The Certified Kubernetes Security Specialist (CKS) program was created by the Cloud Native Computing Foundation (CNCF), in collaboration with The Linux Foundation, to help develop the Kubernetes ecosystem
The Certified Kubernetes Security Specialist (CKS) program provides assurance that a CKS has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime. CKA certification is required to sit for this exam.
CKS Certified Kubernetes Security Specialist is not an easy exam, the exam has tasks instead of questions like other exams.
Questions provide details on what needs to be implemented, candidates are expected to configure it in the provided environment.
Candidates should have hands-on experience with Kubernetes.
This guide will help you prepare for CKA exam.
This is a live document, we will be updating it regularly, consider adding it to your bookmarks.
The A Certified Kubernetes Security Specialist (CKS) certification is designed to provide assurance that certification holders are accomplished Kubernetes practitioners (as evidenced by holding the CKA credential) who have demonstrated competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime.
Certified Kubernetes Security Specialist (CKS) candidates must have taken and passed the Certified Kubernetes Administrator (CKA) exam prior to attempting the CKS exam.
CKS may be purchased but not scheduled until CKA certification has been achieved.
CKA Certification must be active (non-expired) on the date the CKS exam (including Retakes) is scheduled.
CKS is an excellent certification to get if you’re interested in Kubernetes security.
It’s hands-on, so you’ll be learning actual Kubernetes skills rather than merely remembering ideas and instructions as you work toward this certification.
The CKS, on the other hand, has a precondition.
Before you may take the CKS test, you must first achieve your Certified Kubernetes Administrator (CKA).
So, if you already have your CKA and want to learn more about Kubernetes security, check out the CKS!
If you want to learn more about Kubernetes, the CKS is a wonderful certification to get.
We also have a CKA study guide if you need to acquire your CKA first!
CKA exam cost $375 with one free retake.
You can book exam at here
We have labs covering CKS exam
Candidates who register for the Certified Kubernetes Security Specialist (CKS) exams will have access to an exam simulator, provided by Killer.sh.
Login to My Portal at linux foundation website and click Start/Resume to view your exam preparation checklist.
The link to the Simulator is available on the “Schedule Exam” checklist item.
Candidates will have two attempts (per exam registration).
Each attempt grants 36 hours of access starting from the time of activation.
The exam simulations include 20-25 questions similar to the ones candidates can expect to encounter on the real exam.
Please review the FAQ section of the Killer.sh site for further information.
You can also try tasks at Kubernetes.io
|Minimize Microservice Vulnerabilities||20%|
|Supply Chain Security||20%|
|Monitoring, Logging, and Runtime Security||20%|
CNCF: Kubernetes Security Essentials (LFS260)
This is a $299 course offered by CNCF
You can also consider buying a bundle of this course and exam from CNCF for $575 and save $100
Offer code SHARELEARN15 will bring it down to $454.
EDx: Introduction to Kubernetes
This is free course by EDX, recommended by CNCF
Udemy: Kubernetes CKS 2021 Complete Course - Theory - Practice
You need 67% or above must be earned to pass.
Exams are scored automatically, usually within 24 hours of completion.
Results will be emailed within 24 hours from the time that the Exam was completed.
Exams are graded for results.
There may be more than one way to perform a task on an Exam and unless otherwise specified,
the candidate can pick any available path to complete the task as long as it produces the correct result.
During the CKS exam, candidates may:
review the Exam content instructions that are presented in the command line terminal.
review Documents installed by the distribution (i.e. /usr/share and its subdirectories)
use their Chrome or Chromium browser to open one additional tab in order to access
https://kubernetes.io/docs/ and their subdomains
https://github.com/kubernetes/ and their subdomains
https://kubernetes.io/blog/ and their subdomains
This includes all available language translations of these pages (e.g. https://kubernetes.io/zh/docs/ )
Trivy documentation https://aquasecurity.github.io/trivy/
Sysdig documentation https://docs.sysdig.com/
Falco documentation https://falco.org/docs/
This includes all available language translations of these pages (e.g. https://falco.org/zh/docs/ )
The allowed sites above may contain links that point to external sites.
It is the responsibility of the candidate not to click any links to navigate to a domain that is not allowed
Check Next pages for resources for specific topic in CKS Certified Kubernetes Security Specialist exam
Minimize Microservice Vulnerabilities
Supply Chain Security
Monitoring, Logging, and Runtime Security
Kubernetes 1.19, but it gives great understanding.
Each task on this exam must be completed on a designated cluster/configuration context.
Sixteen clusters comprise the exam environment, one for each task. Each cluster is made up of one master node and one worker node.
An infobox at the start of each task provides you with the cluster name/context and the hostname of the master and worker node.
You can switch the cluster/configuration context using a command such as the following:
kubectl config use-context <cluster/context name>
Nodes making up each cluster can be reached via ssh, using a command such as the following:
You have elevated privileges on any node by default, so there is no need to assume elevated privileges.
You must return to the base node (hostname cli) after completing each task.
Nested−ssh is not supported.
You can use kubectl and the appropriate context to work on any cluster from the base node. When connected to a cluster member via ssh, you will only be able to work on that particular cluster via kubectl.
For your convenience, all environments, in other words, the base system and the cluster nodes, have the following additional command-line tools pre-installed and pre-configured:
kubectl with kalias and Bash autocompletion
yq and jqfor YAML/JSON processing
tmux for terminal multiplexing
curl and wget for testing web services
man and man pages for further documentation
Further instructions for connecting to cluster nodes will be provided in the appropriate tasks
The CKS environment is currently running etcd v3.5
The CKS environment is currently running Kubernetes v1.22
The CKS exam environment will be aligned with the most recent K8s minor version within approximately 4 to 8 weeks of the K8s release date.
Clutter-free work area
No objects such as paper, writing implements, electronic devices, or other objects on top of surface
No objects such as paper, trash bins, or other objects below the testing surface
No paper/print outs hanging on walls
Paintings and other wall décor is acceptable
Candidates will be asked to remove non-décor items prior to the exam being released
Space must be well lit so that proctor is able to see candidate’s face, hands, and surrounding work area
No bright lights or windows behind the examinee
Candidate must remain within the camera frame during the examinationSpace must be private where there is no excessive noise.
Public spaces such as coffee shops, stores, open office environments, etc. are not allowed.
Please see the Candidate Handbook for additional information covering policies, procedures and rules during the exam
Candidates are required to provide a non-expired Primary ID that contains Candidate’s photograph, signature and full name (see acceptable forms of ID in the table below)
The name on your Primary ID must exactly match the verified name on your exam checklist.
If the Candidate’s full name on their Primary ID contains non-latin characters, then the Candidate must ALSO provide a non-expired Secondary ID containing their full name in Latin Characters and signature, OR a notarized English translation of their Primary ID along with the non-latin character Primary ID
(non-expired and including photograph and signature):
Government-issued driver’s license/permit
Government-Issued local language ID (with photo and signature)
National Identity card
State or province-issued identity card
住民基本台帳 (Basic resident register with Photo) or マイナンバーカード(My number card)
(non-expired and including signature with Candidate name in Latin characters)
Debit (ATM) Card
Health Insurance Card
U.S. Social Security Card
Employee ID Card
Student ID Card
Japanese Health Insurance Card
Some government issued ID such as a passport, driver’s license, military ID or state/country card may be a biometric type and may or may not contain a signature. In these cases Primary ID will be accepted without a signature on condition that you also present a Secondary ID which does contain your signature (e.g. bank, credit or debit card)
For candidates testing in Japan, a Driver’s License (with name and recent recognizable photo) is acceptable as a primary ID as long as it is accompanied with a Japanese health insurance card (健康保険証). In Japan, the Japanese health insurance card (健康保険証) is an acceptable form of secondary ID
The certification exam is proctored remotely via streaming audio, video, and screen sharing feeds.
The screen sharing feed allows proctors to view candidates’ desktops (including all monitors).
The audio, video, and screen sharing feeds will be stored for a limited period of time in the event that there is a subsequent need for review.
How do I renew CKS Certified Kubernetes Security Specialist certification? Candidates have the option to retake and pass the exam to renew their certification. Certification Renewal must be completed prior to the certification expiration date. The CKA renewed certification will be valid for a further 3 years effective from the date the exam is passed.
CNCF understand that taking the exams via remote desktop and a new platform environment may cause a lag time for some, however there are trade offs needed to offer this exam remotely.
CNCF will continually monitor and seek to improve the testing experience over time.
When eligible, CNCF do offer free retakes for those who do not pass the first time, regardless of why.
This is a live document, we will be updating it regularly, consider adding it to your bookmarks.
join us on upcoming Kubernetes or CKA workshop, training and or bootcamp