What's Covered on the CKS Exam?

Published on October 25, 2022

Earning the Certified Kubernetes Security Specialist (CKS) certification validates that a candidate has the knowledge and ability to harden a Kubernetes cluster and close off attack vectors. The CKS exam covers a wide range of best practices for securing container-based applications and maintaining an appropriate level of security compliance.

The CKS is an intermediate-level exam offered by the Cloud Native Computing Foundation (CNCF) and delivered through the Linux Foundation. You must hold an active Certified Kubernetes Administrator (CKA) certification before you can sit this exam. It costs $375 (USD) and consists of 15 to 20 performance-based tasks carried out in live clusters. To pass, you need to score at least 67 out of 100 points. The registration fee includes one free retake, so you get two attempts if you don't pass the first time.

The exam is two hours long and purely command-line based: there are no multiple-choice questions. That makes it all the more important to understand exactly what is on the exam, which is what we're about to cover.

Need Kubernetes Training?

If you haven’t used Kubernetes before or are new to the platform, CBT Nuggets has got you covered. You’ll find a variety of Kubernetes training to help you get up to speed, whether you are an administrator or developer. Check out our Kubernetes training — and then sign up for a 7-day free trial to start learning how to leverage the power of Kubernetes!

What Questions are on the CKS?

To pass the CKS, you need to prove competency in the following domains (the weights are those of the official CKS curriculum and sum to 100%):

Domain                                        Weight
Cluster Setup                                 10%
Cluster Hardening                             15%
System Hardening                              15%
Minimize Microservice Vulnerabilities         20%
Supply Chain Security                         20%
Monitoring, Logging, and Runtime Security     20%

Let’s walk through each of these domains and discuss what you may encounter during the exam. The following descriptions are by no means all-inclusive. It’s just to give you a general idea of what to expect in each section.

1. Cluster Setup

This domain ensures a candidate can create a cluster in a secure and reliable manner. For example, you will be expected to use NetworkPolicy objects to restrict pod-to-pod traffic and cluster-level access, and to set up Ingress objects with appropriate security controls. Kubernetes also ships an optional Dashboard that presents all of your resources in an easy-to-read format; for the CKS you should know how to minimize the use of, and access to, such GUI elements, and how to protect node metadata and endpoints.

Next, the test will check that you can use the CIS Kubernetes Benchmark to review and maintain a proper security posture. Specifically, you will need to review the configuration of Kubernetes components such as etcd, the kube-apiserver, the kubelet, kube-dns (CoreDNS), and more. You should also be able to verify platform binaries (for example, by checking a downloaded kubelet or kubectl against its published SHA-256 checksum) before deploying them.

2. Cluster Hardening

The previous domain focused on ways to create a secure cluster. This domain covers how to harden an existing one. The most effective hardening removes attack vectors entirely, which is why this domain focuses on restricting access to the Kubernetes API: who can authenticate, what each identity is authorized to do, how service account tokens are scoped, and keeping the cluster on a current, supported Kubernetes version.

By securing the API, the Kubernetes administrator decides which resources a particular role or user can use. For example, let's say we only want Sara to be able to see pods in the neptune namespace. In the legacy attribute-based access control (ABAC) policy format, one line of the policy file would look like this:

{
    "apiVersion": "abac.authorization.kubernetes.io/v1beta1",
    "kind": "Policy",
    "spec": {
        "user": "sara",
        "namespace": "neptune",
        "resource": "pods",
        "readonly": true
    }
}

That means if Sara lists or reads pods in neptune, the request is allowed, but she cannot create, update, or delete them, and she sees nothing in any other namespace. Note that an ABAC policy file is newline-delimited JSON (one policy object per line), it only takes effect when the kube-apiserver is started with --authorization-mode=ABAC and --authorization-policy-file, and every change requires an apiserver restart. That is one reason the exam, and modern clusters generally, standardize on Role-Based Access Control (RBAC), which expresses the same decision as Role and RoleBinding objects you can change with kubectl. This is just a tiny glimpse of cluster hardening. Lastly, make sure you know when it is appropriate to use service accounts: disable automatic token mounting for workloads that never call the API, avoid granting permissions to the default service account, and give newly created accounts only the permissions they need. This is covered extensively in this domain.
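The same read-only grant for Sara expressed in RBAC, plus the service-account hygiene the domain also tests, as an added example that is not from the original article. The user sara and the namespace neptune come from the article; the Role, RoleBinding and ServiceAccount names are assumptions.

```yaml
# Added example, not from the original article. "sara" and "neptune" are the
# article's names; pod-reader, sara-reads-pods and api-worker are assumptions.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                   # namespaced; a ClusterRole would apply cluster-wide
metadata:
  name: pod-reader
  namespace: neptune
rules:
- apiGroups: [""]            # "" is the core API group, where Pod lives
  resources: ["pods"]
  verbs: ["get", "list", "watch"]   # read-only; no create/update/patch/delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sara-reads-pods
  namespace: neptune
subjects:
- kind: User
  name: sara                 # must match the username the authenticator presents
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# Service-account hygiene from the same domain: a dedicated account for a
# workload that never talks to the API, so no token is mounted into its pods.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: api-worker
  namespace: neptune
automountServiceAccountToken: false
```

After applying it, check the decision the way you will on the exam, by impersonating the user: kubectl auth can-i list pods -n neptune --as sara prints yes, while kubectl auth can-i delete pods -n neptune --as sara and kubectl auth can-i list pods -n kube-system --as sara both print no. Note that the Role does not include pods/log or pods/exec; subresources need to be granted explicitly.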

3. System Hardening

Unlike Cluster Hardening, System Hardening has more of a systems administrator feel to it. In this domain, you will be expected to minimize the host OS footprint and thereby reduce its attack surface: remove packages and services the node does not need, scan the OS for open ports and close the ones you can't justify, limit external access to the network, and keep the OS patched. Familiarize yourself with kernel hardening tools such as AppArmor and seccomp, and know how to apply a profile that is loaded on the node to a container. Finally, create IAM roles (for example, the cloud roles attached to your nodes) on an as-needed basis with least-privileged access.
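How a loaded AppArmor profile and the runtime's default seccomp filter are applied to a container, together with the securityContext settings that make the container immutable at runtime (the point the final domain tests), as an added example that is not from the original article. The namespace neptune is the article's; the profile name k8s-deny-write, the image and the pod name are assumptions.

```yaml
# Added example, not from the original article. The AppArmor profile name
# k8s-deny-write, the image and the pod name are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-web
  namespace: neptune
  annotations:
    # Applies a profile that is already loaded on the node to the container named "web".
    container.apparmor.security.beta.kubernetes.io/web: localhost/k8s-deny-write
spec:
  automountServiceAccountToken: false   # the web server never calls the Kubernetes API
  securityContext:
    runAsNonRoot: true
    runAsUser: 101                      # uid baked into the unprivileged nginx image
    seccompProfile:
      type: RuntimeDefault              # the container runtime's default syscall filter
  containers:
  - name: web
    image: nginxinc/nginx-unprivileged:1.25-alpine
    ports:
    - containerPort: 8080
    securityContext:
      allowPrivilegeEscalation: false   # setuid binaries cannot gain privileges
      readOnlyRootFilesystem: true      # "immutable at runtime": image layers cannot be modified
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    - name: scratch
      mountPath: /tmp                   # nginx still needs a writable dir for pid and temp files
  volumes:
  - name: scratch
    emptyDir: {}                        # writable scratch that is discarded with the pod
```

The profile has to be loaded on every node the pod can land on before the pod is created (sudo apparmor_parser -r /etc/apparmor.d/k8s-deny-write, then confirm with sudo aa-status); if it is missing on the scheduled node the pod is rejected rather than run unconfined. Verify the immutability afterwards with kubectl exec hardened-web -n neptune -- touch /etc/x, which should fail with a read-only file system error, while writes to /tmp succeed. Kubernetes 1.30 introduced a securityContext.appArmorProfile field that replaces the annotation, but the annotation is what you will see in most material and in older clusters.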

4. Minimize Microservice Vulnerabilities

Microservices are small, independently deployable services, usually each packaged as a container, that are (in theory) easy to maintain and replicate. However, things can get a little hairy when you have many different containers communicating with each other across a cluster. That is why the CKS dedicates an entire domain to limiting what each microservice can do and to securing communication between them.

One way to mitigate vulnerabilities is to encrypt pod-to-pod traffic with mutual TLS (mTLS). In mTLS both the client and the server present X.509 certificates and each verifies the other's certificate against a trusted Certificate Authority (CA) before any application data flows. Unlike a public website certificate from a commercial CA such as Entrust, the certificates used inside a cluster are normally issued by a private CA and rotated automatically, typically by a service mesh (Istio or Linkerd, for example) that injects a sidecar proxy into each pod so the application code never handles certificates itself. The domain also covers restricting what a pod may do with security contexts and admission control (OPA Gatekeeper, for instance), handling Kubernetes Secrets properly, and using sandboxed container runtimes such as gVisor in multi-tenant clusters.

5. Supply Chain Security

Recall that all container images are pulled from a registry. The last thing you want is an image from an untrusted registry: who knows what malware it contains? It's vital that you can restrict which registries the cluster is allowed to pull from (on the exam this is typically done with an ImagePolicyWebhook admission controller or an admission policy), sign and verify images, and scan them for known vulnerabilities with a tool such as Trivy before your organization uses them.

This domain also covers writing secure Dockerfiles and, overall, minimizing the base image footprint. The base image is the image on which all of your other images are built, so every package in it becomes attack surface in every container derived from it: prefer minimal or distroless bases, pin image versions (ideally by digest rather than tag), run as a non-root user, and never copy secrets into an image layer. Expect to analyze Dockerfiles and Kubernetes manifests for this kind of weakness as well.

6. Monitoring, Logging, and Runtime Security

Dollars to donuts, every certification has a domain on logging and monitoring, and the CKS is no different. In the final domain, you're expected to perform behavioral analysis of syscall, process and file activity at the host and container level to detect malicious activity (Falco is the tool the curriculum names), and to investigate suspicious activity in a running container. You will need to make extensive use of the Kubernetes audit log, which is configured through an audit policy passed to the kube-apiserver, to detect malfeasance and attribute it to a user or service account. With regard to runtime security, make sure you know how to make a container immutable at runtime, chiefly by giving it a read-only root filesystem and denying privilege escalation so that an intruder cannot install tools or modify binaries inside it.
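An audit policy of the kind the exam asks you to write, as an added example that is not from the original article. The rules are matched in order and the first match wins, so noise is dropped first, Secrets are deliberately logged at Metadata level only, and the events you would actually investigate get the full request and response. The namespace neptune is the article's; the file paths in the note below are assumptions.

```yaml
# Added example, not from the original article.
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
- RequestReceived            # one event per request is enough; skip the "received" stage
rules:
# 1. Drop liveness, readiness and version probes entirely.
- level: None
  nonResourceURLs:
  - /healthz*
  - /livez*
  - /readyz*
  - /version
# 2. Secrets and ConfigMaps: record WHO touched them and WHAT, but never the
#    request or response body, which would copy secret data into the log.
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets", "configmaps"]
# 3. Actions an intruder would take: full request and response bodies.
#    (kubectl exec is a "create" on the pods/exec subresource.)
- level: RequestResponse
  verbs: ["create", "update", "patch", "delete"]
  resources:
  - group: ""
    resources: ["pods", "pods/exec", "pods/attach", "pods/portforward", "serviceaccounts"]
  - group: "rbac.authorization.k8s.io"
    resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
# 4. Everything else in the sensitive namespace, with request bodies.
- level: Request
  namespaces: ["neptune"]
# 5. Catch-all: who did what, without bodies.
- level: Metadata
```

The policy only takes effect once the kube-apiserver is started with --audit-policy-file (for example /etc/kubernetes/audit/policy.yaml) and --audit-log-path (for example /var/log/kubernetes/audit/audit.log), with rotation controlled by --audit-log-maxage, --audit-log-maxbackup and --audit-log-maxsize. On a kubeadm cluster both paths must also be mounted into the static pod via hostPath volumes in /etc/kubernetes/manifests/kube-apiserver.yaml, and a mistake there leaves you without an apiserver, so keep a copy of the manifest before editing it. Each log line is one JSON event; jq 'select(.user.username=="sara")' over the file is a quick way to pull out everything a given identity did.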

Final Thoughts

In this article, we discussed the six domains of the Certified Kubernetes Security Specialist exam. Remember, before tackling this exam, make sure you hold an active CKA. Earning the CKS can make you a well-respected (and well-paid) security professional.


© 2024 CBT Nuggets. All rights reserved.Terms | Privacy Policy | Accessibility | Sitemap | 2850 Crescent Avenue, Eugene, OR 97408 | 541-284-5522