The objective of this repository is to help you prepare for the Certified Kubernetes Security Specialist (CKS) exam using online resources, especially the Kubernetes official documentation.
The references were selected for Exam Curriculum 1.23 and include information specific to API objects and annotations. For more information, please see the CNCF Curriculum.
Please feel free to open a pull request if something is out of date, should be added, or contains wrong information or references.
There are other Kubernetes certification exam preparation guides available:
The exam is hands-on: you are given a set of problems to fix within 120 minutes.
My tip: spend your time wisely. Use the Notebook feature (provided in the exam's UI) to keep track of your progress: take notes on each question and add annotations to help you. Additionally, don't get stuck; move on to the next problem and come back to it when you have finished all the others.
Exam Cost: $375 and includes one free retake.
It's important to mention that you have access to the Kubernetes official documentation during the exam. Get familiar with the online documentation and know where to find each of the topics listed below; it will help you during the exam.
For information about the exam, please refer to the Certified Kubernetes Security Specialist (CKS) Program.
The exam objectives outline the knowledge, skills and abilities that a Certified Kubernetes Security Specialist (CKS) is expected to demonstrate.
- Use Network security policies to restrict cluster-level access
- Use the CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
- Properly set up Ingress objects with security controls
- Protect node metadata and endpoints
  - Kubernetes Documentation > Tasks > Administer a Cluster > Securing a Cluster

  ```yaml
  # all pods in the namespace are denied egress to the cloud metadata endpoint
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: cloud-metadata-deny
    namespace: default
  spec:
    podSelector: {}
    policyTypes:
    - Egress
    egress:
    - to:
      - ipBlock:
          cidr: 0.0.0.0/0
          except:
          - 169.254.169.254/32
  ```

- Minimize use of, and access to, GUI elements
- Verify platform binaries before deploying
  - Kubernetes Documentation > Tasks > Install Tools > Install and Set Up kubectl on Linux
    (Note: check step 2, "validate binary")
- Restrict access to the Kubernetes API
- Use Role Based Access Controls to minimize exposure
- Exercise caution in using service accounts, e.g. disable defaults, minimize permissions on newly created ones
- Update Kubernetes frequently
- Minimize host OS footprint (reduce attack surface)
  - Remove unnecessary packages
  - Identify and address open ports
  - Shut down any unnecessary services
- Minimize IAM roles
- Minimize external access to the network
- Appropriately use kernel hardening tools such as AppArmor and seccomp
- Set up appropriate OS-level security domains, e.g. using PSP, OPA, security contexts
- Manage Kubernetes secrets
- Use container runtime sandboxes in multi-tenant environments (e.g. gVisor, Kata Containers)
- Implement pod-to-pod encryption by use of mTLS
- Minimize base image footprint
  - Remove exploitable and non-essential software
  - Use multi-stage Dockerfiles to keep software compilation out of runtime images
  - Never bake any secrets into your images
  - Image scanning
- Secure your supply chain: whitelist allowed image registries, sign and validate images
- Use static analysis of user workloads (e.g. Kubernetes resources, Dockerfiles)
  - Secure base images
  - Remove unnecessary packages
  - Stop containers from using elevated privileges
- Scan images for known vulnerabilities
- Perform behavioral analytics of syscall, process and file activities at the host and container level to detect malicious activities
- Detect threats within physical infrastructure, apps, networks, data, users and workloads
- Detect all phases of attack regardless of where it occurs and how it spreads
- Perform deep analytical investigation and identification of bad actors within the environment
- Ensure immutability of containers at runtime
  - readOnlyRootFilesystem: mounts the container's root filesystem as read-only
- Use Audit Logs to monitor access
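As an added example (not part of this repository or of the Kubernetes documentation), the following Python script applies the objectives above on static analysis of user workloads and on runtime immutability to a Pod manifest in the JSON shape that `kubectl get pod -o json` returns. The two sample Pods are constructed, and the choice of what counts as a finding (for example, a missing seccompProfile or an unpinned image tag) is this example's own.

```python
import json

# Hardening checks for one Pod manifest. A finding is emitted for each setting
# that violates the objectives above (elevated privileges, writable root
# filesystem, missing seccomp profile, unpinned image, shared host namespaces).
def pod_findings(pod: dict) -> list:
    spec = pod.get("spec", {})
    findings = []
    if any(spec.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")):
        findings.append("pod shares host namespaces (hostNetwork/hostPID/hostIPC)")
    if spec.get("automountServiceAccountToken", True):
        findings.append("service account token is auto-mounted")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c["name"]
        # Pod-level securityContext applies unless the container overrides it
        sc = {**pod_sc, **c.get("securityContext", {})}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}: runAsNonRoot is not true")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities are not dropped (drop: [ALL])")
        if sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: no seccomp profile")
        image = c.get("image", "")
        # Simplification: anything without a tag or digest, or tagged :latest, is unpinned
        if image.endswith(":latest") or not ("@" in image or ":" in image):
            findings.append(f"{name}: image is not pinned to a tag or digest")
    return findings

# Constructed sample manifests (kubectl get pod -o json shape), not from a real cluster
WEAK_POD = json.loads("""{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
  "spec": {"hostNetwork": true, "containers": [{"name": "app", "image": "nginx:latest",
           "securityContext": {"privileged": true}}]}}""")
HARDENED_POD = json.loads("""{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
  "spec": {"automountServiceAccountToken": false,
           "securityContext": {"runAsNonRoot": true, "seccompProfile": {"type": "RuntimeDefault"}},
           "containers": [{"name": "app", "image": "nginx:1.25.3",
             "securityContext": {"allowPrivilegeEscalation": false, "readOnlyRootFilesystem": true,
                                 "capabilities": {"drop": ["ALL"]}}}]}}""")

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {pod_findings(pod) or ['no findings']}")
```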
- Certified Kubernetes Security Specialist (CKS) - A Cloud Guru (formerly Linux Academy)
- KodeKloud - Certified Kubernetes Security Specialist (CKS)
Tip: Use the kubectl Cheat Sheet during the exam. You don't need to memorize everything.
Practice a lot with Kubernetes:
Some links with tips that might help you from different perspectives on the CKS exam.