Certified Kubernetes Security Specialist (CKS) Preparation Guide - Curriculum v1.26
The objective of this repository is to help you prepare for the Certified Kubernetes Security Specialist (CKS) exam using online resources, especially the Kubernetes Official Documentation.
The references were selected for the Exam Curriculum 1.26, and there is exclusive information on API objects and annotations. For more information, please see the CNCF Curriculum.
Please feel free to open a pull request if something is not up to date, should be added, or contains wrong information or references.
There are other Kubernetes certification exam preparation guides available:
The exam is hands-on: you are given a set of problems to fix within 120 minutes.
My tip: Spend your time wisely. Use the Notebook feature (provided in the exam's UI) to keep track of your progress, where you can take notes on each question and add annotations to help you. Additionally, don't get stuck: move on to the next problem and come back to it when you finish all the other problems.
Exam Cost: $375 and includes one free retake.
It's important to mention that you have access to Kubernetes Official Documentation during the exam. So get yourself familiar with Kubernetes online documentation, and know where to find all specific topics listed below. It might be helpful for you during the exam.
For information about the exam, please refer to the Certified Kubernetes Security Specialist (CKS) Program.
Exam objectives that outline the knowledge, skills, and abilities that a Certified Kubernetes Security Specialist (CKS) is expected to demonstrate.
Use Network security policies to restrict cluster level access
Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
Properly set up Ingress objects with security control
Protect node metadata and endpoints
Kubernetes Documentation > Tasks > Administer a Cluster > Securing a Cluster
```yaml
# all pods in namespace cannot access metadata endpoint
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cloud-metadata-deny
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 169.254.169.254/32
```
Minimize use of, and access to, GUI elements
Verify platform binaries before deploying
Kubernetes Documentation > Tasks > Install Tools > Install and Set Up kubectl on Linux
Note: check step 2, validating the binary.
Restrict access to Kubernetes API
Use Role Based Access Controls to minimize exposure
Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones
Update Kubernetes frequently
Minimize host OS footprint (reduce attack surface)
Minimize IAM roles
Minimize external access to the network
Appropriately use kernel hardening tools such as AppArmor, seccomp
Set up appropriate OS level security domains e.g. using PSP, OPA, security contexts
Manage Kubernetes secrets
Use container runtime sandboxes in multi-tenant environments (e.g. gVisor, Kata Containers)
Implement pod to pod encryption by use of mTLS
Minimize base image footprint
Secure your supply chain: whitelist allowed image registries, sign and validate images
Use static analysis of user workloads (e.g. Kubernetes resources, Dockerfiles)
Scan images for known vulnerabilities
Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities
Detect threats within physical infrastructure, apps, networks, data, users and workloads
Detect all phases of attack regardless where it occurs and how it spreads
Perform deep analytical investigation and identification of bad actors within environment
Ensure immutability of containers at runtime
`readOnlyRootFilesystem`: Mounts the container's root filesystem as read-only
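As an added example (not part of the original guide), a Pod that applies `readOnlyRootFilesystem` together with the other security context settings listed above, while giving the process a writable `emptyDir` for the one path it must write to; the Pod name and the image are assumptions, chosen because that image runs as non-root and writes only under `/tmp`.

```yaml
# Added example, not from the original guide. Assumes an image that runs
# as a non-root user and only writes under /tmp; adjust the emptyDir
# mounts to whatever paths your workload actually writes to.
apiVersion: v1
kind: Pod
metadata:
  name: immutable-web          # assumed name
  namespace: default
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault      # kernel hardening via the runtime's default seccomp profile
  containers:
  - name: web
    image: nginxinc/nginx-unprivileged:1.25   # assumption: listens on 8080, writes only to /tmp
    ports:
    - containerPort: 8080
    securityContext:
      readOnlyRootFilesystem: true   # the root filesystem cannot be modified at runtime
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    - name: tmp
      mountPath: /tmp            # the only writable location, backed by an emptyDir
  volumes:
  - name: tmp
    emptyDir: {}
```

Verify it with `kubectl exec immutable-web -- sh -c 'touch /etc/marker'`, which should fail with "Read-only file system", while `kubectl exec immutable-web -- sh -c 'touch /tmp/marker'` succeeds.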
Use Audit Logs to monitor access
Tip: Use the kubectl Cheat Sheet during the exam. You don't need to memorize everything.
Practice a lot with Kubernetes:
Some links that contain tips that might help you from different perspectives of the CKS exam.