CKS: Certified Kubernetes Security Specialist

Certified Kubernetes Security Specialist (CKS) is a performance-based certification exam that tests candidates’ knowledge of Kubernetes and cloud security in a simulated, real-world environment. Obtaining a CKS demonstrates a candidate possesses the requisite abilities to secure container-based applications and Kubernetes platforms during build, deployment, and runtime and is qualified to perform these tasks in a professional setting.

Who is the exam for?

A Certified Kubernetes Security Specialist (CKS) is an accomplished Kubernetes practitioner (must be CKA certified) who has demonstrated competence in a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment, and runtime.

Exam Prerequisites

• Must have taken and passed the Certified Kubernetes Administrator (CKA) exam prior to attempting the CKS exam.
• CKA Certification must be active (non-expired) on the date the CKS exam (including Retakes) is scheduled.

Exam Details

Exam Name Certified Kubernetes Security Specialist (CKS)	Exam Code CKS
Exam Duration 120 mins	Exam Format Performance-based tasks
Certificate Validity 2 years	Number of Questions 15-20 Questions
Eligibility/Pre-Requisite Valid CKA	Exam Fee $375 USD
Exam Language English	Pass Score 67% and above

Exam Registration

Follow these steps to register for the exam –

• Firstly, visit the official website of the Linux Foundation.
• Then, follow the link to the “Training” page.
• Further, search for the CKS exam.
• And finally, select the date, and time, and confirm the payment method.

Exam Delivery

• The exams are delivered online and consist of performance-based tasks (problems) to be solved on the command line running Linux.
• The exam is proctored remotely via streaming audio, video, and screen-sharing feeds.

Resources permitted during the exam

• Exam content instructions in the command line terminal.
• Documents installed by the distribution (i.e. /usr/share and its subdirectories)
• Use the browser within the VM to access:
  • Kubernetes Documentation:
    • https://kubernetes.io/docs/ and their subdomains
    • https://github.com/kubernetes/ and their subdomains
    • https://kubernetes.io/blog/ and their subdomains
  • Tools:
    • Trivy documentation https://aquasecurity.github.io/trivy/
    • Falco documentation https://falco.org/docs/
  • App Armor:
    • Documentation https://gitlab.com/apparmor/apparmor/-/wikis/Documentation

Exam Results

Results will be emailed 24 hours from the time that the exam is completed

For More Details See the Certified Kubernetes Security Specialist (CKS) FAQ

Course Outline

The Certified Kubernetes Security Specialist (CKS) exam covers the following domains:

Cluster Setup 10%

• Use Network security policies to restrict cluster-level access (Kubernetes Documentation – Network Policies )
• Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi) (Kubernetes Documentation – Kube-bench  )
• Properly set up Ingress objects with security control (Kubernetes Documentation – Ingress )
• Protect node metadata and endpoints (Kubernetes Documentation – Protect node metadata and endpoints)
• Minimize use of, and access to, GUI elements (Kubernetes Documentation – GUI elements )
• Verify platform binaries before deploying (Kubernetes Documentation – platform binaries )

Cluster Hardening 15%

• Restrict access to Kubernetes API (Kubernetes Documentation – Kube-apiserver)
• Use Role Based Access Controls to minimize exposure (Kubernetes Documentation –  RBAC Impersonation)
• Exercise caution in using service accounts e.g. disable defaults and minimize permissions on newly created ones (Kubernetes Documentation –  )
• Update Kubernetes frequently (Kubernetes Documentation –  )

System Hardening 15%

• Minimize host OS footprint (reduce attack surface) (Kubernetes Documentation –  )
• Minimize IAM roles (Kubernetes Documentation –  )
• Minimize external access to the network (Kubernetes Documentation –  )
• Appropriately use kernel hardening tools such as AppArmor, seccomp (Kubernetes Documentation –  )

Minimize Microservice Vulnerabilities 20%

• Setup appropriate OS-level security domains e.g. using PSP, OPA, and security contexts (Kubernetes Documentation –  )
• Manage Kubernetes secrets (Kubernetes Documentation –  )
• Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers) (Kubernetes Documentation –  )
• Implement pod-to-pod encryption by use of mTLS (Kubernetes Documentation –  )

Supply Chain Security 20%

• Minimize base image footprint (Kubernetes Documentation –  )
• Secure your supply chain: whitelist allowed registries, sign and validate images (Kubernetes Documentation –  )
• Use static analysis of user workloads (e.g.Kubernetes resources, Docker files) (Kubernetes Documentation –  )
• Scan images for known vulnerabilities (Kubernetes Documentation –  )

Monitoring, Logging, and Runtime Security 20%

• Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities (Kubernetes Documentation –  )
• Detect threats within a physical infrastructure, apps, networks, data, users, and workloads (Kubernetes Documentation –  )
• Detect all phases of attack regardless of where it occurs and how it spreads (Kubernetes Documentation –  )
• Perform deep analytical investigation and identification of bad actors within the environment (Kubernetes Documentation –  )
• Ensure immutability of containers at runtime (Kubernetes Documentation –  )
• Use Audit Logs to monitor access (Kubernetes Documentation –  )

Preparation Guide for Certified Kubernetes Security Specialist (CKS) Exam

This study guide aims to help you gain the experience and knowledge you need to study and pass the Certified Kubernetes Security Specialist (CKS) Exam. In the following section, you will find various study materials and a comprehensive study plan to assist you in preparing for and taking the Certified Kubernetes Security Specialist (CKS) exam.

Review all the objectives 

A candidate who has a complete understanding of the exam objectives can spend less time preparing for the exam because they know what to study and what is important. It is important to note that this is the most crucial step in the preparation guide. Below-mentioned is the objectives of the Certified Kubernetes Administrator exam.

• Cluster Setup10%
• Cluster Hardening 15%
• System Hardening 15%
• Minimize Microservice Vulnerabilities 20%
• Supply Chain Security 20%
• Monitoring, Logging, and Runtime Security 20%

Official Training – Linux Foundation Kubernetes Security Essentials LFS 260

This course provides you with the knowledge and skills needed to maintain security in dynamic, multi-project environments. Security concerns for cloud production environments are addressed in this course, as well as topics related to the security container supply chain, including topics prior to the configuration of a cluster, deployment, ongoing, and agile use, as well as where information about ongoing security and vulnerability is available. Students can build, secure, monitor, and log security events in Kubernetes clusters while completing hands-on lab exercises.

Recommended Books

• Aqua Security Liz Rice: Free Container Security Book
• Learn Kubernetes security: Securely orchestrate, scale, and manage your microservices in Kubernetes deployments
• Let’s Learn CKS Scenarios

Join the Kubernetes Community

Once you enroll in the CKS course, you will get access to the Kubernauts Community of teachers and learners on Slack where we discuss important topics, tips, and tricks to pass the exam. This is a great place for you to clear your doubts and get answers to your questions instantly.

Pratice Practice Practice!

In order to pass the certification, you cannot rely solely on lectures. This is a hands-on exam that focuses on the practical aspects of Kubernetes. The key to success is experience, quick learning, and practice. So, Start Practicing Now!