You'll find here everything to know for the CKS exam. It was written in December 2023, with the intention of being straight to the point.
The program provides assurance that a CKS has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime.
🚩 A valid CKA certification is required to try this exam
🌐 Training Portal (Linux Foundation), PSI Exams Portal, Exam Instructions
- 1. Cluster setup
- 2. Cluster hardening
- 3. System hardening
- 4. Minimize microservice vulnerabilities
- 5. Supply chain security
- 6. Monitoring, logging and runtime security
| Component | Links |
|---|---|
| Kubernetes | kubernetes.io/docs, kubernetes.io/blog |
| etcd | etcd.io/docs |
| AppArmor | gitlab.com/apparmor/apparmor/-/wikis/Documentation |
| Falco | falco.org/docs |
| Trivy | aquasecurity.github.io/trivy |
📌 Source: Resources Allowed: All LF Certification Programs
✨ kubectl cheatsheet, kubectl reference, crictl for debugging
⚗️ Refresher: Linux, Kubernetes
Always works (but slow): copy/paste right mouse context menu actions
In the Terminal: Ctrl+Shift+C and Ctrl+Shift+V
Other apps like Firefox: Ctrl+C and Ctrl+V
In the Terminal also: mark text with the mouse and then press the middle mouse button to insert (only works while staying in the Terminal)
You can try with this Killercoda scenario.
- Kubernetes
- Kubernetes blog
- AWS
- Google Cloud
- ✅ A Cloud Guru: CKS (code)
- A Cloud Guru: Kubernetes Security
- KodeKloud: CKS (Course notes)
- LinkedIn Learning: Securing Containers and Kubernetes Ecosystem
- Linux Foundation: Kubernetes Security Essentials (LFS260) (doesn't help passing the certification)
- O'Reilly: CKS certification guide
- Udemy: CKS 2023
| Name | Paragraph | Kubernetes definition |
|---|---|---|
| AppArmor | 3.4 Kernel hardening | annotations.container.apparmor.security.beta.kubernetes.io |
| etcd | | |
| Falco | 6.1 Behavioral analytics | |
| gVisor | 4.3 Sandboxes | spec.runtimeClassName |
| Kata Containers | 4.3 Sandboxes | spec.runtimeClassName |
| kube-bench | 1.2 CIS benchmark | |
| OPA Gatekeeper | 4.1 Security domains | ConstraintTemplate |
| seccomp | 3.4 Kernel hardening | securityContext.seccompProfile |
| SELinux | | securityContext.seLinuxOptions |
| Trivy | 5. Supply chain security | |
💡 CKS exam gives access to 2 sessions with Killer Shell (example)
- CNCF Cloud Native Security Whitepaper
- NSA, CISA release Kubernetes Hardening Guidance - March 15, 2022
- Sysdig Kubernetes Security Guide
- CKS KodeKloud Mock Exam 1 - Learn With GGS - Dec 6, 2021
- Kubesimplify - Kubernetes security concepts and demos - September 25, 2020
- CNCF Tutorial - Getting Started With Cloud Native Security - September 4, 2020
- Kubernetes Forum Seoul 2019 - Kubernetes Security Best Practices - Dec 10, 2019
- Code in Action - Learn Kubernetes Security - Jul 8, 2020
- Spectro Cloud Webinar - Certified Kubernetes Security Specialist - May 4, 2022