CKS Exam Study Guide: Resources to Pass Certified Kubernetes Security Specialist

In this Certified Kubernetes Security Specialist (CKS) Exam study guide, I have listed all the resources you can use to pass the CKS certification exam.

Table of Contents show

What Is the Certified Kubernetes Security Specialist Exam?

CKS is one of the best Kubernetes Certifications that is focused on the security aspects of Kubernetes.

The official CNCF certification page says,

The Certified Kubernetes Security Specialist (CKS) program provides assurance that a CKS has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment, and runtime.

The CKS exam curriculum is well structured, with topics related to Kubernetes security. In fact, you can use the curriculum as a checklist for your existing Kubernetes implementations.

Register For CKS Exam [Save 25% Today]

Your first step towards CKS Certification is registering for the exam on the Linux Foundation portal. When you register you get free access to two sessions of killer.sh CKS practice exams that will help you clear the CKAD exam.

Note: Save 25% today on CKA | CKAD | CKS certification using the Voucher code given below. This offer expires soon.

CKS Exam Voucher: Use coupon DCUBE20 at checkout

Certified Kubernetes Security Specialist (CKS) Exam Preparation Guide

We will look at the detailed CKS resources list and links to the official documentation you could use during the CKS exam.

CKS Exam Prerequisites

The only prerequisite is that you should have a valid CKA certification to sit for the CKS Exam.

If you have not passed the CKA exam, refer to our CKA exam guide for all useful resources.

Even if you don’t have the CKA certification, you can purchase the CKS exam as a bundle (CKA + CKS). You can save up to $206 using the bundle with an additional 21% discount. However, you need to first pass the CKS and then you can appear for the CKS exam.

CKS Exam Details

Following is the important information about CKS Exam.

Exam Duration2 hrs
Pass Percentage67%
Kubernetes Version v1.29
CKS Validity2 Years
CKS Certification Exam Cost$395

As CKS is an open-book exam, you can use the following Kubernetes and third-party tools documentation that is part of the CKS exam.

Kubernetes Documentation

  1. https://kubernetes.io/docs/home/
  2. https://github.com/kubernetes/
  3. https://kubernetes.io/blog/

Allowed Third-Party Tools & Documentation for CKS exam

Important Note: The following domains are allowed in the exam. However, you are not allowed to visit any other domains that are mentioned in the documents.

  1. https://github.com/aquasecurity/trivy
  2. https://docs.sysdig.com/
  3. https://falco.org/docs/
  4. https://gitlab.com/apparmor/apparmor/-/wikis/Documentation

Please refer to the official Kubernetes exam FAQ section for more details

CKS Exam Syllabus

CKS Exam aims to test your skills in different security aspects. The following table shows the different domains and their weightage for the CKS certification.

TopicWeightage
Cluster Setup10%
Cluster Hardening15%
System Hardening15%
Minimize Microservice Vulnerabilities20%
Supply Chain Security20%
Monitoring, Logging, and Runtime Security20%

Setting up CKS Practice Labs

It would be best to have a practice cluster to learn and try out all the concepts involved in CKS certification. I have the following suggestion for CKS practice labs.

  1. Killercoda CKS Playground
  2. Minikube
  3. Kubernetes Setup using Kubeadm [Recomended Lan setup for CKS]
  4. Kubernetes Vagrant Setup using Kubeadm
  5. GKE Cluster using free Google Cloud Credits
  6. EKS Service on AWS using a Free tier program
  7. AKS service on Azure using free cloud credits
  8. Kubernetes Cluster on Digital Ocean[ Get $100 Digital Ocean Free Credits]

Note: To get notification on the above-mentioned setup and other CKS tutorial articles, Signup to the CKS newsletter

Certified Kubernetes Security Specialist Certification Courses

If you want to sign up for a course for your CKS preparation, the following are the courses you will ever need.

There is free course available on youtube by the creater of Killercoda. This course is enough for passing the CKS exam. You can parallely practice the scenarios on Killercoda.

If you are looking for course with multiple practicla labs, we recomend CKS Course from KodeKloud by Mumshad With Practice Labs

    Both authors have done a great job creating the course content with good practice labs.

    Also, along with the certification registration, you will get access to two free CKS mock exams from killer.sh

    CKS Syllabus Wise Resources

    Let’s have a look at the official syllabus-wise resources for the CKS exam. All the topics mentioned are as per the official Linux Foundation Certified Kubernetes Security Specialist Exam Syllabus.

    Cluster Setup [10%]

    Under cluster setup, the focus is more on the security aspects of the cluster components. This section carries 10% weightage in the CKS questions.

    Ensure you have a very good understanding of Kubernetes architecture and components workflow before you start the hands-on learning.

    Kubernetes Network Policies

    By default, when you set up a Kubernetes cluster, pods in all the namespaces can talk to each other.

    This is not a secure setup because you might be running a different type of workload in a cluster that requires isolation in terms of networking.

    Kubernetes network policies help you to enable rules for pod network communication.

    Use Network security policies to restrict cluster-level accessKubernetes Network Security Policy Documentation
    Associated TaskDeclaring Kubernetes Network Policy
    Network Policy Editoreditor.cilium.io

    Kubernetes CIS benchmark

    Center for Internet Security (CIS) with the Kubernetes community has created the benchmarks for Kubernetes security standards.

    Organizations can use the Kubernetes CIS benchmarks to achieve security and compliance requirements.

    If you want to know more about CIS, please read CIS FAQs

    See Kubernetes CIS benchmark to download the latest CIS benchmarks for kubernetes.

    Kube-bench is an open-source utility maintained by Aquasec to run all the CIS benchmark checks against a Kubernetes cluster.

    Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)CIS Kubernetes benchmark using Kube-bench

    Ingress Security

    From a security standpoint, for Ingress, the primary focus is on configuring ingress with TLS configurations

    Also, it would help if you looked at setting up the namespace scoped and cluster-wide ingress.

    You should also look at setting up multiple ingress/ingress controllers using the Ingressclass

    Properly set up Ingress objects with security controlIngress documentation
    Understanding IngressThe complete ingress guide
    Understanding Ingress controllerNginx ingress controller setup guide

    Kubernetes Node Metadata & Endpoints

    Metadata concealment is required for a cloud-based Kubernetes setup where the instances expose the instance metadata information, including credentials.

    This means the pods running on each instance would have access to the metadata server endpoint to retrieve information.

    Pod’s access to the Metadata server can be controlled via Network policies.

    Protect node metadata and endpointsRestricting cloud metadata API access
    Configuring Network PoliciesGuide to configuring network policies

    Note: When you use managed Kubernetes services on the cloud (GKE, EKS, AKS), it comes with options to disable metadata access for pods.

    Securing Kubernetes GUI

    It is essential to secure Kubernetes dashboard access as it is accessed by cluster users from different networks in an organization. Also, many Kubernetes hacking incidents happened due to the wrong security configurations of the Kubernetes dashboard.

    You need to learn all the best practices and configurations involved in setting up a secure Kubernetes dashboard. For example, limiting access to the dashboard with specific internal networks, user access with limited privileges to the dashboards, etc.

    Minimize the use of, and access to, GUI elementsKubernetes Web UI Configurations
    Blog on Securing Kubernetes DashboardHow to Secure Kubernetes Dashboard

    Verify platform binaries before deploying

    Learn to verify the Kubernetes binaries using the checksum. The kubernetes Github release page has the version numbers and SHA ids to verify the binary.

    Kubernetes BinariesGithub Kubernetes Releases

    Cluster Hardening [15%]

    Kubernetes Cluster Hardening carries 15% weightage in the CKS exam. Let’s have a look at the individual concepts under cluster hardening.

    Restrict access to Kubernetes API

    Restricting API access is very important when it comes to Kubernetes Production Implementation. Third-party services and services running inside the cluster should access the Kubernetes API with only the required privileges.

    The primary topics under this section would be bootstrap tokens, RBAC, ABAC, service account, and admission webhooks.

    Cluster API access methodsWays to access Kubernetes cluster API
    Kubernetes API Access SecurityControlling access to Kubernetes API
    AuthenticationKubernetes Authentication Overview
    AuthorizationKubernetes Authorization Overview
    Admission Controllers Admission Controllers Overview
    Admission WebhooksAdmission Webhooks Overview
    CertificatesCertificate Signing Requests Overview
    Note AuthorizationNode Authorization Overview
    TaskAccessing Kubernetes API from a Pod

    Use Role-Based Access Controls to minimize exposure

    With Kubernetes RBAC, you can define fine-grained control on who can access the Kubernetes API to enforce the principle of least privilege. Allowing unnecessary cluster-wide access to everyone is a common mistake done during Kubernetes implementations.

    Two main concepts in RBAC are,

    1. Role: List of allowed API access
    2. RoleBinding – Binding a role to a user, group, or service account.
    Roles, ClusterRoles, RoleBindings and ClusterRoleBindingsRBAC detailed documentation

    Exercise caution in using service accounts e.g., disable defaults, minimize permissions on newly created ones.

    Service accounts are the best way to provide access to applications/pods which require Kubernetes API access.

    Every namespace has a default service account, and it gets attached to the pod if you don’t specify any service account explicitly. The default service account does not have any privileges. But if you bind a role to it, it will get all the access listed in the role, and it applies to all the pods in the namespace.

    Standard practice is to deploy different workloads with different service accounts to enforce the principle of least privilege.

    Service AccountService Account Management Guide
    TaskConfigure service account for a Pod

    Update Kubernetes frequently

    Whenever you upgrade a Kubernetes cluster, you should follow the recommended practices to make sure you have the application’s availability.

    Also, you should have mechanisms to validate the cluster components, security configurations, and application status post-upgrade.

    Cluster UpgradeUpgrading Kubernetes cluster using Kubeadm
    TaskUpgrade a cluster

    System Hardening [15%]

    System hardening aims at reducing vulnerabilities in applications and infrastructure components that reduce the attack surface.

    The common system hardening activities are

    1. Applying timely patches
    2. Removing all non-essential utilities
    3. Limiting access with firewall rules and utilities.
    4. Logging all system activities.

    When it comes to CKS, we have the following list of system hardening activities.

    Minimize host OS footprint (reduce attack surface)

    1. Removing unwanted binaries and services that are not required for cluster operation.
    2. Adding correct firewall rules to restrict host access on opened ports
    3. Containers should have fewer privileges on the host OS. Run container as a non-root user
    Restricting Kernel ModulesPreventing Container Loading unwanted Kernel modules

    Minimize IAM roles

    This is to achieve the principle of least privilege.

    Refer to the topic related to RBAC for role-related concepts. It is also a topic that you have learned for the CKA exam as well.

    Normally IAM is applicable for cloud implementations that integrate with kubernetes RBAC.

    Minimize external access to the network

    Loadbalancer is a common component that allowed external access to the Kubernetes cluster.

    Loadbalancer Access RestrictionRestrict Loadbalancer access from external networks

    Appropriately use kernel hardening tools such as AppArmor, seccomp

    AppArmor (“Application Armor”) is a Linux kernel security module that allows the system administrator to restrict programs’ capabilities with per-program profiles.

    AppArmor is part of the official CKS allowed documentation.

    AppArmorRestrict a Container’s Access to Resources with AppArmor
    SeccompRestrict a Container’s Syscalls with Seccomp
    TaskSecuring a Pod Using Apparmor
    TaskSet the Seccomp Profile for a Container

    Minimize Microservice Vulnerabilities [20%]

    As the title suggests, this section is more about service-to-service communications. You need to learn all the core concepts and Kubernetes objects involved in securing communication between pods.

    Setup appropriate OS-level security domains e.g. using PSP, OPA, Security contexts

    PSP is getting deprecated from Kubernetes version V1.21. But it is a good topic from a learning perspective.

    Open Policy Agent is a great utility for implementing fine-grained controls for microservices.

    PSPPod Security Policy
    OPAOPA Gatekeeper: Policy and Governance for Kubernetes
    Security Context TaskConfigure a Security Context for a Pod or Container

    Manage Kubernetes secrets

    Kubernetes secret is one of the ways to save sensitive information inside the pod. But, it is not encrypted. It is saved in a base64 encoded format. However, you can encrypt the data at rest.

    Kubernetes Secret Kubernetes Secret Overview
    TaskDistribute Credentials Securely Using Secrets

    Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers)

    Kata Containers and gVisor helps in workload isolation. It can be implemented using the Kubernetes RuntimeClass where you can specify the required runtime for the workload.

    Pod Security StandardsSandboxed Pods
    Workload IsolationWorkload Isolation using gVisor and kata containers

    Implement pod-to-pod encryption by use of mTLS

    There is no documentation on enabling mTLS between pods. However, you can use the kubernetes certificates.k8s.io API to generate certificates to use in the pod-to-pod encryption.

    For example, if you have two Java services, you can convert the certificates you generate from the certificate API and convert it to JKS format using keytool and enable the pod-to-pod encryption with java settings.

    Task: Generating TLS CertificateManage TLS Certificates in a Cluster

    Supply Chain Security [20%]

    Minimize base image footprint

    There is no specific documentation on base image optimization on kubernetes.io. However, you can use the following blog for learning purposes.

    Base Image OptimisationTop 20 Dockerfile best practices

    Secure your supply chain: whitelist allowed registries, sign and validate images

    It’s important to verify the pulled base images are from valid sources. This can be achieved using ImagePolicyWebhook admission controller.

    ImagePolicyWebhookUsing ImagePolicyWebhook Admission Controller

    Use static analysis of user workloads (e.g.Kubernetes resources, Docker files)

    Static analysis of user workloadsStatically Analyse YAML

    Scan images for known vulnerabilities

    Aquasec trivy is recommended in the Kubernetes CKS exam documentation. You can use Trivy to scan images for vulnerabilities.

    TrivyGetting started with Trivy for vulnerability scanning.

    Monitoring, Logging, and Runtime Security [20%]

    Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities

    Syscalls with SeccompRestrict a Container’s Syscalls with Seccomp

    Detect threats within a physical infrastructure, apps, networks, data, users, and workloads

    Falco is the Kubernetes threat detection engine. It can alert find unexpected application behavior and alert threats on time.

    Threat detectionUsing Falco for threat detection


    Detect all phases of attack regardless of where it occurs and how it spreads

    Falco might help here. Need to study more about it.

    Perform deep analytical investigation and identification of bad actors within the environment

    Audit logging helps investigate issues in Kubernetes.

    InvestigationImplementing Kubernetes Auditing

    Ensure immutability of containers at runtime

    You can make the pods immutable by making everything the pod uses ReadOnly. For example, read-only filesystem, configmaps, and secrets.

    Immutable file systemPSP readOnlyRootFilesystem

    Use Audit Logs to monitor access

    Audit logs capture all the events associated with Kubernetes objects. The audit logs can be used by the monitoring systems to create alerts for unexpected actions.

    Kubernetes AuditingEnabling Kubernetes Auditing

    Kubernetes Security Books

    Following are the Kubernetes books related to security you can use for CKS preparation.

    1. Container Security by Liz Rice
    2. Kubernetes Security by Liz Rice

    Conclusion

    CKS is one of the sought-after certifications for aspiring DevOps engineers.

    This is the ultimate guide to the Certified Kubernetes Security Specialist exam (CKS). I have covered the most important resources required to ace the CKS exam

    If you plan to do the CKS certification, you should not aim to pass the certification with practice exams and exam dumps.

    It would really help if you focused on learning all the core Kubernetes Security-related concepts, industry use cases, and best practices.

    I will constantly be updating this CKS exam guide with useful resources and tips to pass the CKS exam. Also, most of the CKS topics are covered in the Kubernetes learning roadmap.

    Also, If you are interested in DevOps certifications, check out our comprehensive guide on the best devops certifications.

    4 comments
    1. How you passed exam cause I tried 2nd time and due to PSI slowness and I was too frustrated. I waited around 10 seconds after typing on keyboard to appear on the screen. Scrolling through doc and forgot about it, Screen freezed for 20 seconds. Btw I have good knowledge about domains. I passed killer.sh many times with almost maximum points. Psi secure browser is nightmare. I have no pleasent in front of such as stress. It is enough for me. It is loosing time money and health.

      Do you have some advice how to do everything imperative without documentation.

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    You May Also Like