# CKS Tools Quick Reference

A rapid-lookup reference for every tool you may encounter in the CKS exam. Each section lists the most commonly needed commands and configuration patterns.
## trivy -- Container Image Vulnerability Scanner

### When to Use

Scanning container images for vulnerabilities, checking severity levels, and identifying images that need to be updated.

### Common Commands

```bash
# Scan an image (all severities)
trivy image <IMAGE>

# Scan with severity filter
trivy image --severity CRITICAL <IMAGE>
trivy image --severity CRITICAL,HIGH <IMAGE>
trivy image --severity CRITICAL,HIGH,MEDIUM <IMAGE>

# Save output to file
trivy image --severity CRITICAL <IMAGE> > /tmp/scan-results.txt

# Scan and output as JSON
trivy image --format json <IMAGE> > /tmp/scan.json

# Scan and output as table (default)
trivy image --format table <IMAGE>

# Scan a tar archive
trivy image --input /path/to/image.tar

# Scan filesystem
trivy fs /path/to/project

# Scan Kubernetes config files
trivy config /path/to/manifests/
```

### Quick Reference Table

| Task | Command |
|---|---|
| Scan image | trivy image nginx:1.19 |
| Critical only | trivy image --severity CRITICAL nginx:1.19 |
| Critical + High | trivy image --severity CRITICAL,HIGH nginx:1.19 |
| Output to file | trivy image nginx:1.19 > /tmp/output.txt |
| JSON output | trivy image --format json nginx:1.19 |
| Skip unfixed | trivy image --ignore-unfixed nginx:1.19 |
| Scan config | trivy config /path/to/yaml/ |
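The JSON output is the form you want when a scan has to feed a decision rather than a human. The script below is an added example (not trivy's own code) that reads a report in the shape `trivy image --format json` produces (`Results[].Target` and `Results[].Vulnerabilities[]`), counts findings per severity, and lists only those at or above a chosen severity that have a `FixedVersion`, which is what the `--severity` and `--ignore-unfixed` flags filter on together. The embedded report is a constructed sample; its CVE ids and package versions are placeholders, not real identifiers.

```python
"""Summarise a trivy JSON report: counts per severity and the fixable findings.

Added example, not trivy's own code.  SAMPLE_REPORT is a constructed report
in the shape of `trivy image --format json` output; the CVE ids and versions
are placeholders.  For real use: trivy image --format json <IMAGE> > scan.json
and pass the file contents to the functions below.
"""
import json
from collections import Counter

# trivy's severity ladder, most severe first.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]

# Constructed sample report (placeholder CVE ids and versions).
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example/app:1.0",
    "Results": [
        {
            "Target": "registry.example/app:1.0 (debian 12.0)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libssl3",
                 "InstalledVersion": "3.0.1", "FixedVersion": "3.0.2", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-00002", "PkgName": "zlib1g",
                 "InstalledVersion": "1.2.13", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-00003", "PkgName": "bash",
                 "InstalledVersion": "5.2", "FixedVersion": "5.2-1", "Severity": "MEDIUM"},
            ],
        },
        # A target with no findings carries no "Vulnerabilities" key at all.
        {"Target": "Node.js"},
    ],
})


def iter_vulns(report):
    """Yield (target, vulnerability) for every finding in a parsed report."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield result["Target"], vuln


def severity_counts(report_json):
    """Return {severity: count}, the same totals trivy prints in its table header."""
    report = json.loads(report_json)
    return Counter(v["Severity"] for _, v in iter_vulns(report))


def fixable(report_json, min_severity="HIGH"):
    """Findings at or above min_severity that have a FixedVersion, most severe first.

    Equivalent to filtering with --severity plus --ignore-unfixed: these are the
    findings an image rebuild or base-image bump can actually remove.
    """
    report = json.loads(report_json)
    cutoff = SEVERITY_ORDER.index(min_severity)
    rows = [
        (v["Severity"], v["VulnerabilityID"], v["PkgName"],
         v["InstalledVersion"], v["FixedVersion"])
        for _, v in iter_vulns(report)
        if v.get("FixedVersion") and SEVERITY_ORDER.index(v["Severity"]) <= cutoff
    ]
    return sorted(rows, key=lambda r: SEVERITY_ORDER.index(r[0]))


if __name__ == "__main__":
    print(dict(severity_counts(SAMPLE_REPORT)))
    for row in fixable(SAMPLE_REPORT):
        print("%-8s %-14s %s %s -> %s" % row)
```

Unfixed findings are kept in the severity totals (they still describe the image's exposure) but excluded from the remediation list, which is the distinction the exam's "choose the safer image" tasks turn on.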
## Falco -- Runtime Security and Threat Detection

### When to Use

Detecting anomalous runtime behavior such as shell spawning in containers, unexpected file modifications, or suspicious network connections.

### Service Management

```bash
# Check Falco status
sudo systemctl status falco

# Start Falco
sudo systemctl start falco

# Stop Falco
sudo systemctl stop falco

# Restart Falco (after rule changes)
sudo systemctl restart falco

# Enable Falco at boot
sudo systemctl enable falco

# View Falco logs
sudo journalctl -u falco --no-pager
sudo journalctl -u falco --no-pager --since "1 hour ago"
sudo journalctl -u falco -f   # follow live

# Check Falco log file
sudo cat /var/log/falco/falco.log
sudo tail -f /var/log/falco/falco.log
```

### Configuration Files

| File | Purpose |
|---|---|
| /etc/falco/falco.yaml | Main Falco configuration |
| /etc/falco/falco_rules.yaml | Default rules |
| /etc/falco/falco_rules.local.yaml | Local rule overrides |
| /etc/falco/rules.d/ | Directory for custom rule files |

### Custom Rule Structure

```yaml
- rule: <Rule Name>
  desc: <Description>
  condition: >
    spawned_process and
    container and
    proc.name in (sh, bash)
  output: >
    Shell spawned (container=%container.name user=%user.name
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline
    container_id=%container.id image=%container.image.repository)
  priority: WARNING
  tags: [container, shell]
```

### Common Falco Condition Fields

| Field | Description | Example |
|---|---|---|
| container | Event is inside a container | container |
| spawned_process | A new process was created | spawned_process |
| open_write | File opened for writing | open_write |
| open_read | File opened for reading | open_read |
| outbound | Outbound network connection | outbound |
| inbound | Inbound network connection | inbound |
| proc.name | Process name | proc.name = bash |
| proc.pname | Parent process name | proc.pname = nginx |
| proc.cmdline | Full command line | proc.cmdline contains curl |
| fd.name | File descriptor name (file path) | fd.name startswith /etc/ |
| fd.sip | Server IP (destination) | fd.sip = 10.0.0.1 |
| fd.sport | Server port (destination) | fd.sport = 443 |
| user.name | User name | user.name = root |
| container.name | Container name | container.name = nginx |
| container.id | Container ID | container.id |
| container.image.repository | Image repository | container.image.repository |
| evt.time | Event timestamp | evt.time |
| k8s.pod.name | Kubernetes pod name | k8s.pod.name |
| k8s.ns.name | Kubernetes namespace | k8s.ns.name |

### Falco Priority Levels

| Priority | Use Case |
|---|---|
| EMERGENCY | System is unusable |
| ALERT | Immediate action required |
| CRITICAL | Critical conditions |
| ERROR | Error conditions |
| WARNING | Warning conditions |
| NOTICE | Normal but significant |
| INFORMATIONAL | Informational messages |
| DEBUG | Debug messages |
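Investigating alerts is easier when Falco writes JSON (`json_output: true` in /etc/falco/falco.yaml), because every alert then carries its `rule`, `priority` and the `output_fields` used in the rule's output string. The script below is an added example, not part of Falco: it parses alert lines of that shape, keeps those at or above a chosen priority in the order of the table above, and groups rule names by namespace/pod so the alerts for one workload are read together. The three alert lines are a constructed sample; container names, pod names and timestamps are made up.

```python
"""Triage Falco alerts from its JSON log output.

Added example, not part of Falco.  With `json_output: true` Falco emits one
JSON object per alert; SAMPLE_LOG is a constructed sample in that shape
(pod names, container names and timestamps are made up).  For real use:
sudo journalctl -u falco --no-pager -o cat > /tmp/falco.json
"""
import json
from collections import defaultdict

# Falco's priority ladder, most severe first, as spelled in JSON output.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# Constructed sample: three alerts as Falco would emit them with json_output.
SAMPLE_LOG = """\
{"output":"16:01:02.1 Notice Sensitive mount in container (container=web-1 mount=/etc)","priority":"Notice","rule":"Launch Sensitive Mount Container","time":"2024-01-01T16:01:02.100000000Z","output_fields":{"container.name":"web-1","k8s.pod.name":"web-1-abc","k8s.ns.name":"prod"}}
{"output":"16:02:03.2 Warning Shell spawned (container=web-1 user=root shell=bash)","priority":"Warning","rule":"Terminal shell in container","time":"2024-01-01T16:02:03.200000000Z","output_fields":{"container.name":"web-1","proc.name":"bash","user.name":"root","k8s.pod.name":"web-1-abc","k8s.ns.name":"prod"}}
{"output":"16:02:04.3 Error File below /etc opened for writing (file=/etc/passwd)","priority":"Error","rule":"Write below etc","time":"2024-01-01T16:02:04.300000000Z","output_fields":{"container.name":"api-7","fd.name":"/etc/passwd","k8s.pod.name":"api-7-xyz","k8s.ns.name":"prod"}}
"""


def parse_alerts(log_text):
    """Parse one JSON alert per line; skip blank lines and Falco's startup banner."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        alerts.append(json.loads(line))
    return alerts


def at_least(alerts, min_priority):
    """Alerts whose priority is min_priority or more severe, most severe first."""
    cutoff = PRIORITIES.index(min_priority)
    selected = [a for a in alerts if PRIORITIES.index(a["priority"]) <= cutoff]
    return sorted(selected, key=lambda a: PRIORITIES.index(a["priority"]))


def by_pod(alerts):
    """Group rule names by namespace/pod so each workload's alerts are read together."""
    groups = defaultdict(list)
    for a in alerts:
        fields = a.get("output_fields", {})
        key = "%s/%s" % (fields.get("k8s.ns.name", "?"), fields.get("k8s.pod.name", "?"))
        groups[key].append(a["rule"])
    return dict(groups)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOG)
    for a in at_least(alerts, "Warning"):
        print(a["priority"], "|", a["rule"], "|", a["output_fields"].get("k8s.pod.name"))
    print(by_pod(alerts))
```

Filtering on `priority` rather than grepping the free-text `output` line keeps the triage stable when a rule's output format is changed in falco_rules.local.yaml.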
## kube-bench -- CIS Benchmark Scanner

### When to Use

Evaluating cluster configuration against CIS Kubernetes Benchmark standards, identifying security misconfigurations on control plane and worker nodes.

### Common Commands

```bash
# Run all checks on master node
kube-bench run --targets=master

# Run all checks on worker node
kube-bench run --targets=node

# Run all checks on etcd
kube-bench run --targets=etcd

# Run specific check
kube-bench run --targets=master --check=1.2.6

# Run and output as JSON
kube-bench run --targets=master --json

# Run with specific benchmark version
kube-bench run --targets=master --benchmark cis-1.8

# Run all targets
kube-bench run
```

### Quick Reference Table

| Target | Description | Example |
|---|---|---|
| master | Control plane checks | kube-bench run --targets=master |
| node | Worker node checks | kube-bench run --targets=node |
| etcd | etcd checks | kube-bench run --targets=etcd |
| controlplane | Alternative for master | kube-bench run --targets=controlplane |
| policies | Policy checks | kube-bench run --targets=policies |

### Understanding Output

```text
[PASS] 1.2.1 Ensure that the --anonymous-auth argument is set to false
[FAIL] 1.2.2 Ensure that the --token-auth-file parameter is not set
[WARN] 1.2.3 Ensure that the --DenyServiceExternalIPs is not set
```

- PASS: Configuration meets the benchmark
- FAIL: Configuration does NOT meet the benchmark (fix required)
- WARN: Advisory finding (review recommended)
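A full kube-bench run prints hundreds of result lines, and the useful output is the short list of FAIL ids to fix and then re-run individually with `--check=<id>`. The script below is an added example, not part of kube-bench: it parses lines in the `[STATUS] <id> <title>` format shown above, counts them per status, and returns the failing check ids in numeric order. The sample output is constructed from the three lines above plus a placeholder check id `1.2.99` and a section header, so the parser can be run offline.

```python
"""Summarise kube-bench text output into counts and a list of failing check ids.

Added example, not part of kube-bench.  SAMPLE_OUTPUT is constructed: the
first three result lines are the ones quoted above, 1.2.99 is a placeholder
id.  For real use: kube-bench run --targets=master > /tmp/kb.txt
"""
import re

# Constructed sample in kube-bench's result-line format.
SAMPLE_OUTPUT = """\
[INFO] 1 Control Plane Security Configuration
[INFO] 1.2 API Server
[PASS] 1.2.1 Ensure that the --anonymous-auth argument is set to false
[FAIL] 1.2.2 Ensure that the --token-auth-file parameter is not set
[WARN] 1.2.3 Ensure that the --DenyServiceExternalIPs is not set
[FAIL] 1.2.99 Placeholder check (constructed for this example)
"""

# [STATUS] <dotted id> <title>; INFO lines are section headers, not checks.
RESULT_RE = re.compile(r"^\[(PASS|FAIL|WARN|INFO)\]\s+(\d+(?:\.\d+)*)\s+(.*)$")


def parse_results(text):
    """Return (status, check_id, title) for every result line in the output."""
    rows = []
    for line in text.splitlines():
        match = RESULT_RE.match(line.strip())
        if match:
            rows.append(match.groups())
    return rows


def summarize(text):
    """Counts per status, ignoring INFO section headers."""
    counts = {"PASS": 0, "FAIL": 0, "WARN": 0}
    for status, _, _ in parse_results(text):
        if status in counts:
            counts[status] += 1
    return counts


def failing_checks(text):
    """Check ids that need a fix, sorted numerically (1.2.10 after 1.2.9)."""
    ids = [cid for status, cid, _ in parse_results(text) if status == "FAIL"]
    return sorted(ids, key=lambda s: [int(part) for part in s.split(".")])


if __name__ == "__main__":
    print(summarize(SAMPLE_OUTPUT))
    for cid in failing_checks(SAMPLE_OUTPUT):
        # Each id can be re-run on its own after the fix is applied.
        print("kube-bench run --targets=master --check=%s" % cid)
```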
## kubesec -- Kubernetes Resource Security Scanner

### When to Use

Static analysis of Kubernetes resource manifests to identify security risks and get improvement recommendations.

### Common Commands

```bash
# Scan a manifest file
kubesec scan pod.yaml

# Scan from stdin
cat pod.yaml | kubesec scan -

# Scan and output JSON (JSON is kubesec's default output format)
kubesec scan pod.yaml

# Scan via HTTP API
curl -sSX POST --data-binary @pod.yaml https://v2.kubesec.io/scan
```

### Understanding Output

```json
[
  {
    "object": "Pod/myapp",
    "valid": true,
    "score": 3,
    "scoring": {
      "passed": [...],   // Security controls present
      "advise": [...]    // Recommended improvements
    }
  }
]
```

- Score > 0: Basic security controls are present
- Score 0: Minimal security
- Negative score: Actively dangerous configurations detected

### Scoring Items

| Control | Points | Description |
|---|---|---|
| readOnlyRootFilesystem | +1 | Root filesystem is read-only |
| runAsNonRoot | +1 | Container runs as non-root |
| runAsUser > 10000 | +1 | High UID user |
| capabilities.drop ALL | +1 | All capabilities dropped |
| resources.limits.cpu | +1 | CPU limits set |
| resources.limits.memory | +1 | Memory limits set |
| ServiceAccountName != default | +3 | Not using default SA |
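To see how the score is built up from the table, the script below is an added example that re-implements only the seven items listed above against a Pod manifest loaded as a Python dict. It is a simplified checker, not kubesec itself (kubesec has more rules and some negative-weight items not shown here), and the weak and hardened manifests are constructed samples. Running it shows which single field moves the score, which is the question the `advise` list answers in real kubesec output.

```python
"""Apply the kubesec scoring items in the table above to a Pod manifest.

Added example: a simplified re-implementation of the seven listed items, not
kubesec itself.  WEAK_POD is a constructed manifest with no hardening;
hardened() returns a copy that satisfies every item.
"""
import copy

# Constructed sample: a pod with no hardening at all (expected score 0).
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "myapp"},
    "spec": {"containers": [{"name": "app", "image": "registry.example/app:1.0"}]},
}


def score_pod(pod):
    """Return (score, passed, advise) using only the items in the table above."""
    spec = pod.get("spec", {})
    containers = spec.get("containers", [])
    pod_sc = spec.get("securityContext", {})
    passed, advise = [], []

    def every(pred):
        # Per-container items only count when every container satisfies them.
        return bool(containers) and all(pred(c) for c in containers)

    def csc(c):
        return c.get("securityContext", {})

    def limits(c):
        return c.get("resources", {}).get("limits", {})

    items = [
        ("readOnlyRootFilesystem", 1,
         every(lambda c: csc(c).get("readOnlyRootFilesystem") is True)),
        # runAsNonRoot / runAsUser may be set at pod level and overridden per container.
        ("runAsNonRoot", 1,
         every(lambda c: csc(c).get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is True)),
        ("runAsUser > 10000", 1,
         every(lambda c: (csc(c).get("runAsUser", pod_sc.get("runAsUser")) or 0) > 10000)),
        ("capabilities.drop ALL", 1,
         every(lambda c: "ALL" in csc(c).get("capabilities", {}).get("drop", []))),
        ("resources.limits.cpu", 1, every(lambda c: "cpu" in limits(c))),
        ("resources.limits.memory", 1, every(lambda c: "memory" in limits(c))),
        ("ServiceAccountName != default", 3,
         spec.get("serviceAccountName", "default") != "default"),
    ]

    score = 0
    for name, points, ok in items:
        if ok:
            score += points
            passed.append(name)
        else:
            advise.append(name)
    return score, passed, advise


def hardened(pod):
    """Return a copy of the pod with every item in the table satisfied."""
    p = copy.deepcopy(pod)
    p["spec"]["serviceAccountName"] = "myapp-sa"
    for c in p["spec"]["containers"]:
        c["securityContext"] = {
            "readOnlyRootFilesystem": True,
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "capabilities": {"drop": ["ALL"]},
        }
        c["resources"] = {"limits": {"cpu": "500m", "memory": "256Mi"}}
    return p


if __name__ == "__main__":
    print(score_pod(WEAK_POD))
    print(score_pod(hardened(WEAK_POD)))
```

The dedicated service account is worth as much as three of the container-level items together, which is why it is usually the first change to make when a task asks for the biggest score improvement.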
## crictl -- Container Runtime Interface CLI

### When to Use

Debugging containers at the runtime level on nodes, checking container status when kubectl is not available or when the API server is down.

### Common Commands

```bash
# List running containers
crictl ps

# List all containers (including stopped)
crictl ps -a

# List pods
crictl pods

# Get container logs
crictl logs <CONTAINER-ID>
crictl logs --tail=50 <CONTAINER-ID>

# Inspect a container
crictl inspect <CONTAINER-ID>

# Inspect a pod
crictl inspectp <POD-ID>

# Execute in a container
crictl exec -it <CONTAINER-ID> sh

# Pull an image
crictl pull <IMAGE>

# List images
crictl images

# Remove a container
crictl rm <CONTAINER-ID>

# Remove a pod
crictl rmp <POD-ID>

# Stop a container
crictl stop <CONTAINER-ID>
```

### Quick Reference Table

| Task | Command |
|---|---|
| List running containers | crictl ps |
| List all containers | crictl ps -a |
| Container logs | crictl logs <ID> |
| Find API server | crictl ps \| grep apiserver |
| Watch container restarts | watch crictl ps |
| Container details | crictl inspect <ID> |
## etcdctl -- etcd Client

### When to Use

Verifying encryption at rest, backing up etcd, and directly inspecting stored data.

### Common Commands

```bash
# Set API version (always required)
export ETCDCTL_API=3

# Common TLS flags (set these as variables)
export ETCD_ARGS="--endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/server.crt \
  --key=/etc/kubernetes/pki/etcd/server.key"

# Check etcd health
etcdctl $ETCD_ARGS endpoint health

# Check etcd status
etcdctl $ETCD_ARGS endpoint status --write-out=table

# List members
etcdctl $ETCD_ARGS member list --write-out=table

# Get a secret from etcd (verify encryption)
etcdctl $ETCD_ARGS get /registry/secrets/<NAMESPACE>/<SECRET-NAME>

# Get a secret and hex dump (check encryption)
etcdctl $ETCD_ARGS get /registry/secrets/<NAMESPACE>/<SECRET-NAME> | hexdump -C

# Snapshot backup
etcdctl $ETCD_ARGS snapshot save /tmp/etcd-backup.db

# Snapshot restore
etcdctl snapshot restore /tmp/etcd-backup.db \
  --data-dir=/var/lib/etcd-restore
```

### TLS Flags Quick Copy

```bash
ETCDCTL_API=3 etcdctl \
  --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/server.crt \
  --key=/etc/kubernetes/pki/etcd/server.key \
  <COMMAND>
```

### Encryption Verification

When checking encryption at rest, look at the prefix of the value in the etcd output:

- Encrypted: the value starts with `k8s:enc:aescbc:v1:<key-name>` followed by ciphertext that looks like garbled data
- NOT encrypted: the plaintext secret value is readable in the output
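The prefix check can be done programmatically on the raw bytes that `etcdctl ... get <key> --print-value-only` returns, which avoids eyeballing a hexdump. The script below is an added example, not part of etcdctl or Kubernetes: it recognises the `k8s:enc:<provider>:v1:<key-name>:` header written by the encryption providers (aescbc, aesgcm, secretbox, kms) and the `k8s\x00` protobuf magic that unencrypted Kubernetes objects start with, and it checks whether a known secret value is visible in the stored bytes. Both sample values are constructed; the ciphertext bytes are arbitrary, not real etcd output.

```python
"""Classify a value read from etcd as encrypted at rest or plaintext.

Added example, not part of etcdctl or Kubernetes.  Feed it the bytes of
`etcdctl $ETCD_ARGS get /registry/secrets/<NS>/<NAME> --print-value-only`.
Unencrypted objects are stored as protobuf behind a `k8s\\x00` magic prefix;
encrypted ones carry `k8s:enc:<provider>:v1:<key-name>:` before the ciphertext.
SAMPLE_ENCRYPTED and SAMPLE_PLAINTEXT are constructed, not real etcd output.
"""

ENC_PREFIX = b"k8s:enc:"
PROTOBUF_MAGIC = b"k8s\x00"
KNOWN_PROVIDERS = {"aescbc", "aesgcm", "secretbox", "kms"}

# Constructed samples; the bytes after the header are arbitrary filler.
SAMPLE_ENCRYPTED = b"k8s:enc:aescbc:v1:key1:" + bytes(range(32)) + b"\x8f\x13\xa0"
SAMPLE_PLAINTEXT = PROTOBUF_MAGIC + b"\x00\x00\x00\x0a\x04" + b"\x12\x0bmy-password" + b"\x1a\x03foo"


def classify(value):
    """Describe how the stored value is encoded.

    Returns {"encrypted": True, "provider", "version", "key"} for provider
    output, {"encrypted": False, "reason": ...} for plaintext, or
    {"encrypted": None, "reason": "unrecognised"} when neither prefix matches.
    """
    if value.startswith(ENC_PREFIX):
        # k8s:enc:<provider>:<version>:<key-name>:<ciphertext>
        provider, version, key, _ = value[len(ENC_PREFIX):].split(b":", 3)
        return {
            "encrypted": True,
            "provider": provider.decode(),
            "version": version.decode(),
            "key": key.decode(),
            "known_provider": provider.decode() in KNOWN_PROVIDERS,
        }
    if value.startswith(PROTOBUF_MAGIC):
        return {"encrypted": False, "reason": "protobuf plaintext (identity provider or no EncryptionConfiguration)"}
    if value.lstrip().startswith(b"{"):
        return {"encrypted": False, "reason": "JSON plaintext"}
    return {"encrypted": None, "reason": "unrecognised"}


def secret_visible(value, secret_bytes):
    """True if a known secret value can be read straight out of the stored bytes.

    This is the practical test behind 'NOT encrypted: you can see the
    plaintext secret value': Secret data is stored as raw bytes, not base64.
    """
    return secret_bytes in value


if __name__ == "__main__":
    for label, sample in (("encrypted", SAMPLE_ENCRYPTED), ("plaintext", SAMPLE_PLAINTEXT)):
        print(label, classify(sample), "visible:", secret_visible(sample, b"my-password"))
```

The `identity` provider writes plaintext, so an EncryptionConfiguration that lists `identity` first produces exactly the protobuf case above; after changing the provider order, existing Secrets stay in their old form until they are rewritten (for example with `kubectl get secrets -A -o json | kubectl replace -f -`).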
## openssl -- Certificate Management

### When to Use

Inspecting TLS certificates, checking expiration dates, verifying SANs, and understanding the PKI chain.

### Common Commands

```bash
# View certificate details
openssl x509 -in <CERT-FILE> -noout -text

# Check certificate expiration date
openssl x509 -in <CERT-FILE> -noout -enddate

# Check certificate start date
openssl x509 -in <CERT-FILE> -noout -startdate

# Check Subject Alternative Names (SANs)
openssl x509 -in <CERT-FILE> -noout -text | grep -A1 "Subject Alternative Name"

# Check certificate subject
openssl x509 -in <CERT-FILE> -noout -subject

# Check certificate issuer
openssl x509 -in <CERT-FILE> -noout -issuer

# Verify certificate against CA
openssl verify -CAfile <CA-CERT> <CERT-FILE>

# Check certificate serial number
openssl x509 -in <CERT-FILE> -noout -serial

# Generate a private key
openssl genrsa -out key.pem 2048

# Generate a CSR
openssl req -new -key key.pem -out csr.pem -subj "/CN=<COMMON-NAME>/O=<ORG>"

# Self-sign a certificate
openssl x509 -req -in csr.pem -signkey key.pem -out cert.pem -days 365
```

### Kubernetes PKI File Locations

| Certificate | Path |
|---|---|
| CA cert | /etc/kubernetes/pki/ca.crt |
| CA key | /etc/kubernetes/pki/ca.key |
| API server cert | /etc/kubernetes/pki/apiserver.crt |
| API server key | /etc/kubernetes/pki/apiserver.key |
| API server kubelet client cert | /etc/kubernetes/pki/apiserver-kubelet-client.crt |
| API server etcd client cert | /etc/kubernetes/pki/apiserver-etcd-client.crt |
| etcd CA cert | /etc/kubernetes/pki/etcd/ca.crt |
| etcd server cert | /etc/kubernetes/pki/etcd/server.crt |
| etcd server key | /etc/kubernetes/pki/etcd/server.key |
| etcd peer cert | /etc/kubernetes/pki/etcd/peer.crt |
| Front proxy CA | /etc/kubernetes/pki/front-proxy-ca.crt |
| SA public key | /etc/kubernetes/pki/sa.pub |
| SA private key | /etc/kubernetes/pki/sa.key |
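The two openssl outputs that matter most in practice are the `notAfter=` line from `-enddate` and the SAN line that `grep -A1 "Subject Alternative Name"` prints. The script below is an added example, not part of openssl: it parses both formats, computes whole days until expiry against a supplied clock, and answers whether a given hostname or IP is covered by the certificate's SANs, including a single-label wildcard match. Both inputs are constructed samples in the exact text layout openssl produces; in practice pipe the real output in.

```python
"""Parse openssl x509 output: days to expiry and Subject Alternative Names.

Added example, not part of openssl.  SAMPLE_ENDDATE and SAMPLE_TEXT are
constructed samples in the text format of
`openssl x509 -noout -enddate` and `openssl x509 -noout -text`.
"""
from datetime import datetime, timezone

# Constructed sample outputs.
SAMPLE_ENDDATE = "notAfter=Mar 10 12:00:00 2026 GMT"
SAMPLE_TEXT = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:*.example.internal, IP Address:10.96.0.1, IP Address:192.0.2.10
"""


def parse_enddate(line):
    """Turn 'notAfter=Mar 10 12:00:00 2026 GMT' into an aware UTC datetime."""
    _, _, stamp = line.strip().partition("=")
    stamp = stamp.replace(" GMT", "")  # openssl prints this field in GMT
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def days_until_expiry(line, now=None):
    """Whole days until the certificate expires (negative once it has expired).

    `now` may be a datetime or an ISO-8601 string such as '2026-03-01T00:00:00+00:00';
    it defaults to the current UTC time.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    return (parse_enddate(line) - now).days


def parse_sans(text):
    """Extract DNS and IP SANs from `openssl x509 -text` output."""
    lines = text.splitlines()
    sans = {"DNS": [], "IP": []}
    for i, line in enumerate(lines):
        if "Subject Alternative Name" in line and i + 1 < len(lines):
            # The names are on the following line, comma-separated, as TYPE:value.
            for entry in lines[i + 1].split(","):
                kind, _, value = entry.strip().partition(":")
                if kind == "DNS":
                    sans["DNS"].append(value)
                elif kind == "IP Address":
                    sans["IP"].append(value)
    return sans


def covers(sans, name):
    """True if the SANs match name exactly, or via a single-label wildcard (*.parent)."""
    if name in sans["IP"] or name in sans["DNS"]:
        return True
    labels = name.split(".")
    return len(labels) > 1 and "*." + ".".join(labels[1:]) in sans["DNS"]


if __name__ == "__main__":
    print("days left:", days_until_expiry(SAMPLE_ENDDATE))
    sans = parse_sans(SAMPLE_TEXT)
    print(sans)
    for host in ("kubernetes.default.svc", "api.example.internal", "10.96.0.1", "other.internal"):
        print(host, covers(sans, host))
```

Wildcard SANs match exactly one label, so `*.example.internal` covers `api.example.internal` but not `a.b.example.internal`; a kube-apiserver certificate that lacks the cluster-IP and `kubernetes.default.svc` entries fails in-cluster TLS verification even when the external name is present.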
## AppArmor Commands

### When to Use

Creating, loading, and verifying AppArmor profiles that restrict container filesystem and network access.

### Common Commands

```bash
# Check AppArmor status and loaded profiles
sudo aa-status

# Load/reload a profile
sudo apparmor_parser -r /etc/apparmor.d/<PROFILE-NAME>

# Load a profile (first time)
sudo apparmor_parser /etc/apparmor.d/<PROFILE-NAME>

# Remove a profile
sudo apparmor_parser -R /etc/apparmor.d/<PROFILE-NAME>

# Set profile to complain mode (audit only)
sudo aa-complain /etc/apparmor.d/<PROFILE-NAME>

# Set profile to enforce mode
sudo aa-enforce /etc/apparmor.d/<PROFILE-NAME>

# Check if a specific profile is loaded
sudo aa-status | grep <PROFILE-NAME>

# List all profiles
sudo cat /sys/kernel/security/apparmor/profiles
```

### Profile Location

| Location | Purpose |
|---|---|
| /etc/apparmor.d/ | Profile definitions |
| /sys/kernel/security/apparmor/profiles | Loaded profiles list |
## Seccomp Reference

### When to Use

Restricting system calls available to containers, applying custom seccomp profiles.

### File Locations

| Path | Purpose |
|---|---|
| /var/lib/kubelet/seccomp/ | Default seccomp profile root directory |
| /var/lib/kubelet/seccomp/profiles/ | Custom profile directory |

### Profile Types in Pod Spec

| Type | Description | Example |
|---|---|---|
| RuntimeDefault | Container runtime default profile | Most common for CKS |
| Localhost | Custom profile from node filesystem | localhostProfile: profiles/custom.json |
| Unconfined | No seccomp filtering | Avoid in production |

### Seccomp Actions

| Action | Description |
|---|---|
| SCMP_ACT_ALLOW | Allow the syscall |
| SCMP_ACT_ERRNO | Deny the syscall (return error) |
| SCMP_ACT_LOG | Allow but log the syscall |
| SCMP_ACT_KILL | Kill the process |
| SCMP_ACT_KILL_PROCESS | Kill the process (newer) |
| SCMP_ACT_TRAP | Send SIGSYS signal |
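A `Localhost` profile is a JSON file under /var/lib/kubelet/seccomp/ in the OCI seccomp layout: a `defaultAction`, the `architectures` it applies to, and `syscalls` entries that each pair a list of `names` with one of the actions in the table above. The script below is an added example, not part of Kubernetes or any container runtime: it builds such a profile, validates that every action is one of the six listed and that no syscall is given two conflicting actions, and resolves which action a given syscall would receive. The syscall list is a constructed illustration of the format, not a recommended allow list for real workloads.

```python
"""Build a Localhost seccomp profile and resolve the action applied to a syscall.

Added example, not part of Kubernetes or the container runtime.  PROFILE
follows the OCI seccomp JSON layout (defaultAction, architectures,
syscalls[].names/action) that `localhostProfile:` points at beneath
/var/lib/kubelet/seccomp/.  The syscall list is constructed for illustration.
"""
import json

# Constructed profile: deny everything by default, allow a few calls, log one.
PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {"names": ["read", "write", "exit", "exit_group", "futex", "nanosleep"],
         "action": "SCMP_ACT_ALLOW"},
        {"names": ["mkdir"], "action": "SCMP_ACT_LOG"},
    ],
}

# The actions from the table above.
VALID_ACTIONS = {"SCMP_ACT_ALLOW", "SCMP_ACT_ERRNO", "SCMP_ACT_LOG",
                 "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS", "SCMP_ACT_TRAP"}


def validate(profile):
    """Return a list of problems; an empty list means the profile is structurally sound."""
    problems = []
    if profile.get("defaultAction") not in VALID_ACTIONS:
        problems.append("defaultAction missing or unknown")
    seen = {}
    for i, rule in enumerate(profile.get("syscalls", [])):
        action = rule.get("action")
        if action not in VALID_ACTIONS:
            problems.append("syscalls[%d]: unknown action %r" % (i, action))
        for name in rule.get("names", []):
            # The same syscall with two different actions is ambiguous; flag it.
            if name in seen and seen[name] != action:
                problems.append("syscall %s listed with conflicting actions" % name)
            seen.setdefault(name, action)
    return problems


def action_for(profile, syscall):
    """Action applied to one syscall: the rule that lists it, else defaultAction."""
    for rule in profile.get("syscalls", []):
        if syscall in rule.get("names", []):
            return rule["action"]
    return profile["defaultAction"]


def to_json(profile):
    """Serialise in the form the kubelet loads from the localhostProfile path."""
    return json.dumps(profile, indent=2)


if __name__ == "__main__":
    print(validate(PROFILE))
    for call in ("read", "mkdir", "ptrace"):
        print("%-7s -> %s" % (call, action_for(PROFILE, call)))
    # e.g. write the file to /var/lib/kubelet/seccomp/profiles/custom.json on the node
    print(to_json(PROFILE))
```

Switching `defaultAction` to `SCMP_ACT_LOG` turns the same file into an audit profile: nothing is blocked, but every syscall not explicitly allowed is logged, which is the usual way to discover what a workload needs before tightening to `SCMP_ACT_ERRNO`.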
## Summary Table -- All Tools

| Tool | Purpose | Typical CKS Task |
|---|---|---|
| trivy | Image vulnerability scanning | Scan images, find CRITICAL vulns, choose safer images |
| falco | Runtime threat detection | Write custom rules, investigate alerts, find compromised pods |
| kube-bench | CIS benchmark compliance | Run scans, fix FAIL findings on control plane and nodes |
| kubesec | Manifest static analysis | Score pod specs, improve security posture |
| crictl | Container runtime debugging | Check container status, view logs when API is down |
| etcdctl | etcd operations | Verify encryption at rest, backup/restore |
| openssl | Certificate management | Inspect certs, check expiry, verify SANs |
| apparmor_parser | AppArmor profile management | Load/reload profiles on nodes |
| aa-status | AppArmor status check | Verify profiles are loaded and enforcing |
| kubeadm | Cluster lifecycle | Certificate renewal, cluster upgrades |