Who Is It For
A Certified Kubernetes Security Specialist (CKS) is an accomplished Kubernetes practitioner (must be CKA certified) who has demonstrated competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime.
About This Certification
CKS is a performance-based certification exam that tests candidates’ knowledge of Kubernetes and cloud security in a simulated, real world environment. Candidates must have taken and passed the Certified Kubernetes Administrator (CKA) exam prior to attempting the CKS exam. CKS may be purchased but not scheduled until CKA certification has been achieved. CKA Certification must be active (non-expired) on the date the CKS exam (including Retakes) is scheduled.
What It Demonstrates
Obtaining a CKS demonstrates a candidate possesses the requisite abilities to secure container-based applications and Kubernetes platforms during build, deployment and runtime, and is qualified to perform these tasks in a professional setting.
The certification exam tests specific domains and competencies including:
Domains & Competencies
Cluster Setup – 10%
Use Network security policies to restrict cluster level access
Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
Properly set up Ingress objects with security control
Protect node metadata and endpoints
Minimize use of, and access to, GUI elements
Verify platform binaries before deploying
Cluster Hardening – 15%
Restrict access to Kubernetes API
Use Role Based Access Controls to minimize exposure
Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones
Update Kubernetes frequently
System Hardening – 15%
Minimize host OS footprint (reduce attack surface)
Minimize IAM roles
Minimize external access to the network
Appropriately use kernel hardening tools such as AppArmor, seccomp
Minimize Microservice Vulnerabilities – 20%
Setup appropriate OS level security domains e.g. using PSP, OPA, security contexts
Manage Kubernetes secrets
Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers)
Implement pod to pod encryption by use of mTLS
Supply Chain Security – 20%
Minimize base image footprint
Secure your supply chain: whitelist allowed registries, sign and validate images
Use static analysis of user workloads (e.g. Kubernetes resources, Docker files)
Scan images for known vulnerabilities
Monitoring, Logging, and Runtime Security – 20%
Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities
Detect threats within physical infrastructure, apps, networks, data, users and workloads
Detect all phases of attack regardless where it occurs and how it spreads
Perform deep analytical investigation and identification of bad actors within environment
Ensure immutability of containers at runtime
Use Audit Logs to monitor access
Exam Details & Resources
This exam is an online, proctored, performance-based test that requires solving multiple tasks from a command line running Kubernetes. Candidates have 2 hours to complete the tasks.
Certified Kubernetes Security Specialist (CKS) candidates must have taken and passed the Certified Kubernetes Administrator (CKA) exam prior to attempting the CKS exam.
The exam is based on Kubernetes v1.23. The CKS exam environment will be aligned with the most recent K8s minor version within approximately 4 to 8 weeks of the K8s release date.
Please review the Candidate Handbook, Curriculum Overview and Exam Tips along with other recommended resources below.
A (non-expired) CKA certification is a prerequisite for this exam.
Who Is It For
This certification is for Kubernetes engineers, cloud engineers and other IT professionals responsible for building, deploying, and configuring cloud native applications with Kubernetes.
About This Certification
CKAD has been developed by The Linux Foundation and the Cloud Native Computing Foundation (CNCF), to help expand the Kubernetes ecosystem through standardized training and certification. This exam is an online, proctored, performance-based test that consists of a set of performance-based tasks (problems) to be solved in a command line.
What It Demonstrates
The Certified Kubernetes Application Developer (CKAD) can design, build and deploy cloud-native applications for Kubernetes. A CKAD can define application resources and use Kubernetes core primitives to create/migrate, configure, expose and observe scalable applications. The exam assumes working knowledge of container runtimes and microservice architecture.
The successful candidate will be comfortable:
working with (OCI-compliant) container images
applying Cloud Native application concepts and architectures
working with and validating Kubernetes resource definitions
This exam curriculum includes these general domains and their weights on the exam:
Application Design and Build – 20%
Define, build and modify container images
Understand Jobs and CronJobs
Understand multi-container Pod design patterns (e.g. sidecar, init and others)
Utilize persistent and ephemeral volumes
Application Deployment – 20%
Use Kubernetes primitives to implement common deployment strategies (e.g. blue/green or canary)
Understand Deployments and how to perform rolling updates
Use the Helm package manager to deploy existing packages
Application Observability and Maintenance – 15%
Understand API deprecations
Implement probes and health checks
Use provided tools to monitor Kubernetes applications
Utilize container logs
Debugging in Kubernetes
Application Environment, Configuration and Security – 25%
Discover and use resources that extend Kubernetes (CRD)
Understand authentication, authorization and admission control
Understanding and defining resource requirements, limits and quotas
Understand ConfigMaps
Create & consume Secrets
Understand ServiceAccounts
Understand SecurityContexts
Services and Networking – 20%
Demonstrate basic understanding of NetworkPolicies
Provide and troubleshoot access to applications via services
Use Ingress rules to expose applications
Exam Details & Resources
This exam is an online, proctored, performance-based test that consists of a set of performance-based tasks (problems) to be solved in a command line. Candidates have 2 hours to complete the tasks.
The exam is based on Kubernetes v1.24. The CKAD exam environment will be aligned with the most recent K8s minor version within approximately 4 to 8 weeks of the K8s release date.
Who Is It For
This certification is for Kubernetes administrators, cloud administrators and other IT professionals who manage Kubernetes instances.
About This Certification
CKA was created by The Linux Foundation and the Cloud Native Computing Foundation (CNCF) as a part of their ongoing effort to help develop the Kubernetes ecosystem. The exam is an online, proctored, performance-based test that requires solving multiple tasks from a command line running Kubernetes.
What It Demonstrates
A certified K8s administrator has demonstrated the ability to do basic installation as well as configuring and managing production-grade Kubernetes clusters. They will have an understanding of key concepts such as Kubernetes networking, storage, security, maintenance, logging and monitoring, application lifecycle, troubleshooting, API object primitives and the ability to establish basic use-cases for end users.
The Certification focuses on the skills required to be a successful Kubernetes Administrator in industry today. This includes these general domains and their weights on the exam:
Domains & Competencies
Storage
Understand storage classes, persistent volumes
Understand volume mode, access modes and reclaim policies for volumes
Understand persistent volume claims primitive
Know how to configure applications with persistent storage
Workloads & Scheduling – 15%
Understand deployments and how to perform rolling update and rollbacks
Use ConfigMaps and Secrets to configure applications
Know how to scale applications
Understand the primitives used to create robust, self-healing, application deployments
Understand how resource limits can affect Pod scheduling
Awareness of manifest management and common templating tools
Cluster Architecture, Installation & Configuration – 25%
Manage role based access control (RBAC)
Use Kubeadm to install a basic cluster
Manage a highly-available Kubernetes cluster
Provision underlying infrastructure to deploy a Kubernetes cluster
Perform a version upgrade on a Kubernetes cluster using Kubeadm
Implement etcd backup and restore
Services & Networking – 20%
Understand host networking configuration on the cluster nodes
Understand connectivity between Pods
Understand ClusterIP, NodePort, LoadBalancer service types and endpoints
Know how to use Ingress controllers and Ingress resources
Know how to configure and use CoreDNS
Choose an appropriate container network interface plugin
Exam Details & Resources
This exam is an online, proctored, performance-based test that requires solving multiple tasks from a command line running Kubernetes.
The exam is based on Kubernetes v1.27. The CKA exam environment will be aligned with the most recent K8s minor version within approximately 4 to 8 weeks of the K8s release date.
This cheatsheet contains useful commands and information that will be handy to review before taking the exam. This cheatsheet is NOT the exam answer, just for your revision and reference ONLY!!!
Core Concepts
View pods in namespace dev:
kubectl get pods -n dev
View all pods in all namespaces:
kubectl get pods -A
View all resources in all namespaces:
kubectl get all -A
Generate a pod yaml file with nginx image and label env=prod:
kubectl run nginx --image=nginx --labels=env=prod --dry-run=client -o yaml > nginx_pod.yaml