CKS Exam Study Guide (Certified Kubernetes Security Specialist)

Certified Kubernetes Security Specialist Exam Study Guide

Prepare for the CKS Kubernetes Exam

Preparing for the CKS Certified Kubernetes Security Specialist exam? Don’t know where to start? This post is the CKS Kubernetes Security Specialist Certification Exam Preparation Study Guide (with links to each exam objective).

I have curated a list of articles from the Kubernetes documentation and other blogs on the web for each objective of the CKS Certification exam. Please share the post within your circles so it helps them to prepare for the exam.

CKS Kubernetes Security Exam Coupon

Coupon: Use Code SUMMER25

CKS Kubernetes Security Specialist Course

Udemy Kubernetes Security Course and Simulator
Pluralsight Configuring & Managing Kubernetes Security

CKS Kubernetes Security Specialist Materials

Linux Foundation Kubernetes Security Essentials
Amazon e-book (PDF) Learn everything about Kubernetes Security

CKS Kubernetes Security Exam Prerequisites

You should have attempted & cleared the Certified Kubernetes Administrator (CKA) exam prior to attempting the CKS exam.

Check out all the other DevOps/Kubernetes certificate study guides

Full Disclosure: Some of the links in this post are affiliate links. I receive a commission when you purchase through them.

Cluster Setup – 10%

Use Network security policies to restrict cluster level access

Using Network Policies to control traffic flow

Securing a Kubernetes cluster

Declare Network Policy to govern how pods communicate

Enforcing Network Policies in Kubernetes

Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)

Understand what are the Center for Internet Security (CIS) Benchmarks

Kube-bench: A tool for running Kubernetes CIS Benchmark tests

CIS Benchmarks for etcd & kubelet

Properly set up Ingress objects with security control

What is Ingress?

What are Ingress Controllers?

Set up Ingress on Minikube Ingress Controller

Protect node metadata and endpoints

Restricting cloud metadata API access

Setting up secure endpoints in Kubernetes

Protecting cluster metadata (GKE)

Minimize use of, and access to, GUI elements

Web-based Kubernetes User Interface

On Securing the Kubernetes Dashboard

Verify platform binaries before deploying

Kubernetes platform binaries

Cluster Hardening – 15%

Restrict access to Kubernetes API

Hardening your cluster’s security

Controlling Access to the Kubernetes API

Use Role-Based Access Controls to minimize exposure

Authorization modes for Kubernetes API server

Using RBAC Authorization

[Video]: Understand Role-Based Access Control in Kubernetes

Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones

Kubernetes Access Control: Exploring Service Accounts

Kubernetes: Creating Service Accounts and Kubeconfigs

Configure Service Accounts for Pods

Disable default service account by deployments in Kubernetes

Kubernetes shouldn’t mount a default service account

Securing Kubernetes Clusters by Eliminating Risky Permissions

Update Kubernetes frequently

Upgrading kubeadm clusters

kubeadm upgrade

System Hardening – 15%

Minimize host OS footprint (reduce attack surface)

Reduce Kubernetes Attack Surfaces

Minimize IAM roles

What is the Principle of Least Privilege (POLP)?

Minimize external access to the network

Secure hosts with OS-level firewall (ufw)

Use security groups to secure network (Azure)

Amazon EKS security group considerations

Appropriately use kernel hardening tools such as AppArmor, seccomp

Kubernetes Hardening Best Practices

Restrict a Container’s Access to Resources with AppArmor

Restrict a Container’s Syscalls with Seccomp

Minimize Microservice Vulerabilities – 20%

Setup appropriate OS-level security domains e.g. using PSP, OPA, security contexts

Pod Security Policies

[Video]: Open Policy Agent Introduction

OPA Gatekeeper: Policy and Governance for Kubernetes

Enforce policies on Kubernetes objects with OPA

Configure a Security Context for a Pod or Container

Manage Kubernetes secrets

Use secrets to store sensitive information

Managing Secrets in Kubernetes

Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers)

What is gVisor?

Implementing secure Containers using Google’s gVisor

Use gVisor to run Kubernetes pods

Kata containers and Kubernetes: How do they fit together?

How to use Kata Containers with Kubernetes?

Implement pod to pod encryption by use of mTLS

Mutual TLS Authentication (mTLS) De-Mystified

Traffic encryption using mTLS

Using Istio to improve end-to-end security

cks kubernetes security

Amazon link (affiliate)

Supply Chain Security – 20%

Minimize base image footprint

Why build small container images in Kubernetes

Use the smallest base image possible

Secure your supply chain: whitelist allowed registries, sign and validate images

Admission Controllers: What are they?

How to reject docker registries in Kubernetes?

Ensure images only from approved sources are run

Restrict pulling images from Registry

Container image signatures in Kubernetes

Use static analysis of user workloads (e.g.Kubernetes resources, Docker files)

Static analysis with Kube-score

Kubernetes static code analysis with Checkov

Static analysis with Clair

Scan images for known vulnerabilities

Scan your Docker images for vulnerabilities

Scan your Docker containers for vulnerabilities with Clair

Monitoring, Logging and Runtime Security – 20%

Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities

How to detect a Kubernetes vulnerability using Falco

Kubernetes Security monitoring at scale

Detect threats within the physical infrastructure, apps, networks, data, users, and workloads

Common Kubernetes config security threats

Guidance on Kubernetes threat modeling

Threat matrix for Kubernetes

Detect all phases of attack regardless of where it occurs and how it spreads

Investigating Kubernetes attack scenarios in Threat Stack

Anatomy of a Kubernetes attack – How untrusted Docker images fails us

Perform deep analytical investigation and identification of bad actors within the environment

Kubernetes security 101: Risks and Best practices

Ensure immutability of containers at runtime

Leverage Kubernetes to ensure that containers are immutable

Why we should use immutable Docker images?

With immutable infrastructure, your systems can rise from the dead

Use Audit Logs to monitor access

Kubernetes auditing

How to monitor Kubernetes audit logs?

Kubernetes audit logging

This brings us to the end of the Certified Kubernetes Security Specialist (CKS) Exam Preparation Study Guide.

What do you think? Let me know in the comments section if I have missed out on anything. Also, I love to hear from you about how your preparation is going on!

In case you are preparing for other DevOps / Kubernetes certification exams, check out the Kubernetes study guides for those exams.

Follow Me to Receive Updates on CKS Exam

Want to be notified as soon as I post? Subscribe to the RSS feed / leave your email address in the subscribe section. Share the article to your social networks with the below links so it can benefit others.

Share the CKS Study Guide in Your Networks

You may also like


  1. Thanks for putting this page together. I was interested in this certification and found this useful