp-profile-for-syscall-auditing
	https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#define-container-environment-variables-using-secret-data
	https://kubernetes.io/docs/concepts/containers/runtime-class/

	seccomp - ПОВТОРИТЬ!
	AppArmor - ПОВТОРИТЬ!

	==============================================CIS-CAT===================================================
	cd /root/Assessor
	sh ./Assessor-CLI.sh -i -rd /var/www/html/ -nts -rp index


	===============================================kube-bench===============================================
	./kube-bench --config-dir `pwd`/cfg --config `pwd`/cfg/config.yaml

	===============================================ServiceAccount=====================================================
	kubectl create token dashboard-sa
	kubectl certificate approve akshay
	kubectl certificate deny agent-smith


	===============================================Contexts=====================================================
	kubectl config --kubeconfig=/root/my-kube-config use-context research
	kubectl config --kubeconfig=/root/my-kube-config current-context
	kubectl proxy &
	kubectl port-forward deploy/nginx 8005:80
	kubectl proxy - Opens proxy port to API server
	kubectl port-forward - Opens port to target deployment pods



	===============================================RBAC=====================================================
	/var/rbac
	kubectl describe pod kube-apiserver-controlplane -n kube-system и --authorization-mode - проверить authorization-mode
	kubectl get roles -A --no-headers \| wc -l
	kubectl describe role kube-proxy -n kube-system
	kubectl describe rolebinding kube-proxy -n kube-system - проверить биндинг которые привязаны к роли
	kubectl get pods --as dev-user
	kubectl create role dev-user --verb=list,create,delete --resource=pods --namespace=default
	kubectl create rolebinding dev-user-binding --role=developer --user=dev-user --namespace=default
	kubectl get clusterrole -A --no-headers \| wc -l - кол-во кластерролей
	kubectl get clusterrolebindings -A --no-headers \| wc -l
	kubectl describe clusterrolebinding cluster-admin
	===========================================clusterrole====================================================
	kubectl create clusterrole node-admin --verb=get,watch,list,createm,delete --resource=nodes
	kubectl create clusterrolebinding michelle-binding --user=michelle --clusterrole=node-admin
	kubectl create clusterrolebinding michelle-strage-admin --user-michelle --clusterrole=storage-admin
	kubectl create clusterrolebinding michelle-storage-admin --user=michelle --clusterrole=storage-admin
	===========================================kubelet========================================================
	/var/lib/kubelet/config.yaml - kubelet config

	===============================================SYSTEM HARDENING===========================================
	/var/lib/kubelet/seccomp/profiles/ - seccomp profiles location
	sha512sum kubernetes.tar.gz - проверить контрольные суммы файла
	useradd -d /opt/sam -s /bin/bash -G admin -u 2328 sam
	netstat -an \| grep -w LISTEN
	===============================================UFW========================================================
	ufw allow from 192.168.1.15 to any port 22 proto tcp
	ufw allow from 192.168.1.0/24 to any port 22 proto tcp
	ufw allow 1000:2000/tcp - allow port range 1000-2000
	ufw reset
	ufw allow 22 - allow 22 port
	ufw deny 80
	ufw disable

	==================================================Tracee====================================================================
	kubectl logs -f `kubectl get pods -l=io.kompose.service=tracee -o custom-columns=":metadata.name" --no-headers`
	===============================================AppArmor====================================================
	aa-status
	aa-genprof /root/test.sh
	apparmor_parser -q /etc/apparmor.d/usr.sbin.nginx - загрузить профиль apparmor

	==================================================Admission Controller====================================================================
	Which admission controller is not enabled by default? - NameSpaceAutoprovision
	kube-apiserver -h \| grep enable-admission-plugins
	ps -ef \| grep kube-apiserver \| grep admission-plugins


	#example of admission controller
	cat /etc/kubernetes/manifests/kube-apiserver.yaml
	- --enable-admission-plugins=NodeRestriction,NamespaceAutoProvision
	- --disable-admission-plugins=DefaultStorageClass
	====================================================Runtime Classes=======================================================================
	kubectl get runtimeclasses -A
	kubectl describe runtimeclasses gvisor \| grep Handler
	kubectl describe runtimeclasses kata-containers \| grep Handler
	====================================================kubesec===============================================================================
	wget https://github.com/controlplaneio/kubesec/releases/download/v2.11.0/kubesec_linux_amd64.tar.gz
	kubesec scan pod.yaml
	====================================================trivy=================================================================================
	trivy image nginx:1.18.0
	trivy image python:3.6.12-alpine3.11 --severity=HIGH > /root/python.txt
	trivy image --input alpine.tar --format json --output /root/alpine.json - scan tar archive
	==================================================falco============================================================
	kill -1 $(cat /var/run/falco.pid) - restart falco without restarting falco service