CKS
Coming Soon
Expected availability announced soon

This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.


CKS Certified Kubernetes® Security Specialist

The Certified Kubernetes Security Specialist (CKS) exam validates expertise in securing Kubernetes clusters, covering setup, hardening, microservice vulnerability reduction, and supply‑chain protection for production environments.

  • Duration: 120 minutes
  • Passing score: 67/100
  • Exam cost: $395
  • Languages: 3

Who Should Take This

The CKS is intended for Kubernetes administrators, DevOps engineers, and security professionals who already hold the Certified Kubernetes Administrator (CKA) credential and regularly manage production clusters. These candidates seek specialist-level knowledge to implement hardening controls, mitigate microservice risks, and enforce supply-chain integrity across their deployments.

What's Covered

1. Network policies, CIS benchmarks, ingress security, node metadata protection, and Kubernetes audit logging configuration.
2. RBAC design, service account security, API server restriction, and Kubernetes upgrade procedures for security patches.
3. AppArmor, Seccomp profiles, kernel hardening, read-only filesystems, and Linux capability management.
4. Pod Security Standards, OPA Gatekeeper, secrets management, runtime sandboxing, and security contexts.
5. Image scanning, image signing, supply chain verification, admission controllers, SBOM generation, and registry security.
6. Falco runtime detection, audit log analysis, immutable containers, behavioral profiling, and forensic investigation.

Exam Structure

Question Types

  • Performance-based tasks in a live Kubernetes environment

Scoring Method

Percentage-based scoring of completed tasks with a 67% minimum passing threshold

Delivery Method

PSI online proctored performance-based exam

Prerequisites

Must hold a valid CKA (Certified Kubernetes Administrator) certification

Recertification

Recertify every 2 years by passing the current version of the exam.

What's Included in AccelaStudy® AI

Adaptive Knowledge Graph
Practice Questions
Lesson Modules
Console Simulator Labs
Exam Tips & Strategy
20 Activity Formats

Course Outline

50 learning goals

1. Cluster Setup (2 topics)

Network Security and CIS Benchmarks

  • Implement NetworkPolicy resources to restrict Pod-to-Pod traffic using ingress and egress rules with namespace selectors, pod selectors, and CIDR-based filtering
  • Implement default-deny NetworkPolicy rules for both ingress and egress traffic and explain how they enforce zero-trust networking within Kubernetes namespaces
  • Implement CIS Kubernetes Benchmark checks using kube-bench and remediate findings related to API server, etcd, kubelet, and scheduler configuration hardening
  • Implement Ingress TLS termination and configure Ingress resources to enforce HTTPS connections and restrict access to exposed services
  • Implement node metadata protection by restricting cloud provider metadata API access from Pods using NetworkPolicy or firewall rules to prevent SSRF-based credential theft

Verification and Auditing

  • Implement Kubernetes audit logging by configuring audit policy files with rules that capture security-relevant API server events at appropriate verbosity levels
  • Analyze the Kubernetes cluster setup against security best practices to verify platform binaries, validate TLS certificate configurations, and ensure secure component communication

2. Cluster Hardening (3 topics)

RBAC and API Access Control

  • Describe the Kubernetes RBAC model including Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings and explain how they enforce least-privilege access to API resources
  • Implement fine-grained RBAC policies that restrict access to specific API groups, resources, verbs, and resource names for users and service accounts
  • Analyze RBAC configurations to identify over-permissioned roles, wildcard permissions, and privilege escalation paths and recommend least-privilege corrections

Service Account Security

  • Implement service account security by disabling auto-mounting of service account tokens, creating dedicated service accounts per workload, and restricting token audiences
  • Implement bound service account token volumes with expiration and audience restrictions to limit the blast radius of compromised service account credentials
  • Analyze service account token exposure risks and evaluate mitigation strategies including projected volumes, OIDC federation, and external secrets management integration

Kubernetes Upgrade and API Restriction

  • Implement Kubernetes version upgrade procedures to apply security patches and explain the version skew policy between control plane and node components
  • Implement API server access restrictions using authentication plugins, authorization modes, and admission controllers to secure the Kubernetes API attack surface

3. System Hardening (2 topics)

Host-Level Security

  • Implement AppArmor profiles for containers to restrict file access, network capabilities, and system calls and apply profiles to Pods using annotations
  • Implement Seccomp profiles to filter system calls available to containers and apply custom Seccomp profiles to Pods using the securityContext configuration
  • Implement host OS hardening by minimizing installed packages, disabling unnecessary services, and configuring kernel parameters to reduce the node attack surface
  • Analyze the effectiveness of different mandatory access control mechanisms and evaluate when to use AppArmor, Seccomp, or SELinux based on security requirements and operational constraints

Filesystem and Privilege Minimization

  • Implement read-only root filesystems for containers using securityContext.readOnlyRootFilesystem and configure emptyDir volumes for required writable paths
  • Implement Linux capability dropping and addition using securityContext to run containers with the minimum required kernel capabilities
  • Analyze the security impact of privileged containers, hostPath mounts, and hostNetwork access and evaluate when these escalated permissions are justified versus avoidable

4. Minimize Microservice Vulnerabilities (3 topics)

Pod Security and Admission Control

  • Describe Pod Security Standards (Privileged, Baseline, Restricted) and explain how Pod Security Admission enforces security profiles at the namespace level
  • Implement Pod Security Admission labels on namespaces to enforce, audit, and warn against Pod security standard violations
  • Implement OPA Gatekeeper constraint templates and constraints to enforce custom admission policies including image registry restrictions, label requirements, and resource limits
  • Analyze the differences between Pod Security Admission and OPA Gatekeeper and evaluate when each admission control mechanism is appropriate for organizational security requirements

Secrets Management and Runtime Isolation

  • Implement Kubernetes Secrets with encryption at rest using EncryptionConfiguration and explain the limitations of base64-encoded Secrets without encryption
  • Implement external secrets management integration using CSI Secret Store Driver with HashiCorp Vault or cloud provider secret managers for production-grade secret handling
  • Describe container runtime sandboxing with gVisor and Kata Containers and explain how they provide additional isolation layers beyond standard Linux container boundaries
  • Implement RuntimeClass configuration to assign workloads to sandboxed container runtimes based on security requirements and evaluate the performance trade-offs of runtime sandboxing
  • Analyze secrets exposure vectors including environment variable leakage, volume mount access, and etcd compromise and evaluate defense-in-depth strategies for sensitive data protection

Security Context and Pod-Level Controls

  • Implement security contexts at the Pod and container level to enforce runAsNonRoot, runAsUser, fsGroup, and allowPrivilegeEscalation settings for defense-in-depth
  • Analyze multi-container Pod security configurations and evaluate how init containers, sidecar containers, and ephemeral containers affect the overall Pod security posture

5. Supply Chain Security (3 topics)

Image Security and Scanning

  • Implement container image vulnerability scanning using Trivy or similar tools to identify known CVEs in base images, application dependencies, and OS packages
  • Implement image hardening practices including minimal base images, multi-stage builds, non-root users, and removal of unnecessary tools to reduce the container attack surface
  • Implement static analysis of Kubernetes manifests and Dockerfiles using tools like kubesec and hadolint to detect security misconfigurations before deployment

Image Signing and Admission

  • Describe image signing and verification using cosign and Sigstore and explain how cryptographic signatures establish provenance and integrity for container images
  • Implement ImagePolicyWebhook or ValidatingAdmissionWebhook to enforce image pull policies that restrict deployments to signed images from trusted registries
  • Implement container image digest pinning to ensure immutable image references and prevent tag mutability attacks in production deployments
  • Analyze supply chain attack vectors including compromised base images, dependency confusion, and registry tampering and evaluate end-to-end supply chain security strategies

Software Bill of Materials

  • Describe Software Bill of Materials (SBOM) standards including SPDX and CycloneDX and explain how SBOMs enable vulnerability tracking and compliance auditing across the software supply chain
  • Implement SBOM generation for container images and evaluate how to integrate SBOM analysis into CI/CD pipelines for continuous supply chain visibility

6. Monitoring, Logging, and Runtime Security (3 topics)

Runtime Threat Detection

  • Describe Falco architecture and explain how it uses kernel-level system call monitoring to detect anomalous runtime behavior in containers and host systems
  • Implement Falco rules to detect security-relevant events including shell execution in containers, sensitive file access, unexpected network connections, and privilege escalation attempts
  • Analyze Falco alerts and runtime security events to investigate potential container compromises and determine appropriate incident response actions

Audit Logging and Forensics

  • Analyze Kubernetes audit logs to trace API call sequences, identify unauthorized access attempts, and reconstruct security incident timelines
  • Implement immutable container filesystems and logging configurations to preserve forensic evidence and prevent attackers from tampering with audit trails
  • Analyze container forensics workflows including capturing container state, examining processes and network connections, and correlating events across audit logs and runtime alerts

Behavioral Analysis and Response

  • Implement container behavioral profiling to establish baseline process, network, and filesystem activity patterns for anomaly detection
  • Analyze runtime security monitoring strategies and evaluate the trade-offs between signature-based detection, behavioral analysis, and eBPF-based observability for threat detection

Hands-On Labs

15 labs, ~410 minutes total, delivered in the Console Simulator

Practice in a simulated cloud console or Python code sandbox — no account needed. Each lab runs entirely in your browser.

Certification Benefits

Salary Impact

Average salary: $160,000

Related Job Roles

  • Kubernetes Security Engineer
  • Cloud Security Architect
  • Platform Security Engineer
  • DevSecOps Engineer
  • Site Reliability Engineer

Industry Recognition

The CKS is the most advanced CNCF Kubernetes certification, validating deep expertise in securing Kubernetes environments. As container security becomes a board-level concern, CKS holders are highly sought after for roles requiring hands-on Kubernetes security implementation and incident response capabilities.

Scope

Included Topics

  • All domains in the CKS (Certified Kubernetes Security Specialist) exam: Cluster Setup (10%), Cluster Hardening (15%), System Hardening (15%), Minimize Microservice Vulnerabilities (20%), Supply Chain Security (20%), and Monitoring, Logging and Runtime Security (20%).
  • Network policies, CIS benchmarks, ingress security, node metadata protection, and API server audit configuration.
  • RBAC design, service account security, Kubernetes API restriction, and upgrade procedures for security patches.
  • Host-level security including AppArmor, Seccomp profiles, kernel hardening, and minimizing host OS attack surface.
  • Security contexts, Pod Security Standards, OPA/Gatekeeper admission control, secrets management, and container runtime sandboxing with gVisor and Kata Containers.
  • Image scanning, image signing, supply chain verification, admission controllers for image policy, and allowlist registries.
  • Falco runtime threat detection, audit log analysis, immutable container filesystems, and behavioral anomaly detection.

Not Covered

  • General Kubernetes administration tasks (cluster installation, upgrade procedures, backup/restore) covered by CKA.
  • Application development, Kubernetes API programming, and custom controller development covered by CKAD.
  • Cloud provider-specific security services (AWS GuardDuty, Azure Defender, GCP Security Command Center) beyond Kubernetes-native security.
  • Penetration testing, exploit development, and offensive security techniques.
  • Compliance framework details (SOC 2, PCI DSS, HIPAA) beyond general security best practices.

Official Exam Page

Learn more at Cloud Native Computing Foundation



Trademark Notice

Kubernetes® and the Kubernetes logo are registered trademarks of The Linux Foundation. Linux Foundation certifications (CKA, CKAD, CKS, KCNA) are issued by The Linux Foundation.

CNCF® and the Cloud Native Computing Foundation are registered trademarks of The Linux Foundation. The Linux Foundation does not endorse this product.

AccelaStudy® and Renkara® are registered trademarks of Renkara Media Group, Inc. All third-party marks are the property of their respective owners and are used for nominative identification only.