This repository is a collection of resources to prepare for the Certified Kubernetes Security Specialist (CKSS) exam.
The given references and links below are just assumptions and ideas around the CKSS curriculum.
The Kubernetes Security Specialist (CKS) certification ensure that the holder has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime.
The certification is generally available to take from here as anounced during the KubeCon NA20
The CKS test will be online, proctored and performance-based with 15-20 hands-on performance based tasks, and candidates have 2 hours to complete the exam tasks.
From the CKS Exam Curriculum repository, The exam will test domains and competencies including:
- Cluster Setup (15%): Best practice configuration to control the environment's access, rights and platform conformity.
- Cluster Hardening (15%): Protecting K8s API and utilize RBAC.
- System Hardening (10%): Improve the security of OS & Network; restrict access through IAM
- Minimize Microservice Vulnerabilities (20%): Utilizing on K8s various mechanisms to isolate, protect and control workload.
- Supply Chain Security (20%): Container oriented security, trusted resources, optimized container images, CVE scanning.
- Monitoring, Logging, and Runtime Security (20%): Analyse and detect threads.
In order to take the CKS exam, you must have Valid CKA certification prior to attempting the CKS exam to demonstrate you possess sufficient Kubernetes expertise. A first good starting point for securing Kubernetes is the Task section Securing a Cluster of the official K8s documentation. The exam will be based on the version of Kubernetes as specified by the CKS Curriculum doc in the CNCF Curriculum repository
According to the LF docs, during the CKS exam the candidates may:
-
review the Exam content instructions that are presented in the command line terminal.
-
review Documents installed by the distribution (i.e. /usr/share and its subdirectories)
-
use the Firefox browser in the exam environment in order to access
-
Kubernetes Documentation:
- https://kubernetes.io/docs/ and their subdomains
- https://kubernetes.io/blog/ and their subdomains
This includes all available language translations of these pages (e.g. https://kubernetes.io/zh/docs/)
-
Tools:
- Falco documentation https://falco.org/docs/
- Bom documentation https://kubernetes-sigs.github.io/bom/cli-reference/
- etcd documentation https://etcd.io/docs/
- NGINX Ingress Controller Documentation https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/
- Cilium Documentation https://docs.cilium.io/en/stable
- Istio Documentation https://istio.io/latest/docs/
The allowed sites above may contain links that point to external sites. It is the responsibility of the candidate not to click any links to navigate to a domain that is not allowed but the exam environment is typically configured to block access to disallowed domains.
-
Use Network security policies to restrict cluster level access
Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
- CIS benchmark for Kubernetes
- What is Center for Internet Security (CIS) Benchmarks
- Kube-bench: A tool for running Kubernetes CIS Benchmark tests
- GKE: CIS Benchmarks for etcd & kubelet
Properly set up Ingress objects with TLS
Protect node metadata and endpoints
Verify platform binaries before deploying
Use Role Based Access Controls to minimize exposure
Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones
- Managing Service Accounts
- Default roles and role bindings
- Authorization Modes
- Configure Service Accounts for Pods
- Kubernetes should not mount default service account credentials by default
- Kubernetes: Creating Service Accounts and Kubeconfigs
- Kubernetes Access Control: Exploring Service Accounts
- Disable default service account by deployments in Kubernetes
- Securing Kubernetes Clusters by Eliminating Risky Permissions
- Understand Role Based Access Control in Kubernetes
- Cloud Native Short Take - Kubernetes: Roles-based Access Control RBAC
Restrict access to Kubernetes API
Minimize host OS footprint (reduce attack surface)
Using least-privilege identity and access management
Minimize external access to the network
Appropriately use kernel hardening tools such as AppArmor, seccomp
Use appropriate pod security standards
Manage kubernetes secrets
Understand and implement isolation techniques (multi-tenancy, sandboxed containers, etc.)
Implement Pod-to-Pod encryption (Cilium, Istio)
Minimize base image footprint
Secure your supply chain (permitted registries, sign and validate artifacts, etc.)
Perform static analysis of user workloads and container images (e.g. Kubesec, KubeLinter)
Understand your supply chain (e.g. SBOM, CI/CD, artifact repositories)
Perform behavioral analytics to detect malicious activities
Detect threats within physical infrastructure, apps, networks, data, users and workloads
Investigate and identify phases of attack and bad actors within the environment
Ensure immutability of containers at runtime
Use Kubernetes audit logs to monitor access
- FREE CKS self-study course
- Kubernetes Security Essentials (LFS260) video course
- Cloud Native Security Tutorial
- Killer Shell CKS Simulator
- Killer Coda CKS Simulator
- Sysdig Kubernetes Security Guide
- Kubernetes Security Best Practices - Ian Lewis, Google
- Kubernetes security concepts and demos
- Tutorial: Getting Started With Cloud Native Security - Liz Rice, Aqua Security & Michael Hausenblas
- 11 Ways (Not) to Get Hacked
- Kubernetes Goat
- Kubernetes CTF on vagrant environment (archived)
- CKS 5-day Boot Camp (live, instructor-led)
- CKS 1-day Exam Prep (live, instructor-led)
- Certified Kubernetes Security Specialist 2026 video course
- NSA/CISA Kubernetes Hardening Guidance 08/2022
- LIVING DOCUMENT - I WILL UPDATE IT FREQUENTLY WHEN I HAVE NEW INFORMATIONS
- PRs are always welcome so star, fork and contribute
- please make a pull request if you would like to add or update
Ibrahim Jelliti © 2020