https://github.com/cncf/curriculum/blob/master/CKS_Curriculum%20v1.32.pdf
- Inject service account token in a deployment.
- Create/override a Falco rule (e.g., to monitor pods accessing sensitive files/directories).
- Load an AppArmor profile and apply it in a pod/deployment.
- Load a Seccomp profile and use it in the pod definition.
- Auditing rules (https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/).
- Use `seccompProfile` in `securityContext`.
- SecurityContexts in Pod vs Container.
- Analyze static YAML files with KubeSec.
- TLS Ingress and TLS SSL redirects.
- How to restart kubelet.
- How kubelet is started and how to start it with new parameters.
- Linux: Remove a user from a specific group.
- PSA -> How to ensure a pod respects it (securityContexts). All securityContext requirements for "restricted" need to be known by heart.
- ImagePolicyWebhook.
- Cilium Network Policies (see examples in the official documentation for Layer 3 and 4).
- Startup settings for the Docker daemon.
- Enable a custom Admission Controller for a Kubernetes cluster (e.g., ImagePolicyWebhook).
- Kubelet config is not the same as kubelet ConfigMap → `/var/lib/kubelet/config.yaml` takes precedence over the ConfigMap.
- Cilium mutual authentication.
- Worker/Control plane node upgrade.