About this Guide
1. Overview
The Certified Kubernetes Security Specialist (CKS) program was created by the Cloud Native Computing Foundation (CNCF), in collaboration with The Linux Foundation, to help develop the Kubernetes ecosystem.
The Certified Kubernetes Security Specialist (CKS) program provides assurance that a CKS has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime. CKA certification is required to sit for this exam.
The CKS exam is not easy: it consists of hands-on tasks rather than the multiple-choice questions used by many other exams.
Each task describes what needs to be implemented, and candidates are expected to configure it in the provided environment.
Candidates should have hands-on experience with Kubernetes.
This guide will help you prepare for the CKS exam.
This is a live document, we will be updating it regularly, consider adding it to your bookmarks.
2. What is the Certified Kubernetes Security Specialist (CKS) Certification?
The Certified Kubernetes Security Specialist (CKS) certification is designed to provide assurance that certification holders are accomplished Kubernetes practitioners (as evidenced by holding the CKA credential) who have demonstrated competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime.
Certified Kubernetes Security Specialist (CKS) candidates must have taken and passed the Certified Kubernetes Administrator (CKA) exam prior to attempting the CKS exam.
CKS may be purchased but not scheduled until CKA certification has been achieved.
CKA Certification must be active (non-expired) on the date the CKS exam (including Retakes) is scheduled.
3. Is CKS Certified Kubernetes Security Specialist exam worth it?
CKS is an excellent certification to get if you’re interested in Kubernetes security.
It’s hands-on, so you’ll be learning actual Kubernetes skills rather than merely remembering ideas and instructions as you work toward this certification.
The CKS, however, has a prerequisite: before you may take the CKS exam, you must first earn the Certified Kubernetes Administrator (CKA) certification.
So, if you already have your CKA and want to go deeper into Kubernetes security, the CKS is a wonderful certification to get!
We also have a CKA study guide if you need to acquire your CKA first!
4. How much does the CKS Certified Kubernetes Security Specialist exam cost? (Discount code)
The CKS exam costs $375 and includes one free retake.
You can book the exam here (a discount code for the course-and-exam bundle is listed in section 11).
5. Where can I practice the CKS Certified Kubernetes Security Specialist exam?
We have labs covering the CKS exam.
Candidates who register for the Certified Kubernetes Security Specialist (CKS) exams will have access to an exam simulator, provided by Killer.sh.
Login to My Portal at linux foundation website and click Start/Resume to view your exam preparation checklist.
The link to the Simulator is available on the “Schedule Exam” checklist item.
Candidates will have two attempts (per exam registration).
Each attempt grants 36 hours of access starting from the time of activation.
The exam simulations include 20-25 questions similar to the ones candidates can expect to encounter on the real exam.
Please review the FAQ section of the Killer.sh site for further information.
You can also try tasks at Kubernetes.io
6. How long is CKS Certified Kubernetes Security Specialist exam?
Candidates get 2 hours to complete the CKS exam.
7. How long is the CKS Certified Kubernetes Security Specialist certification valid?
CKS certification is valid for 2 years from the date the exam is passed.
8. Which version of Kubernetes will be used in the CKS Certified Kubernetes Security Specialist exam?
Candidates will be tested on Kubernetes v1.22 and etcd v3.5.
9. How many questions are there in the CKS Certified Kubernetes Security Specialist exam?
Candidates will get 15-20 performance-based tasks.
10. What is the CKS Certified Kubernetes Security Specialist exam syllabus?
| Domain | Weight |
|---|---|
| Cluster Setup | 10% |
| Cluster Hardening | 15% |
| System Hardening | 15% |
| Minimize Microservice Vulnerabilities | 20% |
| Supply Chain Security | 20% |
| Monitoring, Logging, and Runtime Security | 20% |
11. What courses one can enroll in to prepare for the CKS Certified Kubernetes Security Specialist exam?
Check Free LABS at https://www.sharelearn.net/practice/k8slabs/
CNCF: Kubernetes Security Essentials (LFS260)
This is a $299 course offered by CNCF
You can also consider buying a bundle of this course and exam from CNCF for $575 and save $100
Offer code SHARELEARN15 will bring it down to $454.
edX: Introduction to Kubernetes
This is a free course by edX, recommended by CNCF.
Udemy: Kubernetes CKS 2021 Complete Course - Theory - Practice
Related Kubernetes security resources
- Kubernetes Security Essentials (LFS260)
- Cloud Native Security Tutorial
- Killer Shell CKS Simulator
- Sysdig Kubernetes Security Guide
- Kubernetes Security Best Practices - Ian Lewis, Google
- Kubernetes security concepts and demos
- Tutorial: Getting Started With Cloud Native Security - Liz Rice, Aqua Security & Michael Hausenblas
- 11 Ways (Not) to Get Hacked
- Kubernetes Goat
- Kubernetes CTF on vagrant environment
- NSA/CISA Kubernetes Hardening Guidance 08/2021
White Papers
12. What is the passing score for the CKS Certified Kubernetes Security Specialist exam?
A score of 67% or above is required to pass.
Exams are scored automatically, usually within 24 hours of completion, and results are emailed within 24 hours of the time the exam was completed.
Exams are graded on results, not on the method used: there may be more than one way to perform a task, and unless otherwise specified the candidate can pick any available path to complete the task as long as it produces the correct result.
13. Is CKS Certified Kubernetes Security Specialist open book exam?
During the CKS exam, candidates may:
- review the exam content instructions that are presented in the command line terminal;
- review documents installed by the distribution (i.e. /usr/share and its subdirectories);
- use their Chrome or Chromium browser to open one additional tab in order to access the sites below.
Kubernetes Documentation:
- https://kubernetes.io/docs/ and their subdomains
- https://github.com/kubernetes/ and their subdomains
- https://kubernetes.io/blog/ and their subdomains
This includes all available language translations of these pages (e.g. https://kubernetes.io/zh/docs/ )
Tools:
- Trivy documentation https://aquasecurity.github.io/trivy/
- Sysdig documentation https://docs.sysdig.com/
- Falco documentation https://falco.org/docs/
This includes all available language translations of these pages (e.g. https://falco.org/zh/docs/ )
AppArmor:
- Documentation https://gitlab.com/apparmor/apparmor/-/wikis/Documentation
The allowed sites above may contain links that point to external sites.
It is the responsibility of the candidate not to click any links to navigate to a domain that is not allowed
14. Where can I find resources for individual topics of the CKS Certified Kubernetes Security Specialist exam?
Check Next pages for resources for specific topic in CKS Certified Kubernetes Security Specialist exam
15. What are topics covered under Cluster Setup section on the CKS exam?
Use Network security policies to restrict cluster level access
Resources Allowed During exam
3rd Party Resources
Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
3rd Party Resources
- CIS benchmark for Kubernetes (at the time of writing the benchmark was not yet available for Kubernetes 1.19, but it still gives a good understanding of the checks)
- What is Center for Internet Security (CIS) Benchmarks
- Kube-bench: a tool for running Kubernetes CIS Benchmark tests
- GKE: CIS Benchmarks for etcd & kubelet
Properly set up Ingress objects with security control
Resources Allowed During exam
Protect node metadata and endpoints
Resources Allowed During exam
3rd Party Resources
Minimize use of, and access to, GUI elements
Resources Allowed During exam
3rd Party Resources
16. What are topics covered under Cluster Hardening section on the CKS exam?
Cluster Hardening (15%)
Restrict access to Kubernetes API
Resources Allowed During exam
- Controlling Access to the Kubernetes API
- Certificate Signing Requests: Create Normal User
- Generate cluster certificates (easyrsa, openssl or cfssl)
3rd Party Resources
Use Role Based Access Controls to minimize exposure
Resources Allowed During exam
3rd Party Resources
Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones
Resources Allowed During exam
- Managing Service Accounts
- Default roles and role bindings
- Authorization Modes
- Configure Service Accounts for Pods
- Kubernetes should not mount default service account credentials by default
3rd Party Resources
17. What are topics covered under System Hardening section on the CKS exam?
System Hardening (15%)
Minimize host OS footprint (reduce attack surface)
Resources Allowed During exam
3rd Party Resources
Minimize IAM roles
3rd Party Resources
Minimize external access to the network
Resources Allowed During exam
3rd Party Resources
Appropriately use kernel hardening tools such as AppArmor, seccomp
Resources Allowed During exam
- Restrict a Container’s Access to Resources with AppArmor
- Restrict a Container’s Syscalls with Seccomp
3rd Party Resources
18. What are topics covered under Minimize Microservice Vulnerabilities section on the CKS exam?
Minimize Microservice Vulnerabilities (20%)
Setup appropriate OS level security domains e.g. using PSP, OPA, security contexts
Resources Allowed During exam
- Pod Security Policies
- Configure a Security Context for a Pod or Container
- OPA Gatekeeper: Policy and Governance for Kubernetes
- Kubernetes security context, security policy, and network policy – Kubernetes security guide (part 2)
3rd Party Resources
Manage kubernetes secrets
Resources Allowed During exam
3rd Party Resources
Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers)
Resources Allowed During exam
- Container Runtimes
- Container runtime sandbox examples
- Enforce tenant isolation (Limit Ranges, Quotas, PSPs) with Policies
- Affinity and anti-affinity
3rd Party Resources
Implement pod to pod encryption by use of mTLS
Resources Allowed During exam
3rd Party Resources
19. What are topics covered under Supply Chain Security section on the CKS exam?
Supply Chain Security (20%)
Minimize base image footprint
3rd Party Resources
Secure your supply chain: whitelist allowed image registries, sign and validate images
Resources Allowed During exam
- Using Admission Controllers
- Dynamic Admission Control
- A Guide to Kubernetes Admission Controllers
- Ensure images only from approved sources are run
3rd Party Resources
Use static analysis of user workloads (e.g. kubernetes resources, docker files)
Resources Allowed During exam
3rd Party Resources
20. What are topics covered under Monitoring, Logging, and Runtime Security section on the CKS exam?
Monitoring, Logging and Runtime Security (20%)
Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities
Resources Allowed During exam
- Restrict a Container’s Syscalls with Seccomp
- Auditing with Falco (obsoleted)
- How to detect a Kubernetes vulnerability using Falco
3rd Party Resources
Detect threats within physical infrastructure, apps, networks, data, users and workloads
3rd Party Resources
Detect all phases of attack regardless where it occurs and how it spreads
3rd Party Resources
- Investigating Kubernetes attack scenarios in Threat Stack
- Anatomy of a Kubernetes attack – How untrusted Docker images fail us
- Investigating Kubernetes Attack Scenarios in Threat Stack (part 1)
- The seven phases of a cyber attack
- Threat matrix for Kubernetes
- MITRE ATT&CK framework for container runtime security with Falco
- Mitigating Kubernetes attacks
Perform deep analytical investigation and identification of bad actors within environment
3rd Party Resources
Ensure immutability of containers at runtime
Resources Allowed During exam
- “ReadOnlyRootFilesystem” (securityContext, PSP)
- “readOnly” volume mount
- Principles of Container-based Application Design
3rd Party Resources
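The three topics above that ask for policy-level judgement (security contexts under "Setup appropriate OS level security domains", approved registries and pinned images under "Secure your supply chain", and readOnlyRootFilesystem plus read-only mounts under "Ensure immutability of containers at runtime") all boil down to checks on fields of a Pod spec. The following is an added example written for this guide, not code from Kubernetes, the CNCF or any tool the syllabus names: a small static linter over the JSON form of a Pod (what `kubectl get pod <name> -o json` prints, or a manifest converted with `yq -o=json`) that reports each field an admission policy would reject. The registry allowlist and the two sample Pods are constructed for the example.

```python
"""Static checks on Pod manifests for the fields CKS admission policies care about.

Example code for this guide, not part of Kubernetes or any CNCF project.
Input is the JSON form of a Pod, so only the standard library is needed.
"""
import json
import sys

# Constructed allowlist: registries this hypothetical cluster may pull from.
ALLOWED_REGISTRIES = ("registry.internal.example:5000", "docker.io/library")


def normalize_image(image):
    """Expand Docker Hub shorthand so every reference starts with its registry host."""
    first = image.split("/", 1)[0]
    if "/" not in image:                      # "nginx:1.25" -> docker.io/library/nginx:1.25
        return "docker.io/library/" + image
    if "." not in first and ":" not in first and first != "localhost":
        return "docker.io/" + image           # "bitnami/nginx" -> docker.io/bitnami/nginx
    return image


def image_allowed(image, allowed=ALLOWED_REGISTRIES):
    """True when the image comes from one of the allowed registry prefixes."""
    full = normalize_image(image)
    return any(full.startswith(a.rstrip("/") + "/") for a in allowed)


def image_pinned(image):
    """True when pinned by digest, or at least tagged with something other than latest."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]
    return ":" in last and not last.endswith(":latest")


def check_pod(pod, allowed=ALLOWED_REGISTRIES):
    """Return a list of findings for one Pod; an empty list means every check passed."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    name = pod.get("metadata", {}).get("name", "<unnamed>")

    if spec.get("automountServiceAccountToken") is not False:
        findings.append(f"{name}: automountServiceAccountToken is not false")
    if spec.get("hostNetwork") or spec.get("hostPID") or spec.get("hostIPC"):
        findings.append(f"{name}: shares a host namespace (hostNetwork/hostPID/hostIPC)")
    host_paths = {v["name"] for v in spec.get("volumes", []) if "hostPath" in v}

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = f"{name}/{c.get('name', '?')}"
        sc = c.get("securityContext") or {}
        image = c.get("image", "")
        # Supply chain: approved source and a non-floating reference
        if not image_allowed(image, allowed):
            findings.append(f"{cname}: image {image} is not from an allowed registry")
        if not image_pinned(image):
            findings.append(f"{cname}: image {image} is not pinned (no digest, floating tag)")
        # Immutability and privilege: the fields a security context / PSP replacement enforces
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{cname}: readOnlyRootFilesystem is not true")
        if sc.get("privileged"):
            findings.append(f"{cname}: privileged container")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{cname}: allowPrivilegeEscalation is not false")
        if sc.get("runAsNonRoot") is not True and pod_sc.get("runAsNonRoot") is not True:
            findings.append(f"{cname}: runAsNonRoot is not set")
        added = (sc.get("capabilities") or {}).get("add") or []
        if added:
            findings.append(f"{cname}: adds capabilities {added}")
        for m in c.get("volumeMounts", []):
            if m.get("name") in host_paths and not m.get("readOnly"):
                findings.append(f"{cname}: hostPath volume {m['name']} is mounted writable")
    return findings


def check_document(text):
    """Accept one Pod or a `kubectl get pods -o json` List and check every Pod in it."""
    doc = json.loads(text)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    return [f for item in items if item.get("kind") == "Pod" for f in check_pod(item)]


# Constructed samples: a "works on my machine" Pod and its hardened version.
BAD_POD = {"kind": "Pod", "metadata": {"name": "web"}, "spec": {
    "volumes": [{"name": "host-etc", "hostPath": {"path": "/etc"}}],
    "containers": [{"name": "web", "image": "nginx",
                    "securityContext": {"privileged": True},
                    "volumeMounts": [{"name": "host-etc", "mountPath": "/host-etc"}]}]}}

GOOD_POD = {"kind": "Pod", "metadata": {"name": "web"}, "spec": {
    "automountServiceAccountToken": False,
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
    "volumes": [{"name": "tmp", "emptyDir": {}}],
    "containers": [{"name": "web",
                    "image": "registry.internal.example:5000/app/web:1.4.2@sha256:" + "0" * 64,
                    "securityContext": {"readOnlyRootFilesystem": True,
                                        "allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}},
                    "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]}]}}

if __name__ == "__main__":
    if len(sys.argv) > 1:                    # python3 lint.py pods.json
        with open(sys.argv[1]) as fh:
            findings = check_document(fh.read())
    else:                                    # no argument: lint the embedded samples
        findings = check_pod(BAD_POD) + check_pod(GOOD_POD)
    print("\n".join(findings) or "no findings")
```

Run against `kubectl get pods -A -o json > pods.json` and the same checks that an OPA Gatekeeper constraint or Pod Security admission would apply at admission time are applied to what is already running. The registry check normalizes Docker Hub shorthand first, because `nginx` and `docker.io/library/nginx` are the same image and an allowlist that only matches one of them is trivially bypassed.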
Use Audit Logs to monitor access
Resources Allowed During exam
3rd Party Resources
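"Use Audit Logs to monitor access" is tested in practice by reading what kube-apiserver writes, so here is an added example for this guide (not Kubernetes project code) of the triage a practitioner would run over the JSON audit backend's output: one `audit.k8s.io/v1` Event per line. It flags anonymous requests, reads of Secrets by non-system identities, interactive `exec`/`attach` into Pods, and a burst of 403s from a single user, which is what permission probing with a stolen token looks like. It assumes the API server runs with `--audit-log-path` under a policy that records secrets and `pods/exec` at least at the Metadata level; the six log lines are constructed for the example.

```python
"""Triage of kube-apiserver audit log lines (audit.k8s.io/v1 Event, one JSON object per line).

Example code for this guide, not part of Kubernetes. Assumes an audit policy that
records secrets and pods/exec at least at Metadata level; sample lines are constructed.
"""
import json
from collections import Counter

SAMPLE_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods","verb":"list","user":{"username":"system:serviceaccount:prod:web","groups":["system:serviceaccounts"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"pods","namespace":"prod","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/secrets/db-creds","verb":"get","user":{"username":"system:serviceaccount:prod:web","groups":["system:serviceaccounts"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods/web-0/exec?command=sh","verb":"create","user":{"username":"jane@example.com","groups":["developers"]},"sourceIPs":["203.0.113.9"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"web-0","apiVersion":"v1"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets","verb":"list","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["198.51.100.7"],"objectRef":{"resource":"secrets","namespace":"kube-system","apiVersion":"v1"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/secrets","verb":"list","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["198.51.100.7"],"objectRef":{"resource":"secrets","namespace":"default","apiVersion":"v1"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a6","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["198.51.100.7"],"objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"code":403}}
""".strip()

# Identities whose Secret reads are expected: control-plane components, kubelets, kube-system SAs.
SYSTEM_USER_PREFIXES = ("system:kube-", "system:apiserver", "system:node:",
                        "system:serviceaccount:kube-system:")


def parse_events(text):
    """Yield one event dict per non-empty line; lines that are not JSON are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def triage(events, forbidden_threshold=3):
    """Return human-readable findings for the events that deserve a second look."""
    findings = []
    forbidden = Counter()                      # 403 responses per username
    for ev in events:
        user = (ev.get("user") or {}).get("username", "?")
        ref = ev.get("objectRef") or {}
        verb = ev.get("verb")
        code = (ev.get("responseStatus") or {}).get("code")
        where = f"{ref.get('namespace', '-')}/{ref.get('resource', '-')}/{ref.get('name', '-')}"
        src = ",".join(ev.get("sourceIPs", []))
        aid = ev.get("auditID", "?")

        if user == "system:anonymous":
            findings.append(f"[{aid}] anonymous request {verb} {where} from {src} -> {code}")
        if (ref.get("resource") == "secrets" and verb in ("get", "list", "watch")
                and code == 200 and not user.startswith(SYSTEM_USER_PREFIXES)):
            findings.append(f"[{aid}] secret read by {user}: {verb} {where}")
        if ref.get("resource") == "pods" and ref.get("subresource") in ("exec", "attach"):
            findings.append(f"[{aid}] interactive {ref['subresource']} into {where} by {user} from {src}")
        if code == 403:
            forbidden[user] += 1
    for user, n in forbidden.items():
        if n >= forbidden_threshold:
            findings.append(f"{n} forbidden responses for {user}: possible permission probing")
    return findings


def triage_text(text, forbidden_threshold=3):
    """Convenience wrapper: raw log text in, findings out."""
    return triage(parse_events(text), forbidden_threshold)


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(triage_text(src)) or "nothing flagged")
```

Point it at the file named by `--audit-log-path` (typically /var/log/kubernetes/audit/audit.log on a kubeadm control plane) with `python3 triage.py audit.log`. Note that the Secret-read rule only fires on `code == 200`: a denied read is already covered by the 403 counter, and counting it twice would hide the pattern that matters, one identity being told "no" many times in a row.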
22. What are system requirement for CKS Certified Kubernetes Security Specialist exam?
The CKS exam is delivered online, and candidates must provide their own computer with a current version of the Chrome browser. Make sure you have third-party cookies turned on for the duration of the exam.
Reliable internet access
Ensure others on the same internet connection are not performing activities that use excessive bandwidth (i.e. holding conference calls, streaming content, gaming, etc.)
A wired connection is often more stable and robust than a wireless connection. Turn off bandwidth-intensive services (e.g. file sync, Dropbox, BitTorrent).
Microphone
Please check to make sure it is working before you start your exam session.
Webcam
Ensure the webcam is capable of being moved as the proctor may ask you to pan your surroundings to check for potential violations of exam policy.
Try holding up your ID while viewing your webcam feed to ensure your placement and resolution are sufficient for the person viewing your feed to read your ID.
If you will be testing from an employer-provided ISP or will use an employer-provided machine, please ensure that streaming will be allowed using WebRTC.
Candidates are not allowed to have other applications or browser windows running except the one on which the Exam is being shown.
Candidates should run the compatibility check tool to verify that their hardware meets the minimum requirements.
23. What kind of access will I have to environment during CKS Certified Kubernetes Security Specialist exam?
- Root privileges can be obtained by running 'sudo -i'.
- Rebooting of your server IS permitted at any time.
- Do not stop or tamper with the certerminal process as this will END YOUR EXAM SESSION.
- Do not block incoming ports 8080/tcp, 4505/tcp and 4506/tcp. This includes firewall rules that are found within the distribution's default firewall configuration files as well as interactive firewall commands.
- Use Ctrl+Alt+W instead of Ctrl+W.
- Ctrl+W is a keyboard shortcut that will close the current tab in Google Chrome.
- Ctrl+C and Ctrl+V are not supported in your exam terminal.
- To copy and paste text, please use:
  - For Linux: select text to copy and the middle button to paste (or both left and right buttons simultaneously if you have no middle button).
  - For Mac: ⌘+C to copy and ⌘+V to paste.
  - For Windows: Ctrl+Insert to copy and Shift+Insert to paste.
- In addition, you might find it helpful to use the Notepad (see top menu under ‘Exam Controls’) to manipulate text before pasting to the command line.
- Installation of services and applications included in this exam may require modification of system security policies to successfully complete.
- Only a single terminal console is available during the exam. Terminal multiplexers such as GNU Screen and tmux can be used to create virtual consoles.
24. How many Kubernetes clusters are there in CKS Certified Kubernetes Security Specialist exam environment?
Sixteen clusters comprise the exam environment, one for each task. Each cluster is made up of one master node and one worker node.
25. How will I know which cluster to use for a task in CKS Certified Kubernetes Security Specialist exam environment?
Each task on this exam must be completed on a designated cluster/configuration context.
An infobox at the start of each task provides you with the cluster name/context and the hostname of the master and worker node.
You can switch the cluster/configuration context using a command such as the following:
kubectl config use-context <cluster/context name>
Nodes making up each cluster can be reached via ssh, using a command such as the following:
ssh <node hostname>
You have elevated privileges on any node by default, so there is no need to assume elevated privileges.
You must return to the base node (hostname cli) after completing each task.
Nested−ssh is not supported.
You can use kubectl and the appropriate context to work on any cluster from the base node. When connected to a cluster member via ssh, you will only be able to work on that particular cluster via kubectl.
For your convenience, all environments, in other words, the base system and the cluster nodes, have the following additional command-line tools pre-installed and pre-configured:
kubectl with k alias and Bash autocompletion
yq and jq for YAML/JSON processing
tmux for terminal multiplexing
curl and wget for testing web services
man and man pages for further documentation
Further instructions for connecting to cluster nodes will be provided in the appropriate tasks
The CKS environment is currently running etcd v3.5
The CKS environment is currently running Kubernetes v1.22
The CKS exam environment will be aligned with the most recent K8s minor version within approximately 4 to 8 weeks of the K8s release date.
26. What are location requirement for CKS Certified Kubernetes Security Specialist exam?
Clutter-free work area
No objects such as paper, writing implements, electronic devices, or other objects on top of surface
No objects such as paper, trash bins, or other objects below the testing surface
Clear walls
No paper/print outs hanging on walls
Paintings and other wall décor is acceptable
Candidates will be asked to remove non-décor items prior to the exam being released
Lighting
Space must be well lit so that proctor is able to see candidate’s face, hands, and surrounding work area
No bright lights or windows behind the examinee
Other
Candidate must remain within the camera frame during the examination.
Space must be private where there is no excessive noise.
Public spaces such as coffee shops, stores, open office environments, etc. are not allowed.
Please see the Candidate Handbook for additional information covering policies, procedures and rules during the exam
27. What are ID requirement for CKS Certified Kubernetes Security Specialist exam?
Candidates are required to provide a non-expired Primary ID that contains Candidate’s photograph, signature and full name (see acceptable forms of ID in the table below)
The name on your Primary ID must exactly match the verified name on your exam checklist.
If the Candidate’s full name on their Primary ID contains non-latin characters, then the Candidate must ALSO provide a non-expired Secondary ID containing their full name in Latin Characters and signature, OR a notarized English translation of their Primary ID along with the non-latin character Primary ID
Primary ID
(non-expired and including photograph and signature):
Passport
Government-issued driver’s license/permit
Government-Issued local language ID (with photo and signature)
National Identity card
State or province-issued identity card
住民基本台帳 (Basic resident register with Photo) or マイナンバーカード(My number card)
Secondary ID
(non-expired and including signature with Candidate name in Latin characters)
Debit (ATM) Card
Credit Card
Health Insurance Card
U.S. Social Security Card
Employee ID Card
Student ID Card
Japanese Health Insurance Card
Additional Allowances:
Some government issued ID such as a passport, driver’s license, military ID or state/country card may be a biometric type and may or may not contain a signature. In these cases Primary ID will be accepted without a signature on condition that you also present a Secondary ID which does contain your signature (e.g. bank, credit or debit card)
For candidates testing in Japan, a Driver’s License (with name and recent recognizable photo) is acceptable as a primary ID as long as it is accompanied with a Japanese health insurance card
(健康保険証). In Japan, the Japanese health insurance card (健康保険証) is an acceptable form of secondary ID
28. How is the CKS Certified Kubernetes Security Specialist exam proctored?
The certification exam is proctored remotely via streaming audio, video, and screen sharing feeds.
The screen sharing feed allows proctors to view candidates’ desktops (including all monitors).
The audio, video, and screen sharing feeds will be stored for a limited period of time in the event that there is a subsequent need for review.
How do I renew CKS Certified Kubernetes Security Specialist certification?
Candidates have the option to retake and pass the exam to renew their certification. Certification renewal must be completed prior to the certification expiration date. The renewed CKS certification will be valid for a further 2 years (the validity period given in section 7) from the date the exam is passed.
29. What is the recourse for someone who attributes exam failure to the testing environment?
CNCF understands that taking the exams via remote desktop on a new platform environment may cause lag for some candidates; however, there are trade-offs needed to offer this exam remotely.
CNCF will continually monitor and seek to improve the testing experience over time.
When eligible, CNCF does offer free retakes for those who do not pass the first time, regardless of why.
30. Conclusion
This is a live document, we will be updating it regularly, consider adding it to your bookmarks.
Join us at an upcoming Kubernetes or CKS workshop, training or bootcamp.