Certified Kubernetes Security Specialist (CKS)
The CKS certification tests your ability to secure Kubernetes clusters and workloads. It’s hands-on, intense, and assumes you already understand Kubernetes deeply (CKA is a prerequisite).
🧠 Exam Overview
- Format: Hands-on lab with scenarios
- Duration: 2 hours
- Passing score: 67%
- Prerequisite: Active CKA certification
- Open book: Access to kubernetes.io + GitHub repos
📋 Domains & Weights
| Domain | Weight |
|---|---|
| Cluster Setup | 10% |
| System Hardening | 15% |
| Minimize Microservice Vulnerabilities | 20% |
| Supply Chain Security | 20% |
| Monitoring, Logging & Runtime Security | 25% |
| RBAC & Network Policies | 10% |
✅ What You Should Master
1. Cluster Setup (10%)
- TLS certificates & CA bundles
- Encrypt secrets at rest (KMS +
EncryptionConfiguration) - Audit policy config and log location
- API server flags:
--audit-log-path,--enable-admission-plugins
2. System Hardening (15%)
- Restrict host access: block
hostPath,hostNetwork,privileged - Use
securityContext: runAsNonRoot,readOnlyRootFilesystem,allowPrivilegeEscalation: false- Restrict capabilities (
capabilities.drop: ["ALL"]) - Pod Security Admission (PSA) with restricted profile
- Runtime namespace protections (AppArmor / seccomp)
3. Minimize Microservice Vulnerabilities (20%)
- Scan images with Trivy, Grype, or Dockle
- Sign images with cosign and verify before deployment
- Use scratch/minimal base images
- Avoid running as root in Dockerfiles
- Validate liveness/readiness probe security
4. Supply Chain Security (20%)
- Use trusted registries and signed images
- Scan YAML manifests for insecure configurations (e.g.,
kubesec,kube-score) - Admission control:
- Validating/mutating webhooks
- Gatekeeper/OPA policies
- ImagePullPolicy:
Always
5. Monitoring, Logging & Runtime Security (25%)
- Audit policy and log filtering
- Tools:
- Falco (real-time threat detection)
- Sysdig, AuditD, or
ausearch - Monitor execs, privilege escalation, network anomalies
- Understand and tune Falco rules
6. RBAC & Network Policies (10%)
- Create
Role,ClusterRole,RoleBinding,ClusterRoleBinding - Apply
NetworkPolicyto restrict Pod traffic (ingress/egress) - Avoid
*verbs and*resources in RBAC - Restrict access by namespace and API group
⚙️ Practice Tips
- Practice scanning + signing images:
trivy image nginx:latestcosign sign --key cosign.key myrepo/app:1.0- Create test policies for:
- PSA
- RBAC +
kubectl auth can-i - NetworkPolicy deny-by-default rules
- Trigger and detect audit events
- Write Falco rules for suspicious behaviors
🧪 Test Environment Tips
- Use bookmarks:
- Pod Security Standards
- Audit Logging
- Sysdig Falco
- Open multiple terminals: cluster work, docs lookup, test scripts
- Save frequently used YAML snippets
📚 Recommended Resources
- Kubernetes Official Docs
- Killer.sh Simulator (CKS)
- KodeKloud CKS Course
- Linux Foundation CKS Training
- Sysdig Falco + GitHub rules
Summary
CKS is all about applying security best practices under pressure. You’ll configure audit logs, write PodSecurity controls, patch RBAC, restrict networks, and scan or sign container images - all in live clusters.
Hands-on practice is key. Read YAML fast. Think like an attacker.