System Hardening
Domain Overview
System Hardening accounts for 15% of the CKS exam. This domain focuses on minimizing the attack surface of the host operating system and enforcing strict security boundaries between containers and the underlying kernel. While it carries less weight than Supply Chain Security or Microservice Vulnerabilities, the topics here are deeply practical and frequently appear as sub-tasks within larger exam questions.
What This Domain Covers
System Hardening is about reducing what containers and nodes can do. The core principle is least privilege -- every process should have only the permissions it absolutely needs, and nothing more.
| Topic | Key Concept | Exam Relevance |
|---|---|---|
| AppArmor | Mandatory Access Control via profiles | Applying profiles to pods, loading profiles on nodes |
| Seccomp | System call filtering | Creating and applying seccomp profiles |
| Linux Capabilities | Fine-grained root privilege decomposition | Dropping capabilities, SecurityContext |
| Host Namespaces | Isolation boundaries between pod and host | Restricting hostNetwork, hostPID, privileged |
| Pod Security Standards | Cluster-wide security baselines | PSA labels, enforce/audit/warn modes |
| Kernel Hardening | OS-level attack surface reduction | sysctl, disabling services, minimal packages |
Key Tools and Concepts
Exam Tools You Must Know
- AppArmor:
aa-status,apparmor_parser, profile syntax, pod annotations - Seccomp: JSON profile format,
securityContext.seccompProfile,RuntimeDefault - Capabilities:
securityContext.capabilities.dropand.add - Pod Security Admission: Namespace labels
pod-security.kubernetes.io/*
What to Expect on the Exam
System Hardening questions on the CKS exam are typically performance-based tasks that require you to:
- Apply an AppArmor profile to a pod running on a specific node
- Create or apply a seccomp profile that restricts specific syscalls
- Configure SecurityContext to drop capabilities and enforce non-root execution
- Label namespaces with Pod Security Standards to enforce baseline or restricted policies
- Identify and fix pods running with excessive privileges
Exam Strategy
These topics often appear as parts of larger questions rather than standalone tasks. For example, you might be asked to create a pod that uses a specific AppArmor profile AND drops all capabilities AND runs as non-root. Practice combining multiple hardening techniques in a single pod spec.
Prerequisites
Before diving into this domain, ensure you are comfortable with:
- Linux security fundamentals (users, groups, file permissions)
- Kubernetes pod specification and SecurityContext
- YAML editing under time pressure
- Basic understanding of Linux namespaces and cgroups
Section Navigation
| Section | Topic |
|---|---|
| AppArmor | Mandatory Access Control profiles for containers |
| Seccomp | System call filtering and custom profiles |
| Linux Capabilities | Fine-grained privilege management |
| Host Namespaces & Privileges | Restricting host-level access |
| Pod Security Standards | Cluster-wide security policies via admission |
| Kernel Hardening | OS and kernel attack surface reduction |
| Practice Questions | 20 hands-on practice questions |
| Solutions | Detailed solutions with verification steps |
Study Approach
Work through each section in order. The concepts build on each other -- understanding Linux capabilities makes AppArmor and seccomp profiles easier to reason about, and all three feed into Pod Security Standards.