How to prepare for the upcoming Certified Kubernetes Security Specialist (CKS)

CNCF has published the new Certified Kubernetes Security Specialist (CKS) certification, which is expected to be generally available before November 2020. We had a look at the curriculum and at how to prepare for the content known so far.

LIVING DOCUMENT - WE WILL UPDATE IT FREQUENTLY WHEN WE HAVE NEW INFORMATION

Earlier this year CNCF announced changes to the Certified Kubernetes Administrator (CKA). We roughly compared the old and the new curriculum and saw that some of the security topics will be dropped from the new CKA exam. This led us to the assumption that the CNCF would introduce a security-specialised certification. And here it is!

Certified Kubernetes Security Specialist (CKS)

In the announcement of the CNCF the CKS is described as

... testing competence across best practices for securing container-based applications and Kubernetes platforms during build, deployment, and runtime. The new certification is designed to enable cloud native professionals to demonstrate security skills to current and potential employers.

According to the current timeline, it should be generally available before KubeCon/CloudNativeCon NA in November. The training and certification page of the Linux Foundation states that the CKS will run on Kubernetes 1.19. The v1.19 release is planned for the 25th of August, so we expect the first exams in mid-October.

CKS required competencies and domains

Before we come to the summary of potentially relevant learning resources for the CKS, let's have a look at the outline given so far (this can still change) and the weight per domain.

  • Cluster Setup – 10%: Best practice configuration to control the environment's access, rights and platform conformity.
  • Cluster Hardening – 15%: Protecting the K8s API and utilizing RBAC.
  • System Hardening – 15%: Improve the security of OS & network; restrict access through IAM.
  • Minimize Microservice Vulnerabilities – 20%: Utilizing the various K8s mechanisms to isolate, protect and control workloads.
  • Supply Chain Security – 20%: Container-oriented security, trusted resources, optimized container images, CVE scanning.
  • Monitoring, Logging and Runtime Security – 20%: Analyse and detect threats.

From our experience this looks pretty good: it covers the domains that directly affect K8s security, and pretty much the whole stack from installation & OS to K8s configuration, the container itself and day-2 analytics. However, I'm a little bit concerned about how all of this should fit into a 2h exam.

CKS Exam Preparation

One of the preconditions for taking the CKS is a valid CKA. If that was a while ago, start with the CKA prep to refresh your knowledge. A good first starting point for securing Kubernetes is the Tasks section of the official K8s documentation.

Cluster Setup

Cluster Hardening

System Hardening

Minimize Microservice Vulnerabilities

Supply Chain Security

  • Minimize base image footprint
    NCD: A good starting point for this is the 7 best practices for building containers. In general, we prefer to start from small container images like alpine and only add what is needed.
  • Secure your supply chain: whitelist allowed registries, sign and validate images
    NCD: Open Policy Agent has an example of how to restrict image pulls to certain registries. Docker also describes an easy way to do so. In any case it makes sense to familiarize yourself with Kubernetes Admission Control to get the concepts.
  • Use static analysis of user workloads (e.g. Kubernetes resources, Dockerfiles)
    NCD: potentially something like kube-hunter (note that it probes a running cluster; for static checks of Dockerfiles and manifests, linters such as hadolint or kubesec are the closer fit).
  • Scan images for known vulnerabilities
    NCD: scanning images by hand could be fun, but more likely you will have the possibility to use clair.
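The registry whitelist from the second bullet is the piece most people end up wiring into admission control. As an added example (it is not from this post, nor OPA's or Docker's code), here is the decision logic of a validating admission webhook in plain Python: it takes an AdmissionReview request for a Pod and rejects it when any container image comes from a registry outside a constructed allowlist or floats on the `latest` tag. The allowlist, the registry names and the sample Pod are assumptions made for the example. The image-reference parsing follows the rules the container runtime applies, which is why a bare `nginx` resolves to `docker.io/library/nginx:latest` and is rejected.

```python
"""Image-registry allowlisting as the decision logic of a validating admission
webhook. Added example, not the post's or OPA's code; the allowlist and the
sample AdmissionReview below are constructed for the example."""
import json

# Constructed allowlist (assumption): images may only come from these registries.
ALLOWED_REGISTRIES = {"registry.example.internal", "gcr.io"}
DEFAULT_REGISTRY = "docker.io"


def normalize_image(image):
    """Split an image reference into registry, repository, tag and digest using
    the same rules as the container runtime: the first path component is only a
    registry if it contains '.' or ':' or is 'localhost'; otherwise the image
    comes from Docker Hub, so a bare 'nginx' means docker.io/library/nginx:latest."""
    digest = None
    if "@" in image:
        image, digest = image.split("@", 1)
    parts = image.split("/")
    first = parts[0]
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, "/".join(parts[1:])
    else:
        registry, path = DEFAULT_REGISTRY, image
        if "/" not in path:
            path = "library/" + path  # Docker Hub official images live under library/
    tag = None
    # A ':' after the last '/' separates the tag; before it, it would be a port.
    if path.rfind(":") > path.rfind("/"):
        path, tag = path.rsplit(":", 1)
    if tag is None and digest is None:
        tag = "latest"  # what the runtime pulls when nothing is specified
    return {"registry": registry, "repository": path, "tag": tag, "digest": digest}


def image_violations(image):
    """Policy: allowlisted registry, and no mutable 'latest' tag."""
    ref = normalize_image(image)
    problems = []
    if ref["registry"] not in ALLOWED_REGISTRIES:
        problems.append(f"{image}: registry {ref['registry']} is not allowlisted")
    if ref["tag"] == "latest":
        problems.append(f"{image}: floating tag 'latest' is not allowed, pin a tag or digest")
    return problems


def review_pod(admission_review):
    """Produce the AdmissionReview response for a Pod CREATE/UPDATE request.
    Init and ephemeral containers are checked too; skipping them is a classic bypass."""
    request = admission_review["request"]
    spec = request["object"]["spec"]
    containers = (spec.get("initContainers", []) + spec.get("containers", [])
                  + spec.get("ephemeralContainers", []))
    problems = []
    for container in containers:
        problems.extend(image_violations(container["image"]))
    response = {"uid": request["uid"], "allowed": not problems}
    if problems:
        response["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


# Constructed request: the shape the API server POSTs to the webhook endpoint.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "705ab4f5-6393-11e8-b7cc-42010a800002",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "operation": "CREATE",
        "namespace": "prod",
        "object": {
            "apiVersion": "v1",
            "kind": "Pod",
            "metadata": {"name": "web", "namespace": "prod"},
            "spec": {
                "initContainers": [{"name": "init", "image": "gcr.io/my-project/init:1.4.2"}],
                "containers": [
                    {"name": "app", "image": "registry.example.internal/team/app@sha256:" + "ab" * 32},
                    {"name": "sidecar", "image": "nginx"},  # really docker.io/library/nginx:latest
                ],
            },
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(review_pod(SAMPLE_REVIEW), indent=2))
```

In a real deployment this function sits behind an HTTPS endpoint that a ValidatingWebhookConfiguration points at, with `failurePolicy: Fail` so that an outage of the webhook does not silently switch the control off; the same decision is what an OPA/Gatekeeper policy expresses in Rego.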

Monitoring, Logging and Runtime Security

  • Perform behavioral analytics of syscall, process and file activities at the host and container level to detect malicious activities
  • Detect threats within physical infrastructure, apps, networks, data, users and workloads
  • Detect all phases of attack regardless of where it occurs and how it spreads
  • Perform deep analytical investigation and identification of bad actors within the environment
  • Ensure immutability of containers at runtime
    NCD: potentially something like falco could help.
  • Use Audit Logs to monitor access
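Audit logs from the last bullet only help if something actually reads them. As an added example (not from the original post or from any of the tools mentioned), the following Python runs a few detection rules over constructed `audit.k8s.io/v1` events in the JSON-lines format the API server writes with `--audit-log-path`: successful secret reads by non-platform identities, exec/attach into Pods, any resource request from `system:anonymous`, and bursts of 403 responses from one identity that look like permission probing. The user names, IP addresses and the threshold are assumptions made for the example.

```python
"""Detection logic over Kubernetes API server audit events (audit.k8s.io/v1,
one JSON object per line as written by --audit-log-path).
Added example, not from the original post; the events below are constructed."""
import json
from collections import Counter

# Constructed sample events (assumption): a developer reading a secret and
# exec'ing into a pod, a controller reading a secret, an anonymous caller,
# and a CI identity collecting 403s across unrelated resources.
SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"RequestReceived","requestURI":"/api/v1/namespaces/prod/secrets/db-creds","verb":"get","user":{"username":"jane","groups":["developers"]},"sourceIPs":["10.0.0.7"],"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/secrets/db-creds","verb":"get","user":{"username":"jane","groups":["developers"]},"sourceIPs":["10.0.0.7"],"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods/web-0/exec?command=sh&stdin=true&tty=true","verb":"create","user":{"username":"jane","groups":["developers"]},"sourceIPs":["10.0.0.7"],"objectRef":{"resource":"pods","namespace":"prod","name":"web-0","subresource":"exec"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets/bootstrap-token","verb":"get","user":{"username":"system:kube-controller-manager"},"sourceIPs":["10.0.0.2"],"objectRef":{"resource":"secrets","namespace":"kube-system","name":"bootstrap-token"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/secrets","verb":"list","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.9"],"objectRef":{"resource":"secrets","namespace":"prod"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a5","stage":"ResponseComplete","requestURI":"/api/v1/secrets","verb":"list","user":{"username":"ci-bot"},"sourceIPs":["10.0.0.40"],"objectRef":{"resource":"secrets"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a6","stage":"ResponseComplete","requestURI":"/api/v1/nodes","verb":"list","user":{"username":"ci-bot"},"sourceIPs":["10.0.0.40"],"objectRef":{"resource":"nodes"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a7","stage":"ResponseComplete","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","verb":"create","user":{"username":"ci-bot"},"sourceIPs":["10.0.0.40"],"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a8","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods/web-0","verb":"get","user":{"username":"jane","groups":["developers"]},"sourceIPs":["10.0.0.7"],"objectRef":{"resource":"pods","namespace":"prod","name":"web-0"},"responseStatus":{"code":200}}
"""


def is_platform_identity(username):
    """Control-plane components, kubelets and service accounts are all named
    system:...; human users and external identities are not."""
    return username.startswith("system:")


def classify(event):
    """Per-event rules. Returns a list of (severity, reason) tuples."""
    user = event.get("user", {}).get("username", "")
    obj = event.get("objectRef") or {}
    code = (event.get("responseStatus") or {}).get("code", 0)
    verb = event.get("verb", "")
    resource = obj.get("resource", "")
    target = "/".join(p for p in (resource, obj.get("subresource")) if p)
    where = f"{obj.get('namespace', '<cluster>')}/{obj.get('name', '*')}"
    found = []
    # Unauthenticated callers should never reach resource endpoints; even a 403
    # tells you the API server is reachable from that source address.
    if user == "system:anonymous" and resource:
        found.append(("high", f"anonymous {verb} on {target} {where} (HTTP {code})"))
    # Successful secret reads by anything that is not a platform identity.
    if (resource == "secrets" and verb in ("get", "list", "watch")
            and 200 <= code < 300 and not is_platform_identity(user)):
        found.append(("medium", f"{user} read secrets {where}"))
    # Interactive access into a container; exec/attach upgrade the connection (HTTP 101).
    if resource == "pods" and obj.get("subresource") in ("exec", "attach", "portforward") and code < 400:
        source = ",".join(event.get("sourceIPs", []))
        found.append(("high", f"{user} {obj['subresource']} into pod {where} from {source}"))
    return found


def analyze(audit_log_text, probe_threshold=3):
    """Run the per-event rules plus a cross-event rule for permission probing."""
    findings = []
    forbidden = Counter()
    forbidden_targets = {}
    for line in audit_log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        # Every request is logged at RequestReceived and again at ResponseComplete
        # (same auditID); only the latter carries the response code, so skip the rest.
        if event.get("stage") != "ResponseComplete":
            continue
        user = event.get("user", {}).get("username", "")
        for severity, reason in classify(event):
            findings.append({"severity": severity, "user": user,
                             "auditID": event.get("auditID"), "reason": reason})
        if (event.get("responseStatus") or {}).get("code") == 403:
            forbidden[user] += 1
            forbidden_targets.setdefault(user, []).append(f"{event.get('verb')} {event.get('requestURI')}")
    # Several 403s from one identity across unrelated resources look like
    # someone mapping out what their RBAC bindings allow.
    for user, count in forbidden.items():
        if count >= probe_threshold:
            findings.append({"severity": "high", "user": user, "auditID": None,
                             "reason": f"{count} forbidden requests, possible permission probing: "
                                       + "; ".join(forbidden_targets[user])})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_AUDIT_LOG):
        print(f"[{finding['severity']}] {finding['reason']} (auditID={finding['auditID']})")
```

Two details matter when turning this into a real pipeline: filter on stage `ResponseComplete`, because every request is logged twice under the same auditID, and keep `secrets` at level `Metadata` in the audit policy, since `RequestResponse` would copy the secret's contents into the log you are shipping around.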

Disclaimer

The given links are our assumptions and ideas: we neither have insight into the exam requirements, nor do we know exactly what it will look like. We are guessing about possibilities and trying to collect resources.

As soon as we have had our hands on it, we will correct our assumptions.

Do you have ideas for improvement? Which resources did we miss? Reach out to us via Twitter or discuss with us on Reddit - any feedback is welcome :)

Happy kubeing!

Photo by Bernard Hermant on Unsplash