The Certified Kubernetes Security Specialist (CKS) program was created by the Cloud Native Computing Foundation (CNCF), in collaboration with The Linux Foundation, to help develop the Kubernetes ecosystem.
The Certified Kubernetes Security Specialist (CKS) program provides assurance that a CKS has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime. CKA certification is required to sit for this exam.
The CKS Certified Kubernetes Security Specialist exam is not easy: unlike other exams, it has tasks instead of questions.
Each task provides details on what needs to be implemented, and candidates are expected to configure it in the provided environment.
Candidates should have hands-on experience with Kubernetes.
This guide will help you prepare for the CKA exam.
This is a live document and we will be updating it regularly, so consider adding it to your bookmarks.
The Certified Kubernetes Security Specialist (CKS) certification is designed to provide assurance that certification holders are accomplished Kubernetes practitioners (as evidenced by holding the CKA credential) who have demonstrated competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime.
Certified Kubernetes Security Specialist (CKS) candidates must have taken and passed the Certified Kubernetes Administrator (CKA) exam prior to attempting the CKS exam.
CKS may be purchased but not scheduled until CKA certification has been achieved.
CKA Certification must be active (non-expired) on the date the CKS exam (including Retakes) is scheduled.
CKS is an excellent certification to get if you’re interested in Kubernetes security.
It’s hands-on, so you’ll be learning actual Kubernetes skills rather than merely remembering ideas and instructions as you work toward this certification.
The CKS, on the other hand, has a precondition.
Before you may take the CKS test, you must first achieve your Certified Kubernetes Administrator (CKA).
So, if you already have your CKA and want to learn more about Kubernetes security, check out the CKS!
If you want to learn more about Kubernetes, the CKS is a wonderful certification to get.
We also have a CKA study guide if you need to acquire your CKA first!
The CKA exam costs $375 with one free retake.
You can book the exam here.
We have labs covering the CKS exam.
Candidates who register for the Certified Kubernetes Security Specialist (CKS) exams will have access to an exam simulator, provided by Killer.sh.
Log in to My Portal on the Linux Foundation website and click Start/Resume to view your exam preparation checklist.
The link to the Simulator is available on the “Schedule Exam” checklist item.
Candidates will have two attempts (per exam registration).
Each attempt grants 36 hours of access starting from the time of activation.
The exam simulations include 20-25 questions similar to the ones candidates can expect to encounter on the real exam.
Please review the FAQ section of the Killer.sh site for further information.
You can also try the tasks at Kubernetes.io.
Domain | Weight |
---|---|
Cluster Setup | 10% |
Cluster Hardening | 15% |
System Hardening | 15% |
Minimize Microservice Vulnerabilities | 20% |
Supply Chain Security | 20% |
Monitoring, Logging, and Runtime Security | 20% |
CNCF: Kubernetes Security Essentials (LFS260)
This is a $299 course offered by CNCF.
You can also consider buying a bundle of this course and the exam from CNCF for $575 and save $100.
Offer code SHARELEARN15 will bring it down to $454.
edX: Introduction to Kubernetes
This is a free course by edX, recommended by CNCF.
Udemy: Kubernetes CKS 2021 Complete Course - Theory - Practice
A score of 67% or above must be earned to pass.
Exams are scored automatically, usually within 24 hours of completion.
Results will be emailed within 24 hours from the time that the Exam was completed.
Exams are graded for results.
There may be more than one way to perform a task on an Exam and unless otherwise specified,
the candidate can pick any available path to complete the task as long as it produces the correct result.
During the CKS exam, candidates may:
review the Exam content instructions that are presented in the command line terminal.
review Documents installed by the distribution (i.e. /usr/share and its subdirectories)
use their Chrome or Chromium browser to open one additional tab in order to access
Kubernetes Documentation:
https://kubernetes.io/docs/ and their subdomains
https://github.com/kubernetes/ and their subdomains
https://kubernetes.io/blog/ and their subdomains
This includes all available language translations of these pages (e.g. https://kubernetes.io/zh/docs/ )
Tools:
Trivy documentation https://aquasecurity.github.io/trivy/
Sysdig documentation https://docs.sysdig.com/
Falco documentation https://falco.org/docs/
This includes all available language translations of these pages (e.g. https://falco.org/zh/docs/ )
AppArmor:
Documentation https://gitlab.com/apparmor/apparmor/-/wikis/Documentation
The allowed sites above may contain links that point to external sites.
It is the responsibility of the candidate not to click any links to navigate to a domain that is not allowed.
Check the next pages for resources on specific topics in the CKS Certified Kubernetes Security Specialist exam.
Kubernetes 1.19, but it gives great understanding.
Each task on this exam must be completed on a designated cluster/configuration context.
Sixteen clusters comprise the exam environment, one for each task. Each cluster is made up of one master node and one worker node.
An infobox at the start of each task provides you with the cluster name/context and the hostname of the master and worker node.
You can switch the cluster/configuration context using a command such as the following:
kubectl config use-context <cluster/context name>
Nodes making up each cluster can be reached via ssh, using a command such as the following:
ssh
You have elevated privileges on any node by default, so there is no need to assume elevated privileges.
You must return to the base node (hostname cli) after completing each task.
Nested ssh is not supported.
You can use kubectl and the appropriate context to work on any cluster from the base node. When connected to a cluster member via ssh, you will only be able to work on that particular cluster via kubectl.
For your convenience, all environments, in other words, the base system and the cluster nodes, have the following additional command-line tools pre-installed and pre-configured:
kubectl with k alias and Bash autocompletion
yq and jq for YAML/JSON processing
tmux for terminal multiplexing
curl and wget for testing web services
man and man pages for further documentation
Further instructions for connecting to cluster nodes will be provided in the appropriate tasks.
The CKS environment is currently running etcd v3.5
The CKS environment is currently running Kubernetes v1.22
The CKS exam environment will be aligned with the most recent K8s minor version within approximately 4 to 8 weeks of the K8s release date.
Clutter-free work area
No objects such as paper, writing implements, electronic devices, or other objects on top of surface
No objects such as paper, trash bins, or other objects below the testing surface
Clear walls
No paper/print outs hanging on walls
Paintings and other wall décor are acceptable
Candidates will be asked to remove non-décor items prior to the exam being released
Lighting
Space must be well lit so that the proctor is able to see the candidate’s face, hands, and surrounding work area
No bright lights or windows behind the examinee
Other
Candidate must remain within the camera frame during the examination
Space must be private where there is no excessive noise.
Public spaces such as coffee shops, stores, open office environments, etc. are not allowed.
Please see the Candidate Handbook for additional information covering policies, procedures and rules during the exam.
Candidates are required to provide a non-expired Primary ID that contains the Candidate’s photograph, signature and full name (see acceptable forms of ID in the table below).
The name on your Primary ID must exactly match the verified name on your exam checklist.
If the Candidate’s full name on their Primary ID contains non-Latin characters, then the Candidate must ALSO provide a non-expired Secondary ID containing their full name in Latin characters and signature, OR a notarized English translation of their Primary ID along with the non-Latin character Primary ID.
Primary ID
(non-expired and including photograph and signature):
Passport
Government-issued driver’s license/permit
Government-Issued local language ID (with photo and signature)
National Identity card
State or province-issued identity card
住民基本台帳 (Basic resident register with Photo) or マイナンバーカード(My number card)
Secondary ID
(non-expired and including signature with Candidate name in Latin characters)
Debit (ATM) Card
Credit Card
Health Insurance Card
U.S. Social Security Card
Employee ID Card
Student ID Card
Japanese Health Insurance Card
Additional Allowances:
Some government issued ID such as a passport, driver’s license, military ID or state/country card may be a biometric type and may or may not contain a signature. In these cases Primary ID will be accepted without a signature on condition that you also present a Secondary ID which does contain your signature (e.g. bank, credit or debit card)
For candidates testing in Japan, a Driver’s License (with name and recent recognizable photo) is acceptable as a primary ID as long as it is accompanied by a Japanese health insurance card (健康保険証). In Japan, the Japanese health insurance card (健康保険証) is an acceptable form of secondary ID.
The certification exam is proctored remotely via streaming audio, video, and screen sharing feeds.
The screen sharing feed allows proctors to view candidates’ desktops (including all monitors).
The audio, video, and screen sharing feeds will be stored for a limited period of time in the event that there is a subsequent need for review.
How do I renew CKS Certified Kubernetes Security Specialist certification?
Candidates have the option to retake and pass the exam to renew their certification. Certification Renewal must be completed prior to the certification expiration date. The CKA renewed certification will be valid for a further 3 years effective from the date the exam is passed.
CNCF understand that taking the exams via remote desktop and a new platform environment may cause a lag time for some, however there are trade offs needed to offer this exam remotely.
CNCF will continually monitor and seek to improve the testing experience over time.
When eligible, CNCF do offer free retakes for those who do not pass the first time, regardless of why.