Curated online resources to help you prepare for the CNCF/Linux Foundation CKS 2021 "Certified Kubernetes Security Specialist" certification exam. Please provide feedback or requests by raising issues or opening a pull request. All feedback for improvements is welcome. Thank you.
Resources are primarily cross-referenced back to the sites allowed during the CKS exam, as per the CNCF/Linux Foundation rules on permitted searches. Videos and other third-party resources (e.g. blogs) are provided as optional complementary material, and any third-party material not allowed in the exam is designated with :triangular_flag_on_post: in the curriculum sections below.
Ensure you have the right version of the Kubernetes documentation selected (e.g. v1.26 as of January 2023), especially for API objects and annotations. For third-party tools you may still find useful references in older releases and blogs, e.g. the Falco install.
Official exam objectives that you should review and understand in order to pass the test.
Duration : two (2) hours
Number of questions: 15-20 hands-on, performance-based tasks
Passing score: 67%
Certification validity: two (2) years
Prerequisite: valid CKA
Cost: $375 USD, one (1) year of exam eligibility, with a free retake within the year.
The Linux Foundation offers several discounts throughout the year, e.g. Cyber Monday, KubeCon attendees, and other special holidays/events.
This includes all available language translations of these pages (e.g. https://kubernetes.io/zh/docs)
According to official Linux Foundation documentation, as of June 2022 there was a change in the exam platform. Only the platform changed, so the exam questions did not, but a few things about it may concern candidates, so they are noted below:
The new ExamUI includes improved features such as:
:large_blue_circle: Securing a Cluster
Use Network security policies to restrict cluster level access
:triangular_flag_on_post: Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
Properly set up Ingress objects with security control
Protect node metadata and endpoints
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-only-cloud-metadata-access
spec:
  podSelector: {}            # applies to every pod in the namespace the policy is created in
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0      # allow egress to anywhere ...
        except:
        - 169.254.169.254/32 # ... except the cloud instance metadata endpoint
```
The policy is namespaced and is only enforced if the cluster's CNI plugin implements NetworkPolicy.
Verify platform binaries before deploying
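Kubernetes publishes a `.sha512` file next to every release binary (e.g. `.../bin/linux/amd64/kubelet.sha512`) that contains only the hex digest. The following is an added example, not code from the page or from the Kubernetes project: it recomputes the digest of a downloaded binary and compares it with the published one. The "kubelet" it checks is a constructed stand-in written to a temporary directory so the example runs offline; `verify_binary` itself works on a real download.

```python
"""Added example: verify a downloaded release binary against its published SHA-512 digest.

The kubelet file and its .sha512 file used in demo() are constructed here, not
real release artefacts.
"""
import hashlib
import hmac
import os
import tempfile


def sha512_of_file(path: str) -> str:
    """Stream the file through SHA-512 so a large binary need not fit in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def read_published_digest(sha512_path: str) -> str:
    """Read a vendor .sha512 file and reject anything that is not a SHA-512 hex digest.

    Accepts both the bare-digest form used on dl.k8s.io and the two-column
    'DIGEST  FILENAME' form written by `sha512sum`.
    """
    with open(sha512_path, "r", encoding="ascii") as f:
        fields = f.read().split()
    if not fields:
        raise ValueError(f"{sha512_path} is empty")
    digest = fields[0].lower()
    if len(digest) != 128 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"{sha512_path} does not start with a SHA-512 hex digest")
    return digest


def verify_binary(binary_path: str, sha512_path: str) -> bool:
    """True iff the binary's digest matches the published one."""
    expected = read_published_digest(sha512_path)
    actual = sha512_of_file(binary_path)
    # Digests are public, so timing is not a concern here; compare_digest is
    # simply the idiomatic way to compare two hex digests.
    return hmac.compare_digest(actual, expected)


def demo() -> tuple:
    """Constructed stand-in for a kubelet download: an intact copy, then a tampered copy.

    Returns (intact_verifies, tampered_verifies), expected to be (True, False).
    """
    with tempfile.TemporaryDirectory() as d:
        binary = os.path.join(d, "kubelet")
        sumfile = os.path.join(d, "kubelet.sha512")
        with open(binary, "wb") as f:
            f.write(b"constructed stand-in for the kubelet ELF binary\n")
        with open(sumfile, "w", encoding="ascii") as f:
            f.write(sha512_of_file(binary) + "\n")  # what the vendor would publish
        intact = verify_binary(binary, sumfile)
        with open(binary, "ab") as f:
            f.write(b"\x90\x90 appended by an attacker\n")  # binary altered after publication
        tampered = verify_binary(binary, sumfile)
    return intact, tampered


if __name__ == "__main__":
    ok, bad = demo()
    print("intact binary verifies:  ", ok)   # True
    print("tampered binary verifies:", bad)  # False
```

On the exam the same check is usually typed as a one-liner, `echo "$(cat kubelet.sha512)  kubelet" | sha512sum --check`. Either way, the digest only proves the file you hold is the one the vendor published; fetch both the binary and the digest over HTTPS from the official release location.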
Use Role-Based Access Controls to minimize exposure
Exercise caution in using service accounts, e.g. disable the defaults and minimize permissions on newly created ones
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
automountServiceAccountToken: false   # pods using this SA get no token unless their own spec says otherwise
```
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: cks-pod
spec:
  serviceAccountName: default
  automountServiceAccountToken: false   # the pod-level setting takes precedence over the ServiceAccount's
  containers:                           # required for a valid Pod; any image will do
  - name: app
    image: nginx
```
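The interaction between the two manifests above is the part that trips people up: a pod's `spec.automountServiceAccountToken` takes precedence, the ServiceAccount's field applies only when the pod does not set it, and if neither sets it the token is mounted. The following added example (not code from the page or from the Kubernetes project) encodes that rule and runs it over constructed manifests, including the two objects shown above, as an audit of which pods would end up with a token at `/var/run/secrets/kubernetes.io/serviceaccount`. The manifests are plain Python dicts shaped like `kubectl get ... -o json` output.

```python
"""Added example: decide which pods get a service account token mounted.

SERVICE_ACCOUNTS and PODS below are constructed fixtures, not objects from a
real cluster.
"""


def token_mounted(pod: dict, service_accounts: dict) -> bool:
    """Return True if `pod` ends up with an API token mounted.

    Precedence (as documented by Kubernetes): pod spec, then ServiceAccount,
    then the default of True.  Raises KeyError if the pod references a
    ServiceAccount that does not exist.
    """
    spec = pod.get("spec", {})
    if "automountServiceAccountToken" in spec:           # pod spec always wins
        return bool(spec["automountServiceAccountToken"])
    sa_name = spec.get("serviceAccountName", "default")  # unset means the namespace's default SA
    sa = service_accounts[sa_name]
    return bool(sa.get("automountServiceAccountToken", True))  # Kubernetes default is True


def pods_with_tokens(pods: list, service_accounts: dict) -> list:
    """Names of pods that would have a token mounted; run this over `-o json` output."""
    return [p["metadata"]["name"] for p in pods if token_mounted(p, service_accounts)]


# Constructed fixtures. `build-robot` is the ServiceAccount shown on this page;
# `default` is the SA Kubernetes creates in every namespace, with nothing set.
SERVICE_ACCOUNTS = {
    "default": {"apiVersion": "v1", "kind": "ServiceAccount",
                "metadata": {"name": "default"}},
    "build-robot": {"apiVersion": "v1", "kind": "ServiceAccount",
                    "metadata": {"name": "build-robot"},
                    "automountServiceAccountToken": False},
}

PODS = [
    # the page's cks-pod: default SA, but the pod itself opts out -> no token
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "cks-pod"},
     "spec": {"serviceAccountName": "default", "automountServiceAccountToken": False,
              "containers": [{"name": "app", "image": "nginx"}]}},
    # nothing set anywhere -> token mounted (the Kubernetes default)
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "plain-pod"},
     "spec": {"containers": [{"name": "app", "image": "nginx"}]}},
    # uses build-robot (SA says false) and sets nothing itself -> no token
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ci-runner"},
     "spec": {"serviceAccountName": "build-robot",
              "containers": [{"name": "app", "image": "nginx"}]}},
    # the gotcha: SA says false, but the pod spec says true and wins -> token mounted
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ci-runner-override"},
     "spec": {"serviceAccountName": "build-robot", "automountServiceAccountToken": True,
              "containers": [{"name": "app", "image": "nginx"}]}},
]

if __name__ == "__main__":
    for name in pods_with_tokens(PODS, SERVICE_ACCOUNTS):
        print(f"{name}: token mounted")   # plain-pod, ci-runner-override
```

In a live cluster the usual fix for the default account is `kubectl patch serviceaccount default -p '{"automountServiceAccountToken": false}'`, but as the `ci-runner-override` fixture shows, any pod can still opt back in, so review pod specs as well as ServiceAccounts. Disabling the token mount does not reduce what the account is allowed to do; RBAC permissions have to be minimized separately.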
Minimize host OS footprint (reduce attack surface)
Minimize IAM roles
Minimize external access to the network
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-external-egress
spec:
  podSelector: {}             # every pod in the namespace
  policyTypes:
  - Egress
  egress:
  - to:                       # egress rules are a list; `to:` must be a list item
    - namespaceSelector: {}   # pods in any namespace of the cluster (includes CoreDNS in kube-system)
```
Because `namespaceSelector: {}` matches every namespace, pod-to-pod traffic inside the cluster stays allowed while anything outside the pod network is denied.
Appropriately use kernel hardening tools such as AppArmor, seccomp
Minimize base image footprint
Secure your supply chain: whitelist allowed image registries, sign and validate images
Perform behavioural analytics of syscall process and file activities at the host and container level to detect malicious activities
Detect threats within a physical infrastructure, apps, networks, data, users and workloads
Detect all phases of attack regardless where it occurs and how it spreads
Perform deep analytical investigation and identification of bad actors within the environment