CKS - Certified Kubernetes Security Specialist
The Certified Kubernetes Security Specialist (CKS) exam certifies that candidates have the skills, knowledge, and competency to perform a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment, and runtime.
Exam Overview
| Detail | Information |
|---|---|
| Exam Format | Performance-based (hands-on) |
| Number of Questions | 15-20 |
| Duration | 2 hours |
| Passing Score | 67% |
| Certification Validity | 2 years |
| Cost | $395 USD |
| Retake Policy | 1 free retake |
| Kubernetes Version | 1.30 |
| Prerequisite | Must hold valid CKA certification |
Exam Domains & Weights
| Domain | Weight |
|---|---|
| Cluster Setup | 10% |
| Cluster Hardening | 15% |
| System Hardening | 15% |
| Minimize Microservice Vulnerabilities | 20% |
| Supply Chain Security | 20% |
| Monitoring, Logging and Runtime Security | 20% |
Prerequisites
- Valid CKA certification (required)
- Strong Kubernetes administration skills
- Understanding of Linux security concepts
- Familiarity with container security
Study Resources
Official Resources
Recommended Courses
Practice Resources
- Killercoda CKS Scenarios ⭐ Highly Recommended
- killer.sh CKS Simulator - Included with exam registration
Quick Navigation
- 01 - Cluster Setup
- 02 - Cluster Hardening
- 03 - System Hardening
- 04 - Minimize Microservice Vulnerabilities
- 05 - Supply Chain Security
- 06 - Monitoring, Logging and Runtime Security
- Sample Practice Questions
Exam Environment
The CKS exam provides:
- Access to multiple Kubernetes clusters
- `kubectl` with auto-completion enabled
- Access to Kubernetes documentation (kubernetes.io)
- A Linux terminal environment
- Root access via `sudo`
- Security tools pre-installed
Allowed Resources During Exam
Exam Tips
- Master security contexts - runAsUser, runAsNonRoot, capabilities
- Know Network Policies - Default deny, allow specific traffic
- Understand RBAC deeply - Least privilege principle
- Practice with security tools - Trivy, Falco, AppArmor, seccomp
- Know Pod Security Standards - privileged, baseline, restricted
- Practice image scanning - Trivy for vulnerability detection
- Understand audit logging - Configure and analyze audit logs
- Practice on Killercoda - Free hands-on scenarios
Security Tools Overview
| Tool | Purpose |
|---|---|
| Trivy | Container image vulnerability scanning |
| Falco | Runtime security monitoring |
| AppArmor | Linux security module for access control |
| seccomp | System call filtering |
| OPA/Gatekeeper | Policy enforcement |
| kube-bench | CIS Kubernetes benchmark |
Useful Commands
```bash
# Set alias
alias k=kubectl

# Enable auto-completion (and wire it to the alias)
source <(kubectl completion bash)
complete -o default -F __start_kubectl k

# Pretty-print the API server audit log
jq . /var/log/kubernetes/audit/audit.log

# Scan image with Trivy
trivy image nginx:1.21

# List seccomp profiles available to the kubelet
ls /var/lib/kubelet/seccomp/

# View loaded AppArmor profiles
aa-status

# Enforce the "restricted" Pod Security Standard on a namespace
kubectl label namespace default pod-security.kubernetes.io/enforce=restricted

# RBAC verification: list a service account's permissions, then check one verb for a user
kubectl auth can-i --list --as system:serviceaccount:default:mysa
kubectl auth can-i create pods --as jane

# Network Policy testing: check whether test-pod can reach target-service on port 80
kubectl exec -it test-pod -- nc -zv target-service 80
```
Registration
Note: You must hold a valid CKA certification before taking the CKS exam.