CNCF discount

The Certified Kubernetes Security Specialist (CKS) program was created by the Cloud Native Computing Foundation (CNCF), in collaboration with The Linux Foundation, to help develop the Kubernetes ecosystem

The Certified Kubernetes Security Specialist (CKS) program provides assurance that a CKS has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime. CKA certification is required to sit for this exam.

CKS Certified Kubernetes Security Specialist is not an easy exam, the exam has tasks instead of questions like other exams.

Questions provide details on what needs to be implemented, candidates are expected to configure it in the provided environment.

Candidates should have hands-on experience with Kubernetes.

This guide will help you prepare for CKA exam.

This is a live document, we will be updating it regularly, consider adding it to your bookmarks.

The A Certified Kubernetes Security Specialist (CKS) certification is designed to provide assurance that certification holders are accomplished Kubernetes practitioners (as evidenced by holding the CKA credential) who have demonstrated competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime.

Certified Kubernetes Security Specialist (CKS) candidates must have taken and passed the Certified Kubernetes Administrator (CKA) exam prior to attempting the CKS exam.

CKS may be purchased but not scheduled until CKA certification has been achieved.

CKA Certification must be active (non-expired) on the date the CKS exam (including Retakes) is scheduled.

CKS is an excellent certification to get if you’re interested in Kubernetes security.

It’s hands-on, so you’ll be learning actual Kubernetes skills rather than merely remembering ideas and instructions as you work toward this certification.

The CKS, on the other hand, has a precondition.

Before you may take the CKS test, you must first achieve your Certified Kubernetes Administrator (CKA).

So, if you already have your CKA and want to learn more about Kubernetes security, check out the CKS!

If you want to learn more about Kubernetes, the CKS is a wonderful certification to get.

We also have a CKA study guide if you need to acquire your CKA first!

CKA exam cost $375 with one free retake.

You can book exam at here

We have labs covering CKS exam

Candidates who register for the Certified Kubernetes Security Specialist (CKS) exams will have access to an exam simulator, provided by Killer.sh.

Login to My Portal at linux foundation website and click Start/Resume to view your exam preparation checklist.

The link to the Simulator is available on the “Schedule Exam” checklist item.

Candidates will have two attempts (per exam registration).

Each attempt grants 36 hours of access starting from the time of activation.

The exam simulations include 20-25 questions similar to the ones candidates can expect to encounter on the real exam.

Please review the FAQ section of the Killer.sh site for further information.

You can also try tasks at Kubernetes.io

Candidates get 2 hrs to complete CKA exam.

CKA certification is valid for 2 years and successfully completing the exam.

candidates will be test on Kubernetes v1.22 and etcd v3.5

Candidates will get 15-20 performance based tasks.
DomainWeight
Cluster Setup10%
Cluster Hardening15%
System Hardening15%
Minimize Microservice Vulnerabilities20%
Supply Chain Security20%
Monitoring, Logging, and Runtime Security20%

Check Free LABS at https://www.sharelearn.net/practice/k8slabs/


CNCF: Kubernetes Security Essentials (LFS260)
This is a $299 course offered by CNCF

You can also consider buying a bundle of this course and exam from CNCF for $575 and save $100
Offer code SHARELEARN15 will bring it down to $454.

EDx: Introduction to Kubernetes
This is free course by EDX, recommended by CNCF

Udemy: Kubernetes CKS 2021 Complete Course - Theory - Practice

Related Kubernetes security resources

White Papers

You need 67% or above must be earned to pass.

Exams are scored automatically, usually within 24 hours of completion.

Results will be emailed within 24 hours from the time that the Exam was completed.

Exams are graded for results.

There may be more than one way to perform a task on an Exam and unless otherwise specified,
the candidate can pick any available path to complete the task as long as it produces the correct result.

During the CKS exam, candidates may:

review the Exam content instructions that are presented in the command line terminal.

review Documents installed by the distribution (i.e. /usr/share and its subdirectories)

use their Chrome or Chromium browser to open one additional tab in order to access

Kubernetes Documentation:

https://kubernetes.io/docs/ and their subdomains

https://github.com/kubernetes/ and their subdomains

https://kubernetes.io/blog/ and their subdomains

This includes all available language translations of these pages (e.g. https://kubernetes.io/zh/docs/)

Tools:

Trivy documentation https://aquasecurity.github.io/trivy/

Sysdig documentation https://docs.sysdig.com/

Falco documentation https://falco.org/docs/

This includes all available language translations of these pages (e.g. https://falco.org/zh/docs/)

App Armor:

Documentation https://gitlab.com/apparmor/apparmor/-/wikis/Documentation

The allowed sites above may contain links that point to external sites.

It is the responsibility of the candidate not to click any links to navigate to a domain that is not allowed

Check Next pages for resources for specific topic in CKS Certified Kubernetes Security Specialist exam

Cluster Setup

Cluster Hardening

System Hardening

Minimize Microservice Vulnerabilities

Supply Chain Security

Monitoring, Logging, and Runtime Security

Use Network security policies to restrict cluster level access

Resources Allowed During exam

3rd Party Resources


Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)

3rd Party Resources


Properly set up Ingress objects with security control

Resources Allowed During exam


Protect node metadata and endpoints

Resources Allowed During exam

3rd Party Resources


Minimize use of, and access to, GUI elements

Resources Allowed During exam

3rd Party Resources


Verify platform binaries before deploying

Resources Allowed During exam


Cluster Hardening (15%)

Restrict access to Kubernetes API

Resources Allowed During exam

3rd Party Resources


Use Role Based Access Controls to minimize exposure

Resources Allowed During exam

3rd Party Resources


Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones

Resources Allowed During exam

3rd Party Resources


Update Cluster frequently

Resources Allowed During exam


System Hardening (15%)

Minimize host OS footprint (reduce attack surface)

Resources Allowed During exam

3rd Party Resources


Minimize IAM roles

3rd Party Resources

Minimize external access to the network

Resources Allowed During exam

3rd Party Resources

Appropriately use kernel hardening tools such as AppArmor, seccomp

Resources Allowed During exam

3rd Party Resources


Minimize Microservice Vulnerabilities (20%)

Setup appropriate OS level security domains e.g. using PSP, OPA, security contexts

Resources Allowed During exam

3rd Party Resources


Manage kubernetes secrets

Resources Allowed During exam

3rd Party Resources


Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers)

Resources Allowed During exam

3rd Party Resources


Implement pod to pod encryption by use of mTLS

Resources Allowed During exam

3rd Party Resources


Supply Chain Security (20%)

Minimize base image footprint

3rd Party Resources


Secure your supply chain: whitelist allowed image registries, sign and validate images

Resources Allowed During exam

3rd Party Resources


Use static analysis of user workloads (e.g. kubernetes resources, docker files)

Resources Allowed During exam

3rd Party Resources


Scan images for known vulnerabilities

3rd Party Resources

Monitoring, Logging and Runtime Security (20%)

Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities

Resources Allowed During exam

3rd Party Resources


Detect threats within physical infrastructure, apps, networks, data, users and workloads

3rd Party Resources


Detect all phases of attack regardless where it occurs and how it spreads

3rd Party Resources


Perform deep analytical investigation and identification of bad actors within environment

3rd Party Resources


Ensure immutability of containers at runtime

Resources Allowed During exam

3rd Party Resources


Use Audit Logs to monitor access

Resources Allowed During exam

3rd Party Resources


CKS Exams is delivered online and Candidates must provide their own computer with current version of Chrome browser.
Make sure you have third party cookies turned on for the duration of the exam.
Reliable internet access
Ensure others on the same internet connection are not performing activities that use excessive bandwidth (i.e. holding conference calls, streaming content, gaming, etc.)
A wired connection is often more stable and robust than a wireless connectionTurn off bandwidth-intensive services (e.g. file sync, dropbox, BitTorrent)
Microphone
Please check to make sure it is working before you start your exam session.
Webcam
Ensure the webcam is capable of being moved as the proctor may ask you to pan your surroundings to check for potential violations of exam policy.
Try holding up your ID while viewing your webcam feed to ensure your placement and resolution are sufficient for the person viewing your feed to read your ID.
If you will be testing from an employer-provide ISP or will use an employer provided machine, please ensure that streaming will be allowed using WebRTC.
Candidates are not allowed to have other applications or browser windows running except the one on which the Exam is being shown.
Candidates should run the compatibility check tool to verify that their hardware meets the minimum requirements.
Sixteen clusters comprise the exam environment, one for each task. Each cluster is made up of one master node and one worker node.

Each task on this exam must be completed on a designated cluster/configuration context.

Sixteen clusters comprise the exam environment, one for each task. Each cluster is made up of one master node and one worker node.

An infobox at the start of each task provides you with the cluster name/context and the hostname of the master and worker node.

You can switch the cluster/configuration context using a command such as the following:

kubectl config use-context <cluster/context name>

Nodes making up each cluster can be reached via ssh, using a command such as the following:

ssh

You have elevated privileges on any node by default, so there is no need to assume elevated privileges.

You must return to the base node (hostname cli) after completing each task.

Nested−ssh is not supported.

You can use kubectl and the appropriate context to work on any cluster from the base node. When connected to a cluster member via ssh, you will only be able to work on that particular cluster via kubectl.

For your convenience, all environments, in other words, the base system and the cluster nodes, have the following additional command-line tools pre-installed and pre-configured:

kubectl with kalias and Bash autocompletion

yq and jqfor YAML/JSON processing

tmux for terminal multiplexing

curl and wget for testing web services

man and man pages for further documentation

Further instructions for connecting to cluster nodes will be provided in the appropriate tasks

The CKS environment is currently running etcd v3.5

The CKS environment is currently running Kubernetes v1.22

The CKS exam environment will be aligned with the most recent K8s minor version within approximately 4 to 8 weeks of the K8s release date.

Clutter-free work area
No objects such as paper, writing implements, electronic devices, or other objects on top of surface
No objects such as paper, trash bins, or other objects below the testing surface

Clear walls
No paper/print outs hanging on walls
Paintings and other wall décor is acceptable
Candidates will be asked to remove non-décor items prior to the exam being released

Lighting
Space must be well lit so that proctor is able to see candidate’s face, hands, and surrounding work area
No bright lights or windows behind the examinee

Other
Candidate must remain within the camera frame during the examinationSpace must be private where there is no excessive noise.
Public spaces such as coffee shops, stores, open office environments, etc. are not allowed.
Please see the Candidate Handbook for additional information covering policies, procedures and rules during the exam

Candidates are required to provide a non-expired Primary ID that contains Candidate’s photograph, signature and full name (see acceptable forms of ID in the table below)
The name on your Primary ID must exactly match the verified name on your exam checklist.
If the Candidate’s full name on their Primary ID contains non-latin characters, then the Candidate must ALSO provide a non-expired Secondary ID containing their full name in Latin Characters and signature, OR a notarized English translation of their Primary ID along with the non-latin character Primary ID

Primary ID
(non-expired and including photograph and signature):
Passport
Government-issued driver’s license/permit
Government-Issued local language ID (with photo and signature)
National Identity card
State or province-issued identity card
住民基本台帳 (Basic resident register with Photo) or マイナンバーカード(My number card)

Secondary ID
(non-expired and including signature with Candidate name in Latin characters)
Debit (ATM) Card
Credit Card
Health Insurance Card
U.S. Social Security Card
Employee ID Card
Student ID Card
Japanese Health Insurance Card

Additional Allowances:
Some government issued ID such as a passport, driver’s license, military ID or state/country card may be a biometric type and may or may not contain a signature. In these cases Primary ID will be accepted without a signature on condition that you also present a Secondary ID which does contain your signature (e.g. bank, credit or debit card)
For candidates testing in Japan, a Driver’s License (with name and recent recognizable photo) is acceptable as a primary ID as long as it is accompanied with a Japanese health insurance card (健康保険証). In Japan, the Japanese health insurance card (健康保険証) is an acceptable form of secondary ID

The certification exam is proctored remotely via streaming audio, video, and screen sharing feeds.

The screen sharing feed allows proctors to view candidates’ desktops (including all monitors).

The audio, video, and screen sharing feeds will be stored for a limited period of time in the event that there is a subsequent need for review.

How do I renew CKS Certified Kubernetes Security Specialist certification? Candidates have the option to retake and pass the exam to renew their certification. Certification Renewal must be completed prior to the certification expiration date. The CKA renewed certification will be valid for a further 3 years effective from the date the exam is passed.

CNCF understand that taking the exams via remote desktop and a new platform environment may cause a lag time for some, however there are trade offs needed to offer this exam remotely.

CNCF will continually monitor and seek to improve the testing experience over time.

When eligible, CNCF do offer free retakes for those who do not pass the first time, regardless of why.

This is a live document, we will be updating it regularly, consider adding it to your bookmarks.

join us on upcoming Kubernetes or CKA workshop, training and or bootcamp