Certified Kubernetes Security Specialist
Validates expertise in securing container-based applications and Kubernetes platforms during build, deployment, and runtime. Covers cluster setup and hardening, system hardening with kernel security modules, microservice vulnerability minimization through Pod Security Standards, supply chain security including image signing and scanning, and monitoring, logging and runtime security. The CKS is a performance-based exam requiring CKA certification as a prerequisite and hands-on problem solving within a 2-hour time limit.
Exam domains
- Supply Chain Security (20%)
  - Minimize base image footprint: distroless images (gcr.io/distroless/static, distroless/base, distroless/cc, distroless/nodejs, distroless/python3), Alpine where a shell is genuinely needed, scratch for static binaries, multi-stage builds that leave build dependencies out of the final stage; scan the result with Trivy, Grype or Clair for vulnerabilities.
  - Understand your supply chain: SBOM (Software Bill of Materials) formats SPDX and CycloneDX and generators (syft, trivy sbom); the CI/CD pipeline as attack surface; artifact repositories (image registries, Helm chart repos, OCI artifacts); provenance via the SLSA framework (levels 1-4 in SLSA v0.1, Build L0-L3 in SLSA v1.0).
  - Secure your supply chain: permitted registries enforced at admission (Kyverno ClusterPolicy, OPA/Gatekeeper ConstraintTemplate, ImagePolicyWebhook); sign and verify artifacts (cosign, notation, in-toto attestations; Sigstore's Rekor transparency log and Fulcio certificate authority; keyless signing bound to an OIDC identity); verify signatures at admission with Kyverno verifyImages or Connaisseur; pin images by digest (image: nginx@sha256:... rather than image: nginx:1.25, since a tag can be re-pointed to different content while a digest is immutable).
  - Perform static analysis of user workloads and container images: kubesec (kubesec.io) scoring, KubeLinter (StackRox), kube-score and kubeaudit for manifests; Trivy, Grype or Clair for image CVE scans; Hadolint for Dockerfile linting; SAST/DAST on application code; integrate as a CI gate and again as a pre-admission check.
- Minimize Microservice Vulnerabilities (20%)
  - Use appropriate pod security standards: Pod Security Admission (built-in admission controller, GA in 1.25) applies one of three profiles (privileged, baseline, restricted) in one of three modes (enforce, audit, warn), selected by namespace labels (pod-security.kubernetes.io/enforce=restricted, pod-security.kubernetes.io/warn=restricted, etc.). The baseline profile forbids privileged containers, hostNetwork/hostPID/hostIPC, hostPath volumes and capabilities beyond the default set; restricted additionally requires runAsNonRoot: true (pod- or container-level), a runAsUser other than 0, allowPrivilegeEscalation: false, capabilities dropping ALL (only NET_BIND_SERVICE may be added back), seccompProfile.type RuntimeDefault or Localhost, and only the core volume types (configMap, secret, emptyDir, projected, downwardAPI, csi, ephemeral, persistentVolumeClaim).
  - Manage Kubernetes secrets: Secrets are stored in etcd base64-encoded, not encrypted, unless at-rest encryption is configured via EncryptionConfiguration (aescbc, aesgcm, secretbox or kms providers; with kms the key-encryption key lives in the external KMS rather than in the API server's config file); use external secret managers (HashiCorp Vault, AWS Secrets Manager via the Secrets Store CSI Driver, Sealed Secrets, External Secrets Operator); prefer file mounts over environment variables and never put secrets in ConfigMaps; set automountServiceAccountToken: false where the Pod does not need the token; restrict who can get/list Secrets with RBAC.
  - Understand and implement isolation techniques: multi-tenancy via namespaces plus ResourceQuota, NetworkPolicy and RBAC; sandboxed containers via gVisor or Kata Containers, selected per Pod with a RuntimeClass whose handler maps to the non-default container runtime; virtual clusters (vcluster); per-tenant node pools with taints and tolerations.
  - Implement Pod-to-Pod encryption: Cilium WireGuard or IPsec mode for transparent in-cluster encryption (enabled cluster-wide, e.g. Helm values encryption.enabled=true and encryption.type=wireguard), Istio mTLS enforced with a PeerAuthentication policy in STRICT mode, Linkerd automatic mTLS, or application-level TLS for east-west traffic.
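The restricted-profile rules above, together with the digest pinning and permitted-registry checks from the Supply Chain Security domain, as an added Python example (not from the page, the CKS curriculum, or any of the tools it names) of the kind of static check that runs at a CI gate before admission. It assumes a hypothetical registry allowlist (registry.example.internal/) and two constructed Pod manifests; it covers the securityContext, host-namespace and volume-type rules of the restricted profile, not the AppArmor, SELinux, sysctl or hostPort rules that Pod Security Admission also evaluates.

```python
"""Minimal pre-admission static check for a Pod manifest (CI gate style).
Encodes the securityContext, host-namespace and volume-type rules of the Pod
Security Standards 'restricted' profile plus two supply-chain checks: sha256
digest pinning and a permitted-registry allowlist. Input is a parsed Pod dict."""
import re
from typing import Any, Dict, List

# Hypothetical registry allowlist for this example (assumption, not a real policy).
PERMITTED_REGISTRIES = ("registry.example.internal/",)
# Volume types the restricted profile allows; anything else (e.g. hostPath) fails.
RESTRICTED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def image_findings(image: str) -> List[str]:
    """Supply-chain checks on one image reference: digest-pinned, allowed registry."""
    findings = []
    if not DIGEST_RE.search(image):
        findings.append(f"image {image!r} is not pinned by sha256 digest")
    if not image.startswith(PERMITTED_REGISTRIES):
        findings.append(f"image {image!r} is not from a permitted registry")
    return findings


def _effective(container: Dict[str, Any], pod_sc: Dict[str, Any], field: str) -> Any:
    """A container-level securityContext field overrides the pod-level one."""
    return (container.get("securityContext") or {}).get(field, pod_sc.get(field))


def check_pod(pod: Dict[str, Any]) -> List[str]:
    """Return all findings for a Pod; an empty list means it passes every check."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    # Baseline rules inherited by restricted: no host namespaces, no hostPath.
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            findings.append(f"spec.{ns} must not be true")
    for vol in spec.get("volumes") or []:
        for kind in (k for k in vol if k != "name"):
            if kind not in RESTRICTED_VOLUME_TYPES:
                findings.append(f"volume {vol.get('name')!r} uses disallowed type {kind!r}")
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        name = c.get("name", "?")
        csc = c.get("securityContext") or {}
        findings.extend(image_findings(c.get("image", "")))
        if csc.get("privileged"):
            findings.append(f"container {name!r}: privileged must not be true")
        # allowPrivilegeEscalation is container-level only and must be explicitly false.
        if csc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"container {name!r}: allowPrivilegeEscalation must be set to false")
        if _effective(c, pod_sc, "runAsNonRoot") is not True:
            findings.append(f"container {name!r}: runAsNonRoot must be true")
        if _effective(c, pod_sc, "runAsUser") == 0:
            findings.append(f"container {name!r}: runAsUser must not be 0")
        # seccompProfile must be set (pod- or container-level) to RuntimeDefault or Localhost.
        seccomp = (_effective(c, pod_sc, "seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"container {name!r}: seccompProfile.type must be RuntimeDefault or Localhost")
        # Drop ALL capabilities; only NET_BIND_SERVICE may be added back.
        caps = csc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            findings.append(f"container {name!r}: capabilities.drop must include ALL")
        extra = sorted(set(caps.get("add") or []) - {"NET_BIND_SERVICE"})
        if extra:
            findings.append(f"container {name!r}: capabilities.add {extra} not permitted")
    return findings


# Constructed sample manifests for the example (not real workloads).
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"hostNetwork": True,
             "volumes": [{"name": "host", "hostPath": {"path": "/var/run/docker.sock"}}],
             "containers": [{"name": "web", "image": "nginx:1.25"}]},
}
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "volumes": [{"name": "tmp", "emptyDir": {}}],
        "containers": [{
            "name": "web",
            "image": "registry.example.internal/web@sha256:" + "a" * 64,
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("BAD_POD", BAD_POD), ("GOOD_POD", GOOD_POD)):
        result = check_pod(pod)
        print(f"{label}: {'PASS' if not result else 'FAIL'}", *("  - " + f for f in result), sep="\n")
```

Run directly, BAD_POD fails on eight findings (host network, hostPath, unpinned image from a non-permitted registry, missing allowPrivilegeEscalation: false, runAsNonRoot, seccompProfile and drop ALL) and GOOD_POD passes; in a pipeline, feed it the output of yaml.safe_load and fail the build on a non-empty list. A CI check like this complements the namespace-level enforce label rather than replacing it: Pod Security Admission evaluates the Pod the API server actually receives, including mutations by other admission controllers.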
Sources
Questions are grounded in 100 references from official and authoritative materials.