Kubernetes Certified: Security Specialist
Exam Questions | Case study, short answer, repeated answer, MCQs |
Number of Questions | 40-50 |
Time to Complete | 120 minutes |
Exam Fee | 375 USD |
About Certified Kubernetes Security Specialist (CKS)
Certified Kubernetes Security Specialist (CKS) is a performance-based certification exam that assesses candidates’ understanding of Kubernetes and cloud security in a realistic, simulated environment. Prior to taking the CKS test, candidates must have passed the Certified Kubernetes Administrator (CKA) certification. CKS can be purchased, but it cannot be scheduled until CKA certification is obtained.
On the day of the CKS exam (including retakes), the CKA certification must be active (not expired).
Who is it for?
A Certified Kubernetes Security Specialist (CKS) is a skilled Kubernetes practitioner (must be CKA certified) who has demonstrated proficiency in a wide range of best practices for protecting container-based applications and Kubernetes platforms during development, deployment, and runtime.
What is demonstrate?
Obtaining a CKS certifies a candidate’s ability to secure container-based applications and Kubernetes platforms during development, deployment, and runtime, and that they are qualified to do so in a professional setting.
The CKS curriculum (areas of study and weight of each area) is as follows at the time of writing:
- Cluster Setup
- Cluster Hardening
- System Hardening
- Minimize Microservice Vulnerabilities
- Supply Chain Security
- Monitoring, Logging and Runtime Security
Recommended Knowledge
- Use Network security policies to restrict cluster level access
- Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
- Properly set up Ingress objects with security control
- Protect node metadata and endpoints
- Minimize use of, and access to, GUI elements
- Verify platform binaries before deploying
- Restrict access to Kubernetes API
- Use Role Based Access Controls to minimize exposure
- Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones
- Update Kubernetes frequently
- Minimize host OS footprint (reduce attack surface)
- Minimize IAM roles
- Minimize external access to the network
- Appropriately use kernel hardening tools such as AppArmor, seccomp
- Setup appropriate OS level security domains e.g. using PSP, OPA, security contexts
- Manage Kubernetes secrets
- Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers)
- Implement pod to pod encryption by use of mTLS
- Minimize base image footprint
- Secure your supply chain: whitelist allowed registries, sign and validate images
- Use static analysis of user workloads (e.g.Kubernetes resources, Docker files)
- Scan images for known vulnerabilities
- Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities
- Detect threats within physical infrastructure, apps, networks, data, users, and workloads
- Detect all phases of attack regardless where it occurs and how it spreads
- Perform deep analytical investigation and identification of bad actors within environment
- Ensure immutability of containers at runtime
- Use Audit Logs to monitor access
The following general domains and their weights on the exam are included in this exam curriculum:
Domain | Percentage | |
Domain 1 | Cluster Setup | 10% |
Domain 2 | Cluster Hardening | 15% |
Domain 3 | System Hardening | 15% |
Domain 4 | Minimize Microservice Vulnerabilities | 20% |
Domain 5 | Supply Chain Security | 20% |
Domain 6 | Monitoring, Logging and Runtime Security | 20% |
DevOps Certified:
Kubernetes Security Specialist (CKS): First Edition - 2022
- Covers Complete & Official Exam Blueprint
- Summarized content
- Case study based approach
- Ready to practice labs
- Exam tips
- Mind maps
- 100% passing guarantee