
CKS: Certified Kubernetes Security Specialist

CKS is the hardest Kubernetes certification — it requires a valid CKA first, and the exam focuses exclusively on security hardening. You need to know how to lock down clusters, detect threats, and apply defence-in-depth at every layer: OS, container runtime, Kubernetes API, and network. Expect tasks that require you to find and fix security misconfigurations under time pressure.


Cluster Setup and Hardening

  • kube-apiserver: disable anonymous authentication (--anonymous-auth=false), enable audit logging (--audit-policy-file, --audit-log-path), and keep NodeRestriction in --enable-admission-plugins (it stops a kubelet from modifying Node and Pod objects that belong to other nodes). The plaintext insecure port was inert from Kubernetes 1.20 and the --insecure-port flag was removed in 1.24; only older clusters still need --insecure-port=0.
  • kubelet: --anonymous-auth=false, --authorization-mode=Webhook (never AlwaysAllow), --read-only-port=0, --protect-kernel-defaults=true, --rotate-certificates. On kubeadm clusters these live in /var/lib/kubelet/config.yaml rather than on the command line, so check the config file as well as the systemd drop-in when kube-bench reports a FAIL.
  • Node OS: apply the CIS benchmark, disable unused kernel modules, load AppArmor/seccomp profiles on every node that may run the workload, restrict SSH access.
  • kube-bench checks nodes and control plane components against the CIS Kubernetes Benchmark (docker run --pid=host -v /etc:/etc ... aquasec/kube-bench, or the kube-bench Job manifest). The usual exam task is to run it, read the FAIL/WARN items and their remediation text, and fix the referenced flag in the static pod manifest or kubelet config.
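The kubelet settings above as a kubeadm-style KubeletConfiguration, added here as an example (not from the original page or from the Kubernetes project). The file path and the CA path are the kubeadm defaults on the author's assumption; each comment names the command-line flag the field replaces.

```yaml
# /var/lib/kubelet/config.yaml (kubeadm default; confirm with the --config value in
# /etc/systemd/system/kubelet.service.d/10-kubeadm.conf). Restart after editing:
#   systemctl restart kubelet
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false                  # --anonymous-auth=false: no system:anonymous requests
  webhook:
    enabled: true                   # bearer tokens checked with a TokenReview on the API server
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt   # --client-ca-file: client certs must chain to the cluster CA
authorization:
  mode: Webhook                     # --authorization-mode=Webhook: SubjectAccessReview per request; AlwaysAllow is a FAIL
readOnlyPort: 0                     # --read-only-port=0: closes the unauthenticated read-only API on :10255
protectKernelDefaults: true         # --protect-kernel-defaults=true: fail instead of silently rewriting sysctls
rotateCertificates: true            # --rotate-certificates: renew the kubelet client cert before expiry
streamingConnectionIdleTimeout: 5m  # do not leave idle exec/attach/port-forward streams open indefinitely
makeIPTablesUtilChains: true        # keep the iptables utility chains the kubelet relies on
```

After the restart, `ps -ef | grep kubelet` shows only the `--config` flag; the values are read from the file, which is why kube-bench is run with /etc mounted read-only and checks the file, not the process arguments.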

Pod Security and Admission

  • Pod Security Standards define three profiles: Privileged (unrestricted), Baseline (blocks known privilege escalations such as privileged containers, host namespaces and most added capabilities), Restricted (hardened: runAsNonRoot, allowPrivilegeEscalation: false, capabilities drop ALL, RuntimeDefault or Localhost seccomp, no hostPath volumes). Pod Security Admission (PSA) is the built-in admission controller that applies a profile per namespace through labels: pod-security.kubernetes.io/enforce: restricted rejects non-compliant pods, audit records violations in the audit log, warn returns a warning to the client. PSA went GA and PodSecurityPolicy (PSP) was removed in Kubernetes 1.25.
  • External admission controllers: OPA Gatekeeper (Rego policies, ConstraintTemplate + Constraint resources), Kyverno (YAML-native policies). Common policies: block privileged containers, require a non-root user, require a read-only root filesystem, require resource limits, restrict hostPath mounts.
  • SecurityContext fields: runAsNonRoot, runAsUser/runAsGroup, fsGroup, allowPrivilegeEscalation: false, capabilities (add/drop; the Restricted profile requires drop ALL, optionally adding back NET_BIND_SERVICE), readOnlyRootFilesystem, seccompProfile (RuntimeDefault, or Localhost with a profile path relative to the kubelet's seccomp directory).
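A namespace opted into Pod Security Admission together with a pod that passes the restricted profile, added here as an example (not from the original page). The namespace name, image reference and port are assumptions; the digest is a placeholder to be replaced with the real one.

```yaml
# Namespace with all three PSA modes set. enforce rejects, audit annotates the audit
# event, warn returns a client-side warning; pinning enforce-version keeps the checks
# stable when the control plane is upgraded (assumed version).
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: v1.29
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
# A pod the restricted profile admits. Remove any field marked "required" and
# `kubectl apply` is rejected with the offending field named in the message.
apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: payments
spec:
  securityContext:
    runAsNonRoot: true                  # required: pod or container level
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault              # required: RuntimeDefault or Localhost (never Unconfined)
  containers:
    - name: web
      image: registry.example.com/web@sha256:DIGEST   # placeholder: pin to the real 64-hex digest
      ports:
        - containerPort: 8080
      securityContext:
        allowPrivilegeEscalation: false # required
        readOnlyRootFilesystem: true    # not required by restricted, but expected on the exam
        capabilities:
          drop: ["ALL"]                 # required; NET_BIND_SERVICE is the only capability that may be added back
          add: ["NET_BIND_SERVICE"]
      volumeMounts:
        - name: tmp                     # writable scratch space on an otherwise read-only root
          mountPath: /tmp
        - name: cache
          mountPath: /var/cache/web
      resources:
        limits:
          cpu: 500m
          memory: 256Mi
  volumes:                              # emptyDir is allowed by restricted; hostPath is not
    - name: tmp
      emptyDir: {}
    - name: cache
      emptyDir:
        medium: Memory                  # tmpfs, wiped when the pod goes away
```

To see what an existing namespace would reject before enforcing, set only the warn label and run `kubectl apply --dry-run=server -f pod.yaml`; the warnings list every field the profile complains about.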

Network Policies and mTLS

  • NetworkPolicy enforcement requires a CNI plugin that implements it (Calico, Cilium, Weave Net); Flannel does not, so the API server accepts the object but nothing enforces it. Baseline network hardening: a deny-all policy per namespace (podSelector: {} with policyTypes Ingress and Egress), then explicit allow rules, remembering DNS egress to kube-dns or nothing in the namespace will resolve names.
  • Service mesh mTLS: Istio enforces mutual TLS between sidecars with PeerAuthentication (mode: STRICT rejects plaintext) and, where the client-side TLS mode has to be set explicitly, DestinationRule (tls.mode: ISTIO_MUTUAL). The Envoy sidecars do the handshake transparently. mTLS gives every workload a verifiable identity and encrypts traffic in transit; it limits lateral movement after a pod compromise only when paired with AuthorizationPolicy, because the compromised pod still holds its own certificate and can call anything that accepts it.
  • Falco: runtime security tool that inspects syscalls through a kernel module or eBPF probe. Rules are YAML entries with a condition in Falco's filter syntax (evt.type = open and fd.name startswith /etc), an output format string and a priority. Common exam task: write or modify a rule to alert when a shell is spawned in a container, then confirm it fires with kubectl exec.
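The deny-all baseline, one allow rule re-opening only what a workload needs, and the Istio objects that make mTLS mandatory and bind it to an identity, added here as an example (not from the original page, Kubernetes or Istio). Namespace names, labels, ports and the service account principal are assumptions.

```yaml
# Default deny for the namespace. policyTypes must list Egress explicitly: with no egress
# rules present, Kubernetes would otherwise infer policyTypes: [Ingress] and leave egress open.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}            # empty selector = every pod in the namespace
  policyTypes:
    - Ingress
    - Egress
---
# Re-open only what app=web needs: traffic from the gateway pods in the frontend
# namespace, and DNS to kube-dns. Rules from several policies are additive (OR).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-allow
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:         # namespaceSelector AND podSelector in one element
            matchLabels:
              kubernetes.io/metadata.name: frontend
          podSelector:
            matchLabels:
              app: gateway
      ports:
        - protocol: TCP
          port: 8080
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# Istio: every sidecar in the namespace must present and require mTLS.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT
---
# Identity-based allow list for web: only the gateway's SPIFFE identity may call it,
# so a compromised pod with some other certificate gets 403 from the sidecar.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: web-callers
  namespace: payments
spec:
  selector:
    matchLabels:
      app: web
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/frontend/sa/gateway"]
      to:
        - operation:
            ports: ["8080"]
```

Verify the NetworkPolicy from a throwaway pod in another namespace (`kubectl run probe --rm -it --image=busybox -- wget -qO- --timeout=3 web.payments:8080` should time out, and the same command from a gateway pod in frontend should succeed). Current Istio releases select mTLS automatically between sidecars, so the DestinationRule with ISTIO_MUTUAL is only needed when a DestinationRule already sets an explicit tls mode for that host.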

Supply Chain Security and Runtime Hardening

  • Image signing and verification: Cosign signs OCI images and stores the signature beside the image in the registry; Sigstore's Rekor is the transparency log that records it. Policy engines (Kyverno's verifyImages rule, Gatekeeper with an external data provider) can reject unsigned images at admission. Reference images by digest (image@sha256:...) rather than a mutable tag in production, so a re-pushed tag cannot swap the image under you.
  • Trivy scans container images, filesystems, git repos and Kubernetes manifests (trivy config) for CVEs and misconfigurations. Exam usage: trivy image <image-name> --severity HIGH,CRITICAL to decide what must be patched or which image to replace.
  • Distroless images and minimal bases (Alpine, scratch) reduce attack surface: no shell, no package manager, fewer libraries to carry CVEs.
  • Audit logging: configure the audit policy so that sensitive operations (exec, attach, RBAC changes) are logged at RequestResponse, but keep secrets at Metadata, otherwise the secret values themselves are written to the log. Write to a file (--audit-log-path) or a webhook backend and review for anomalous access patterns.
  • Immutable container filesystems: combine readOnlyRootFilesystem: true with emptyDir (medium: Memory for tmpfs) mounts for the few directories the application must write to.
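A Kyverno ClusterPolicy that allows only images from one registry and requires a Cosign signature on them, added here as an example (not from the original page or the Kyverno project). The registry, namespace and key contents are assumptions.

```yaml
# Pods in the production namespace may run only images from registry.example.com that
# carry a Cosign signature verifiable with our public key. Kyverno rewrites the image
# reference to the verified digest, so the bytes that were checked are the bytes that run.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-signed-images
spec:
  validationFailureAction: Enforce    # Audit would only record the violation
  background: false                   # verifyImages is evaluated at admission only
  webhookTimeoutSeconds: 30           # the signature lookup talks to the registry
  rules:
    - name: only-our-registry
      match:
        any:
          - resources:
              kinds: [Pod]
              namespaces: [production]
      validate:
        message: "Images must be pulled from registry.example.com."
        pattern:
          spec:
            =(initContainers):        # optional field; if present, every element must match
              - image: "registry.example.com/*"
            containers:
              - image: "registry.example.com/*"
    - name: cosign-signature
      match:
        any:
          - resources:
              kinds: [Pod]
              namespaces: [production]
      verifyImages:
        - imageReferences:
            - "registry.example.com/*"
          required: true                # an image with no signature is rejected
          mutateDigest: true            # replace the tag with the verified sha256 digest
          verifyDigest: true            # and reject if the digest cannot be resolved
          attestors:
            - count: 1
              entries:
                - keys:
                    # Public half of the key used with `cosign sign --key`; placeholder content.
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <contents of cosign.pub>
                      -----END PUBLIC KEY-----
                    rekor:
                      url: https://rekor.sigstore.dev
```

Sign with `cosign generate-key-pair` followed by `cosign sign --key cosign.key registry.example.com/web:1.2.3`, then create a pod from the tag and read back `.spec.containers[0].image`: the admitted pod references `@sha256:...`, which is the digest-pinning the text recommends applied automatically at admission.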

Key exam facts — CKS

  • CKA is a prerequisite for CKS — you must have a valid CKA certificate before taking CKS
  • Pod Security Standards replaced PSP in Kubernetes 1.25 — know PSA labels and the three enforcement levels
  • kube-bench and Falco are exam tools — know how to run them and interpret their output
  • NetworkPolicy deny-all baseline: podSelector: {} selects every pod in the namespace; policyTypes: [Ingress, Egress] with no rules denies all traffic. Egress must be listed in policyTypes explicitly, otherwise only ingress is denied and egress stays open
  • Trivy scans images for CVEs — know how to filter by severity (--severity HIGH,CRITICAL) and that --ignore-unfixed drops findings that have no fixed version yet
  • Audit log levels: None, Metadata (request info only), Request (+ request body), RequestResponse (+ response body)
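An audit Policy that applies the four levels as described in the audit logging passage above and in the level list, plus the kube-apiserver fragment that loads it, added here as an example (not from the original page or the Kubernetes project). File paths and retention values are assumptions.

```yaml
# /etc/kubernetes/audit/policy.yaml (assumed path; passed via --audit-policy-file).
# Rules are matched top to bottom and the first match wins, so specific rules come first.
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - RequestReceived              # log once per request, at ResponseComplete/Panic
rules:
  # Secret and ConfigMap bodies would land in the log at Request/RequestResponse: keep Metadata.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  # Who opened an interactive session into which pod, with the full request and response.
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["pods/exec", "pods/attach", "pods/portforward"]
  # RBAC changes: keep the body so the granted rules are in the record.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: "rbac.authorization.k8s.io"
  # Drop the system's own noise.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  - level: None
    nonResourceURLs: ["/healthz*", "/livez*", "/readyz*", "/version"]
  # Everything else: request body for mutations, metadata for reads.
  - level: Request
    verbs: ["create", "update", "patch", "delete"]
  - level: Metadata
---
# Fragment to merge into /etc/kubernetes/manifests/kube-apiserver.yaml (kubeadm static pod).
# The policy file and the log directory must be mounted into the pod, or the API server
# fails to start and kubectl stops working until the manifest is fixed.
spec:
  containers:
    - name: kube-apiserver
      command:
        - kube-apiserver
        - --audit-policy-file=/etc/kubernetes/audit/policy.yaml
        - --audit-log-path=/var/log/kubernetes/audit/audit.log
        - --audit-log-maxage=30       # days to keep rotated files
        - --audit-log-maxbackup=10    # number of rotated files to keep
        - --audit-log-maxsize=100     # MB before rotation
      volumeMounts:
        - name: audit-policy
          mountPath: /etc/kubernetes/audit/policy.yaml
          readOnly: true
        - name: audit-log
          mountPath: /var/log/kubernetes/audit
  volumes:
    - name: audit-policy
      hostPath:
        path: /etc/kubernetes/audit/policy.yaml
        type: File
    - name: audit-log
      hostPath:
        path: /var/log/kubernetes/audit
        type: DirectoryOrCreate
```

The static pod restarts on its own when the manifest changes; if the API server does not come back, `crictl ps -a` and `crictl logs` on the control plane node show the startup error, which is almost always a policy parse error or a missing mount.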

Common exam traps

AppArmor profiles are stored in Kubernetes and automatically available to pods on any node

AppArmor profiles are loaded into the node's kernel (apparmor_parser -r <profile>), not stored in the cluster — every node that may schedule the pod must already have the profile loaded, and the pod references it by name (localhost/<profile>) through the container.apparmor.security.beta.kubernetes.io/<container> annotation or, from Kubernetes 1.30, securityContext.appArmorProfile

Falco detects misconfigurations in Kubernetes YAML manifests before deployment

Falco uses kernel syscall hooks (eBPF or kernel module) — it detects runtime behaviour, not static misconfigurations
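The rule the exam task in the network section asks for (alert when a shell is spawned in a container), added here as an example (not from the original page or the Falco project). The list and macro names carry a cks_ prefix so they do not collide with the stock macros (spawned_process, container, shell_binaries) that do the same job; the exception namespace is a constructed assumption.

```yaml
# Appended to /etc/falco/falco_rules.local.yaml, the file Falco reads after its
# default ruleset.
- list: cks_shell_binaries
  items: [sh, bash, dash, ash, zsh, ksh, fish]

# Namespaces where interactive shells are expected (assumed; adjust or leave empty).
- list: cks_shell_ok_namespaces
  items: [debug]

# The exit event (evt.dir=<) of a successful execve/execveat is the moment a program starts.
- macro: cks_process_exec
  condition: (evt.type in (execve, execveat) and evt.dir = <)

# container.id is the literal string "host" for processes outside any container.
- macro: cks_in_container
  condition: (container.id != host)

- rule: CKS Shell Spawned in Container
  desc: >
    A shell binary was executed inside a container. Production workloads should not
    need interactive shells; this usually means kubectl exec, a reverse shell, or a
    compromised process dropping into sh.
  condition: >
    cks_process_exec and cks_in_container
    and proc.name in (cks_shell_binaries)
    and not k8s.ns.name in (cks_shell_ok_namespaces)
  output: >
    Shell spawned in container (user=%user.name uid=%user.uid command=%proc.cmdline
    parent=%proc.pname container=%container.name image=%container.image.repository
    namespace=%k8s.ns.name pod=%k8s.pod.name)
  priority: WARNING
  tags: [container, shell, mitre_execution]
```

Check the file parses with `falco -V /etc/falco/falco_rules.local.yaml`, restart Falco, then trigger the rule with `kubectl exec -it <pod> -- sh` and watch `journalctl -fu falco` for the WARNING line; the same process never produces an event from a static manifest scan, which is the distinction the trap above is about.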

Pinning an image to a digest provides complete protection against supply chain attacks

Image digest pinning guarantees you run exactly the bytes you pinned, which defeats tag mutation, but it says nothing about whether those bytes are trustworthy — the pinned image may already contain a vulnerability or a backdoor, so signing and scanning are still required
