CKS Exam Study Guide (Certified Kubernetes Security Specialist)

Certified Kubernetes Security Specialist Exam Study Guide

Prepare for the CKS Kubernetes Exam

Preparing for the CKS Certified Kubernetes Security Specialist exam? Don’t know where to start? This post is the CKS Kubernetes Security Specialist Certification Exam Preparation Study Guide (with links to each exam objective).

I have curated a list of articles from the Kubernetes documentation and other blogs on the web for each objective of the CKS Certification exam. Please share the post within your circles so it helps them to prepare for the exam.

CKS Kubernetes Security Exam Coupon

Coupon: Use Code SUMMER25

CKS Kubernetes Security Specialist Course

Udemy Kubernetes Security Course and Simulator
Pluralsight Configuring & Managing Kubernetes Security

CKS Kubernetes Security Specialist Materials

Linux Foundation Kubernetes Security Essentials
Amazon e-book (PDF) Learn everything about Kubernetes Security

CKS Kubernetes Security Exam Prerequisites

You should have attempted & cleared the Certified Kubernetes Administrator (CKA) exam prior to attempting the CKS exam.

Check out all the other DevOps/Kubernetes certificate study guides

Full Disclosure: Some of the links in this post are affiliate links. I receive a commission when you purchase through them.

Cluster Setup – 10%

Use Network security policies to restrict cluster level access

Using Network Policies to control traffic flow

Securing a Kubernetes cluster

Declare Network Policy to govern how pods communicate

Enforcing Network Policies in Kubernetes

Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)

Understand what are the Center for Internet Security (CIS) Benchmarks

Kube-bench: A tool for running Kubernetes CIS Benchmark tests

CIS Benchmarks for etcd & kubelet

Properly set up Ingress objects with security control

What is Ingress?

What are Ingress Controllers?

Set up Ingress on Minikube Ingress Controller

Protect node metadata and endpoints

Restricting cloud metadata API access

Setting up secure endpoints in Kubernetes

Protecting cluster metadata (GKE)

Minimize use of, and access to, GUI elements

Web-based Kubernetes User Interface

On Securing the Kubernetes Dashboard

Verify platform binaries before deploying

Kubernetes platform binaries

Cluster Hardening – 15%

Restrict access to Kubernetes API

Hardening your cluster’s security

Controlling Access to the Kubernetes API

Use Role-Based Access Controls to minimize exposure

Authorization modes for Kubernetes API server

Using RBAC Authorization

[Video]: Understand Role-Based Access Control in Kubernetes

Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones

Kubernetes Access Control: Exploring Service Accounts

Kubernetes: Creating Service Accounts and Kubeconfigs

Configure Service Accounts for Pods

Disable default service account by deployments in Kubernetes

Kubernetes shouldn’t mount a default service account

Securing Kubernetes Clusters by Eliminating Risky Permissions

Update Kubernetes frequently

Upgrading kubeadm clusters

kubeadm upgrade

System Hardening – 15%

Minimize host OS footprint (reduce attack surface)

Reduce Kubernetes Attack Surfaces

Minimize IAM roles

What is the Principle of Least Privilege (POLP)?

Minimize external access to the network

Secure hosts with OS-level firewall (ufw)

Use security groups to secure network (Azure)

Amazon EKS security group considerations

Appropriately use kernel hardening tools such as AppArmor, seccomp

Kubernetes Hardening Best Practices

Restrict a Container’s Access to Resources with AppArmor

Restrict a Container’s Syscalls with Seccomp

Minimize Microservice Vulnerabilities – 20%

Setup appropriate OS-level security domains e.g. using PSP, OPA, security contexts

Pod Security Policies

[Video]: Open Policy Agent Introduction

OPA Gatekeeper: Policy and Governance for Kubernetes

Enforce policies on Kubernetes objects with OPA

Configure a Security Context for a Pod or Container

Manage Kubernetes secrets

Use secrets to store sensitive information

Managing Secrets in Kubernetes

Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers)

What is gVisor?

Implementing secure Containers using Google’s gVisor

Use gVisor to run Kubernetes pods

Kata containers and Kubernetes: How do they fit together?

How to use Kata Containers with Kubernetes?

Implement pod to pod encryption by use of mTLS

Mutual TLS Authentication (mTLS) De-Mystified

Traffic encryption using mTLS

Using Istio to improve end-to-end security


Supply Chain Security – 20%

Minimize base image footprint

Why build small container images in Kubernetes

Use the smallest base image possible

Secure your supply chain: whitelist allowed registries, sign and validate images

Admission Controllers: What are they?

How to reject docker registries in Kubernetes?

Ensure images only from approved sources are run

Restrict pulling images from Registry

Container image signatures in Kubernetes

Use static analysis of user workloads (e.g. Kubernetes resources, Docker files)

Static analysis with Kube-score

Kubernetes static code analysis with Checkov

Static analysis with Clair

Scan images for known vulnerabilities

Scan your Docker images for vulnerabilities

Scan your Docker containers for vulnerabilities with Clair

Monitoring, Logging and Runtime Security – 20%

Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities

How to detect a Kubernetes vulnerability using Falco

Kubernetes Security monitoring at scale

Detect threats within the physical infrastructure, apps, networks, data, users, and workloads

Common Kubernetes config security threats

Guidance on Kubernetes threat modeling

Threat matrix for Kubernetes

Detect all phases of attack regardless of where it occurs and how it spreads

Investigating Kubernetes attack scenarios in Threat Stack

Anatomy of a Kubernetes attack – How untrusted Docker images fail us

Perform deep analytical investigation and identification of bad actors within the environment

Kubernetes security 101: Risks and Best practices

Ensure immutability of containers at runtime

Leverage Kubernetes to ensure that containers are immutable

Why we should use immutable Docker images?

With immutable infrastructure, your systems can rise from the dead

Use Audit Logs to monitor access

Kubernetes auditing

How to monitor Kubernetes audit logs?

Kubernetes audit logging

This brings us to the end of the Certified Kubernetes Security Specialist (CKS) Exam Preparation Study Guide.

What do you think? Let me know in the comments section if I have missed anything. I would also love to hear from you about how your preparation is going!

In case you are preparing for other DevOps / Kubernetes certification exams, check out the Kubernetes study guides for those exams.
