TryHackMe — Cluster Hardening — Writeup

Mohamed Ali
2 min read · Jul 25, 2024


Learn initial security considerations when creating a Kubernetes cluster.

Task 1 Introduction

Calling all Kubernetes users and aspiring DevSecOps engineers! You’re familiar with Kubernetes, the concepts, the architecture, the landscape, but you want to know how to build your K8s cluster securely, like a true DevSecOps engineer? Well, you’ve come to the right place. This room takes you through security considerations when starting to develop your Kubernetes cluster, with detailed explanations, examples and, in the last task, a hands-on practical VM simulating a ‘day in the life’ of a DevSecOps engineer.

Task 2 Kubernetes Cluster Hardening

Q: What lives at the highest level of Kubernetes architecture and is comprised of all lower-level components?

A: Kubernetes cluster

Q: What mindset is always beneficial in the world of cyber?

A: Security-First

Task 3 Security Benchmarks

Q: What standards are used to check a cluster’s level of security?

A: security benchmarks

Q: What CIS security benchmark ensures anonymous traffic is disallowed?

A: 4.2.1

Q: What open-source tool can perform automated security assessments on a Kubernetes cluster?

A: Kube-bench

Task 4 Securing Kubelet

Q: On which port does the kubelet serve the kubelet API and allow full access?

A: 10250

Q: What value has to be set to “false” to ensure unauthorised traffic is locked down?

A: authentication:anonymous:enabled

Q: One method of kubelet request authentication is “X509 Client Certificate Authentication”; what is the other?

A: API Bearer Token
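The Task 3 and Task 4 answers describe the kubelet settings a hardened cluster needs: anonymous requests rejected (CIS 4.2.1), a real authentication method (x509 client certificates or bearer tokens checked via the webhook authenticator), and an authorization mode other than AlwaysAllow. The following audit script is an added example, not part of the writeup or of kube-bench; the two KubeletConfiguration objects are constructed samples in the shape of the YAML the kubelet reads from its config file, and the check treats any setting that is not explicitly hardened as a finding.

```python
"""Added example: audit a KubeletConfiguration for the Task 3 / Task 4 settings.
The two sample configs are constructed for illustration and are not from the
writeup or from any real cluster."""

# Constructed "before" config: anonymous auth on, no client CA, no webhook,
# and every authenticated-or-not request authorized.
WEAK_CONFIG = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "port": 10250,  # the kubelet API port named in Task 4
    "authentication": {
        "anonymous": {"enabled": True},
        "webhook": {"enabled": False},
        "x509": {},
    },
    "authorization": {"mode": "AlwaysAllow"},
}

# Constructed "after" config: anonymous auth off, x509 client certs and
# bearer-token (webhook) auth enabled, authorization delegated to the API server.
HARDENED_CONFIG = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "port": 10250,
    "authentication": {
        "anonymous": {"enabled": False},
        "webhook": {"enabled": True},
        "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"},  # placeholder path
    },
    "authorization": {"mode": "Webhook"},
}


def audit_kubelet_auth(config: dict) -> list:
    """Return a list of findings; an empty list means the kubelet's
    authentication and authorization settings match what Task 4 describes."""
    findings = []
    auth = config.get("authentication", {})
    authz = config.get("authorization", {})

    # CIS 4.2.1: anonymous requests to the kubelet API must be rejected.
    # Anything other than an explicit `false` is reported, so a missing key
    # is flagged as well rather than relying on a default.
    if auth.get("anonymous", {}).get("enabled") is not False:
        findings.append("authentication.anonymous.enabled is not false (CIS 4.2.1)")

    # At least one real authentication method must be configured:
    # x509 client certificates (clientCAFile) or API bearer tokens (webhook).
    has_x509 = bool(auth.get("x509", {}).get("clientCAFile"))
    has_webhook = bool(auth.get("webhook", {}).get("enabled", False))
    if not (has_x509 or has_webhook):
        findings.append("no x509 clientCAFile and webhook (bearer token) auth disabled")

    # Authenticating callers achieves little if every request is then authorized.
    if authz.get("mode") == "AlwaysAllow":
        findings.append("authorization.mode is AlwaysAllow")

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_kubelet_auth(cfg) or "OK")
```

On a real node the same check would be run against the parsed contents of the file passed to the kubelet's `--config` flag; the sample dicts stand in for that file so the script runs offline.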

Task 5 Securing API Traffic

Q: Which component acts as both a ‘Server’ and a ‘Client’?

A: Kube-apiserver

Q: Which CIS security benchmarks would TLS encryption implement?

A: 1.2.24–27

Task 6 Admission Controllers

Q: Which type of admission controller can modify the object related to the request they admit?

A: Mutating

Q: Which built-in admission controller helps avoid a problem where the Kubernetes API gets flooded with requests to store new events?

A: EventRateLimit

Q: What can be used if your organisation wants to enforce custom security standards or bespoke pod deployment checks specific to its organisation?

A: Admission Controller Webhooks

Q: What are the names of the two built-in admission controllers that call upon a defined admission controller webhook? Format: Answer1, Answer2

A: ValidatingAdmissionWebhook, MutatingAdmissionWebhook

Task 7 Securing Network Traffic

Q: What Kubernetes resource is used to restrict pod-to-pod communication?

A: NetworkPolicy

Q: If we had an app running with the label “database”, what field would we put this label in if we wanted to restrict traffic to this app?

A: spec:PodSelector:matchLabels:app

Task 8 Practical

Q: What is the Encoded Policy?

A: U3BlYzoKICBQb2RTZWxlY3RvcjogICAgIGFwcD1iYWNrZW5kLXNlcnZpY2UyCiAgQWxsb3dpbmcgaW5ncmVzcyB0cmFmZmljOgogICAgVG8gUG9ydDogODg4OC9UQ1AKICAgIEZyb206CiAgICAgIFBvZFNlbGVjdG9yOiBhcHA9YmFja2VuZC1zZXJ2aWNlMQogIE5vdCBhZmZlY3RpbmcgZWdyZXNzIHRyYWZmaWMKICBQb2xpY3kgVHlwZXM6IEluZ3Jlc3M=
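The Task 8 answer is a base64 string that decodes to a `kubectl describe networkpolicy`-style summary of the policy, and Task 7 asks which field (`spec.podSelector.matchLabels.app`) selects the pods a NetworkPolicy protects. The script below is an added example, not part of the writeup or of the TryHackMe room: it decodes the page's string, rebuilds the summary as a `networking.k8s.io/v1` NetworkPolicy manifest, and evaluates whether a given source pod may reach the selected pod on a given port. The evaluator assumes a single policy, same-namespace peers and `matchLabels`-only selectors; the policy name and namespace are placeholders.

```python
"""Added example: decode the Task 8 policy, rebuild it as a NetworkPolicy
manifest and evaluate ingress against it. ENCODED_POLICY is the writeup's
own answer string; everything else here is illustrative."""
import base64
import json

ENCODED_POLICY = (
    "U3BlYzoKICBQb2RTZWxlY3RvcjogICAgIGFwcD1iYWNrZW5kLXNlcnZpY2UyCiAgQWxsb3dpbmcg"
    "aW5ncmVzcyB0cmFmZmljOgogICAgVG8gUG9ydDogODg4OC9UQ1AKICAgIEZyb206CiAgICAgIFBv"
    "ZFNlbGVjdG9yOiBhcHA9YmFja2VuZC1zZXJ2aWNlMQogIE5vdCBhZmZlY3RpbmcgZWdyZXNzIHRy"
    "YWZmaWMKICBQb2xpY3kgVHlwZXM6IEluZ3Jlc3M="
)


def decode_policy(encoded: str) -> str:
    """Base64-decode the answer into the describe-style text."""
    return base64.b64decode(encoded).decode()


def parse_described_policy(text: str, name: str = "decoded-policy",
                           namespace: str = "default") -> dict:
    """Turn the describe-style summary into a NetworkPolicy manifest dict.
    Indentation decides whether a PodSelector is the policy's target
    (top level) or an ingress peer (nested under "From:")."""
    target, ports, peers, policy_types = {}, [], [], []
    from_indent = None  # indent of the "From:" line while inside its block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip())
        if from_indent is not None and indent <= from_indent:
            from_indent = None  # left the From: block
        if line == "From:":
            from_indent = indent
        elif line.startswith("To Port:"):
            port, _, proto = line.split(":", 1)[1].strip().partition("/")
            ports.append({"port": int(port), "protocol": proto or "TCP"})
        elif line.startswith("PodSelector:"):
            key, _, value = line.split(":", 1)[1].strip().partition("=")
            selector = {"matchLabels": {key: value}}  # Task 7's field path
            if from_indent is not None:
                peers.append({"podSelector": selector})
            else:
                target = selector
        elif line.startswith("Policy Types:"):
            policy_types = [t.strip() for t in line.split(":", 1)[1].split(",")]
    spec = {"podSelector": target, "policyTypes": policy_types}
    if "Ingress" in policy_types:
        spec["ingress"] = [{"from": peers, "ports": ports}]
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}


def ingress_allowed(manifest: dict, source_labels: dict, port: int,
                    protocol: str = "TCP") -> bool:
    """Decide whether a pod with source_labels may reach the selected pods on
    port/protocol under this single policy (matchLabels peers only)."""
    spec = manifest["spec"]
    if "Ingress" not in spec.get("policyTypes", []):
        return True  # policy does not govern ingress at all
    for rule in spec.get("ingress", []):
        peer_ok = not rule.get("from") or any(
            all(source_labels.get(k) == v
                for k, v in peer["podSelector"]["matchLabels"].items())
            for peer in rule["from"] if "podSelector" in peer)
        port_ok = not rule.get("ports") or any(
            p["port"] == port and p.get("protocol", "TCP") == protocol
            for p in rule["ports"])
        if peer_ok and port_ok:
            return True
    return False  # selected pods are isolated; nothing matched


if __name__ == "__main__":
    manifest = parse_described_policy(decode_policy(ENCODED_POLICY))
    print(json.dumps(manifest, indent=2))
    print("backend-service1 -> 8888/TCP:",
          ingress_allowed(manifest, {"app": "backend-service1"}, 8888))
    print("frontend -> 8888/TCP:",
          ingress_allowed(manifest, {"app": "frontend"}, 8888))
```

Running the script shows the point of the Task 8 policy: only pods labelled `app=backend-service1` reach `app=backend-service2` on 8888/TCP, every other source (or port) is dropped, and egress from backend-service2 is untouched because `policyTypes` lists only `Ingress`.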
