Kubernetes Security Specialist CKS



    The Certified Kubernetes Security Specialist (CKS) program provides assurance that a CKS has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime. CKA certification is required for this exam.

    Certification is a key step in that process, allowing certified application developers to quickly establish their credibility and value in the job market, and also allowing companies to more quickly hire high-quality teams to support their growth.


      The Certified Kubernetes Security Specialist (CKS) program was created by the Cloud Native Computing Foundation (CNCF), in collaboration with The Linux Foundation, to help develop the Kubernetes ecosystem.

      The Cloud Native Computing Foundation is committed to growing the community of Kubernetes-knowledgeable security specialists, thereby enabling continued growth across the broad set of organizations using the technology.

      CKS may be purchased but not scheduled until CKA certification has been achieved. CKA Certification must be active (non-expired) on the date the CKS exam is scheduled.

      The certification exam tests specific domains and competencies including:

      • Cluster Setup

      • Cluster Hardening

      • System Hardening

      • Minimize Microservice Vulnerabilities

      • Supply Chain Security

      • Monitoring, Logging, and Runtime Security

      The program is built for experienced DevOps Engineers, System Administrators or Security Specialists with good knowledge of containers, Docker and microservices. During classes the most important points will be demonstrated in labs, where the candidates can see how the theory can be applied to solve problems in a Kubernetes cluster.

      However, you will need about 20 hours to study the syllabus and at least 60-80 hours of practice to review all the material and solve exercises before the exams.

      The online, proctored, performance-based test consists of a set of performance-based items (problems) to be solved in a command line and is expected to take approximately two (2) hours to complete.

      Examination fee: $375 / €330 + 24% VAT

      Below is the curriculum outline of the Knowledge, Skills and Abilities that a Certified Kubernetes Security Specialist (CKS) can be expected to demonstrate.

      1. Cluster Setup
      1.1 Use Network security policies to restrict cluster level access
      1.2 Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
      1.3 Properly set up Ingress objects with security control
      1.4 Protect node metadata and endpoints
      1.5 Minimize use of, and access to, GUI elements
      1.6 Verify platform binaries before deploying

      2. Cluster Hardening
      2.1 Restrict access to Kubernetes API
      2.2 Use Role Based Access Controls to minimize exposure
      2.3 Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones
      2.4 Update Kubernetes frequently

      3. System Hardening
      3.1 Minimize host OS footprint (reduce attack surface)
      3.2 Minimize IAM roles
      3.3 Minimize external access to the network
      3.4 Appropriately use kernel hardening tools such as AppArmor, seccomp

      4. Minimize Microservice Vulnerabilities
      4.1 Set up appropriate OS level security domains e.g. using PSP, OPA, security contexts
      4.2 Manage Kubernetes secrets
      4.3 Use container runtime sandboxes in multi-tenant environments (e.g. gVisor, Kata Containers)
      4.4 Implement pod to pod encryption by use of mTLS

      5. Supply Chain Security
      5.1 Minimize base image footprint
      5.2 Secure your supply chain: whitelist allowed image registries, sign and validate images
      5.3 Use static analysis of user workloads (e.g. Kubernetes resources, Dockerfiles)
      5.4 Scan images for known vulnerabilities

      6. Monitoring, Logging and Runtime Security
      6.1 Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities
      6.2 Detect threats within physical infrastructure, apps, networks, data, users and workloads
      6.3 Detect all phases of attack regardless of where it occurs and how it spreads
      6.4 Perform deep analytical investigation and identification of bad actors within environment
      6.5 Ensure immutability of containers at runtime
      6.6 Use Audit Logs to monitor access

      Due to the pandemic, courses are now offered online.

      Due to Covid, this program is offered online. However, if you don't live in Thessaloniki, nothing stops you from taking advantage of discounted prices and spending a productive weekend in one of the associated hotels.

      Take advantage of the preferential accommodation prices available through our partnerships. Contact us for more information.

      Would you like a training course at your premises?

      Simply send us an e-mail to trainings@onelity.eu with your preferred date, location and number of participants.