
Certification Prep: CKS — Certified Kubernetes Security Specialist

Metadata

| Field | Value |
|---|---|
| Issuer | CNCF (Cloud Native Computing Foundation) |
| Exam Code | CKS |
| Format | Performance-based (live cluster tasks) |
| Duration | 2 hours |
| Passing Score | 67% |
| Cost | $395 USD |
| Retake Policy | One free retake included |
| Prerequisite | Active CKA certification |
| Kubernetes Version | Current stable (check CNCF site) |
| Wiki Coverage | ~70% |

Exam Domains & Wiki Mapping

Cluster Setup (10%)

| Objective | Topic Pack | Coverage |
|---|---|---|
| Use Network Policies to restrict cluster-level access | k8s-networking, policy-engines | ✅ Full |
| Use CIS benchmark to review security configuration | security-scanning, linux-hardening | ⚠️ Partial |
| Properly set up Ingress with TLS | k8s-services-and-ingress, tls-pki | ✅ Full |
| Protect node metadata and endpoints | k8s-networking, cloud-deep-dive | ⚠️ Partial |
| Minimize use of, and access to, GUI elements | k8s-ops | ⚠️ Partial |
| Verify platform binaries before deploying | supply-chain-security | ✅ Full |

Cluster Hardening (15%)

| Objective | Topic Pack | Coverage |
|---|---|---|
| Restrict access to Kubernetes API | k8s-rbac | ✅ Full |
| Use RBAC to minimize exposure | k8s-rbac | ✅ Full |
| Exercise caution in using service accounts (disable automount, use bound tokens) | k8s-rbac | ✅ Full |
| Restrict access to the Kubernetes API from external networks | k8s-networking, firewalls | ⚠️ Partial |
| Update Kubernetes frequently to stay current | k8s-node-lifecycle, k8s-ops | ✅ Full |
| Minimize IAM roles and external access | k8s-rbac, aws-iam | ⚠️ Partial |

System Hardening (15%)

| Objective | Topic Pack | Coverage |
|---|---|---|
| Minimize host OS footprint (reduce attack surface) | linux-hardening | ✅ Full |
| Minimize IAM roles | aws-iam, k8s-rbac | ⚠️ Partial |
| Minimize external access to the network | firewalls, iptables-nftables | ✅ Full |
| Appropriately use kernel hardening tools (AppArmor, seccomp) | selinux-apparmor, linux-hardening | ✅ Full |
| Use AppArmor profiles for containers | selinux-apparmor | ⚠️ Partial |
| Use seccomp profiles to restrict syscalls | linux-hardening, cgroups-namespaces | ⚠️ Partial |

Minimize Microservice Vulnerabilities (20%)

| Objective | Topic Pack | Coverage |
|---|---|---|
| Set up appropriate OS-level security domains (PSA, SecurityContext) | k8s-rbac, linux-hardening | ⚠️ Partial |
| Manage Kubernetes Secrets | secrets-management, hashicorp-vault | ✅ Full |
| Use container runtime sandboxes (gVisor, kata) | containers-deep-dive | ❌ Gap |
| Implement Pod-to-Pod encryption (mTLS) | istio, service-mesh | ⚠️ Partial |
| Use static analysis of workloads (kubesec, OPA) | policy-engines, security-scanning | ✅ Full |
| Understand and use Pod Security Standards | k8s-rbac, policy-engines | ⚠️ Partial |

Supply Chain Security (20%)

| Objective | Topic Pack | Coverage |
|---|---|---|
| Minimize base image footprint | container-images | ✅ Full |
| Secure your supply chain (sign images, allowlist registries) | supply-chain-security | ✅ Full |
| Use image scanning to find known vulnerabilities (Trivy, Grype) | container-images, security-scanning | ✅ Full |
| Scan images for vulnerabilities in CI/CD pipeline | cicd, container-images | ✅ Full |
| Use ImagePolicyWebhook to restrict unapproved images | policy-engines | ⚠️ Partial |
| Understand and apply SBOM and provenance | supply-chain-security | ⚠️ Partial |

Monitoring, Logging and Runtime Security (20%)

| Objective | Topic Pack | Coverage |
|---|---|---|
| Perform behavioral analytics of syscall, process and file activities at host and container level | falco | ✅ Full |
| Detect threats within physical infrastructure, apps, networks, data, users, and workloads | falco, monitoring-fundamentals | ✅ Full |
| Detect and handle runtime threats in containers | falco, containers-deep-dive | ✅ Full |
| Ensure immutability of containers at runtime | linux-hardening, containers-deep-dive | ✅ Full |
| Use audit logs to monitor access | audit-logging, k8s-ops | ✅ Full |
| Understand and use mutable vs immutable infrastructure | containers-deep-dive, linux-hardening | ✅ Full |

Study Plan

Phase 1: Foundations (Weeks 1–2)

Goal: Solid grounding in Kubernetes security primitives and Linux hardening.

  • Week 1: RBAC, Pod Security, and Secrets
      • Read: k8s-rbac — Roles, ClusterRoles, bindings, service account hardening
      • Read: secrets-management — Kubernetes Secrets, Vault integration, encryption at rest
      • Read: hashicorp-vault — external secret management
      • Read: policy-engines — OPA Gatekeeper, Kyverno, Pod Security Admission
      • Practice: Audit an existing cluster's RBAC — find overprivileged service accounts
      • Practice: Enable encryption at rest for Secrets, verify with etcd read

  • Week 2: Linux hardening and kernel security
      • Read: linux-hardening — minimal OS, disabled services, syscall filtering
      • Read: selinux-apparmor — AppArmor profiles for containers
      • Read: cgroups-namespaces — isolation primitives
      • Read: firewalls, iptables-nftables — network-level hardening
      • Practice: Write and apply AppArmor profiles to pods
      • Practice: Create seccomp profiles, restrict dangerous syscalls
      • Practice: Harden a node: disable unnecessary services, configure firewall rules
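The Week 1 RBAC audit practice item, as an added example that is not part of the wiki: a Python script that walks role bindings and flags ServiceAccounts whose bound rules carry wildcards, RBAC-escalation verbs or sensitive resources. The sample roles and bindings are constructed, and RISKY_VERBS / RISKY_RESOURCES are my own starting lists rather than an official set; on a real cluster feed it the `items` arrays from `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` (or the namespaced Role/RoleBinding pair), since roles are matched to bindings by name.

```python
# Added example, not wiki code: input mirrors the `items` arrays of
# `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json`.
RISKY_VERBS = {"*", "escalate", "bind", "impersonate"}  # wildcard or RBAC-escalation verbs
RISKY_RESOURCES = {"*", "secrets", "pods/exec", "clusterrolebindings"}


def rule_findings(rule):
    """Reasons a single RBAC rule counts as overprivileged (empty list if none)."""
    reasons = []
    verbs = set(rule.get("verbs", [])) & RISKY_VERBS
    resources = set(rule.get("resources", [])) & RISKY_RESOURCES
    if verbs:
        reasons.append("privileged verbs: " + ", ".join(sorted(verbs)))
    if resources:
        reasons.append("sensitive resources: " + ", ".join(sorted(resources)))
    return reasons


def audit(roles, bindings):
    """Map 'namespace/serviceaccount' -> [(role, reason), ...]; User/Group subjects are skipped."""
    rules_by_role = {r["metadata"]["name"]: r.get("rules", []) for r in roles}
    findings = {}
    for binding in bindings:
        role = binding["roleRef"]["name"]  # matched by name: keep Role and ClusterRole lists separate
        for subject in binding.get("subjects", []):
            if subject.get("kind") != "ServiceAccount":
                continue
            sa = subject.get("namespace", "default") + "/" + subject["name"]
            for rule in rules_by_role.get(role, []):
                for reason in rule_findings(rule):
                    findings.setdefault(sa, []).append((role, reason))
    return findings


# Constructed sample: a wildcard admin role, a Secrets reader and a harmless pod viewer.
ROLES = [
    {"metadata": {"name": "cluster-admin"}, "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "secret-reader"}, "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "pod-viewer"}, "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]
BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "default"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "backup", "namespace": "kube-system"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "User", "name": "alice"}, {"kind": "ServiceAccount", "name": "prom", "namespace": "monitoring"}]},
]
```

Running `audit(ROLES, BINDINGS)` reports default/ci (wildcard verbs and resources) and kube-system/backup (Secrets read) and stays silent on monitoring/prom, which only reads pods.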

Phase 2: Deep Dive (Weeks 3–4)

Goal: Supply chain security, runtime detection, and network hardening.

  • Week 3: Supply chain and image security
      • Read: supply-chain-security — image signing, allowlisting, provenance
      • Read: container-images — Trivy, Grype, CI integration
      • Read: container-images — minimal base images, multi-stage builds
      • Read: container-images — distroless, scratch, Alpine considerations
      • Practice: Set up Trivy scanning in a CI pipeline
      • Practice: Configure ImagePolicyWebhook to block unsigned images
      • Practice: Build and scan a distroless container image

  • Week 4: Runtime security and monitoring
      • Read: falco — rules, alerts, syscall monitoring
      • Read: audit-logging — Kubernetes audit policy configuration
      • Read: k8s-networking — NetworkPolicy for microsegmentation
      • Read: istio, service-mesh — mTLS for pod-to-pod encryption
      • Practice: Deploy Falco, write custom rules to detect shell-in-container
      • Practice: Configure Kubernetes audit logging, analyze audit events
      • Practice: Implement network policies for a multi-tier application

Phase 3: Exam Simulation (Week 5)

Goal: Speed and confidence with security tasks under time pressure.

  • Take full-length practice exams (killer.sh included with registration)
  • Focus on tasks that combine multiple domains (e.g., "harden this cluster" = RBAC + NetworkPolicy + AppArmor)
  • Drill: fix misconfigured security contexts under time pressure
  • Review: AppArmor profile syntax, seccomp profile JSON format, Falco rule syntax
  • Practice: NetworkPolicy creation from scratch — this is heavily tested

Gap Analysis

| Gap | Exam Weight | Recommended External Resource |
|---|---|---|
| Container runtime sandboxes (gVisor, kata containers) | Medium (within 20%) | gVisor documentation, kata-containers.io |
| Pod Security Standards (PSA Restricted mode in depth) | Medium (within 20%) | kubernetes.io Pod Security Standards reference |
| ImagePolicyWebhook admission controller | Low (within 20%) | Kubernetes admission controllers documentation |
| CIS Kubernetes Benchmark (full walkthrough) | Low (within 10%) | CIS Benchmark PDF, kube-bench tool |
| mTLS with service mesh (hands-on) | Medium (within 20%) | Istio security task docs, Linkerd mTLS guide |
| Seccomp profile creation from scratch | Medium (within 15%) | Kubernetes seccomp tutorial, OCI seccomp spec |
| SBOM generation and verification | Low (within 20%) | Syft and cosign documentation |

Exam-Day Strategy

Environment Setup (First 2 Minutes)

```bash
# Standard aliases
alias k=kubectl
alias kn='kubectl config set-context --current --namespace'

# CKS-specific: know where security configs live
# /etc/kubernetes/manifests/ — static pod manifests (kube-apiserver, etcd, ...)
# /etc/kubernetes/pki/       — cluster certificates
# /var/log/                  — audit logs (if configured)

# Verify access
kubectl get nodes
kubectl config get-contexts
```

Time Management

  • CKS tasks are often more complex than CKA/CKAD — expect fewer tasks
  • Average ~8–10 minutes per task
  • Security tasks often involve editing files on nodes via SSH, not just kubectl
  • Budget extra time for tasks involving AppArmor/seccomp (filesystem work)

Question Triage

  1. Read the full question — CKS questions often have multiple sub-parts
  2. Identify the domain: is this RBAC, network, runtime, or supply chain?
  3. For cluster-level tasks: check if you need to SSH to a node
  4. For policy tasks: know whether to use NetworkPolicy, PSA, or OPA/Kyverno
  5. For scanning tasks: know your tool flags (trivy image, kubesec scan)

Common Traps

  • Forgetting to restart kubelet after editing static pod manifests in /etc/kubernetes/manifests/
  • AppArmor: the annotation is per-container, not per-pod: container.apparmor.security.beta.kubernetes.io/<container-name> (on Kubernetes 1.30 and later the securityContext.appArmorProfile field is preferred and the annotation is deprecated)
  • NetworkPolicy: a pod selected by no policy accepts all traffic; once any policy selects it, the pod is default-deny for each policyType that policy lists (ingress, egress or both) and only the listed rules are allowed
  • Audit logging: the audit policy file (and the log output directory) must be mounted into the API server static pod via hostPath volumes, matching the --audit-policy-file and --audit-log-path flags
  • Seccomp: a Localhost profile must already exist on the node under the kubelet seccomp root (/var/lib/kubelet/seccomp by default) before a pod references it through localhostProfile, which is a path relative to that root
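The Week 2 AppArmor/seccomp practice items and the two traps above, as an added example that is not wiki code: a Python pre-flight check over a Pod manifest dict (the shape of `kubectl get pod -o json`) that catches an AppArmor annotation keyed to a container name absent from the spec, and a Localhost seccomp profile that is absolute or missing from the kubelet seccomp root. `seccomp_root`, `SAMPLE_POD` and `demo()` are assumptions for offline use; on a node the root is /var/lib/kubelet/seccomp.

```python
import os
import tempfile

APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"


def check_pod(pod, seccomp_root):
    """Return trap descriptions for a Pod dict; seccomp_root plays /var/lib/kubelet/seccomp."""
    problems = []
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    names = {c["name"] for c in containers}
    # Trap: the AppArmor annotation is keyed per container name; a typo leaves it unconfined.
    for key in pod.get("metadata", {}).get("annotations", {}):
        if key.startswith(APPARMOR_PREFIX) and key[len(APPARMOR_PREFIX):] not in names:
            problems.append(f"AppArmor annotation names unknown container '{key[len(APPARMOR_PREFIX):]}'")
    # Trap: Localhost seccomp profiles resolve relative to the seccomp root and must already exist there.
    for ctx in [spec.get("securityContext", {})] + [c.get("securityContext", {}) for c in containers]:
        profile = ctx.get("seccompProfile", {})
        if profile.get("type") != "Localhost":
            continue
        rel = profile.get("localhostProfile", "")
        if not rel or os.path.isabs(rel):
            problems.append(f"localhostProfile must be relative to the seccomp root, got '{rel}'")
        elif not os.path.isfile(os.path.join(seccomp_root, rel)):
            problems.append(f"seccomp profile '{rel}' not found under {seccomp_root}")
    return problems


# Constructed sample: the annotation targets 'web' (no such container) and the
# sidecar references a profile that was never copied to the node.
SAMPLE_POD = {
    "metadata": {"name": "demo", "annotations": {APPARMOR_PREFIX + "web": "localhost/deny-write"}},
    "spec": {
        "securityContext": {"seccompProfile": {"type": "Localhost", "localhostProfile": "profiles/audit.json"}},
        "containers": [
            {"name": "app", "image": "nginx"},
            {"name": "sidecar", "image": "busybox", "securityContext": {
                "seccompProfile": {"type": "Localhost", "localhostProfile": "profiles/missing.json"}}},
        ],
    },
}


def demo():
    """Check SAMPLE_POD against a temporary seccomp root holding only profiles/audit.json."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "profiles"))
        with open(os.path.join(root, "profiles", "audit.json"), "w") as fh:
            fh.write('{"defaultAction": "SCMP_ACT_LOG"}')  # minimal valid profile, constructed
        return check_pod(SAMPLE_POD, root)
```

`demo()` returns two findings: the AppArmor annotation for the non-existent container and the sidecar's missing profile, while the pod-level profiles/audit.json passes because it exists under the root.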

If You're Stuck

  • Check kubernetes.io docs — search for the security feature name
  • For AppArmor: aa-status on the node shows loaded profiles
  • For audit: kubectl logs kube-apiserver-<node> -n kube-system shows policy errors; if the API server itself failed to come up, kubectl will not answer, so SSH to the control-plane node and use crictl ps -a and crictl logs <container-id> instead
  • For Falco: journalctl -u falco for rule loading issues
  • Skip and flag — CKS has fewer questions, but each is worth more

Cross-References