How to Ace (CKS 2.0) Certified Kubernetes Security Specialist Exam

When kubneretes became the defacto standard for container orchestration many large enterprise started adopting kubneretes and seeing its benefits to productivity but not that many have been following security best practices and this is when the demand for certification came, to educate professionals on security “how-to’s” and implement better strategies when deploying multiple kubernetes cluster and in 2020 November CKS was first introduces and become the most hardest exam across all CNCF exam, personally I struggle to pass at first try and always recover during me second attempt.

Blog/Material are adjusted for CKS Exam Program Changes October 10 2024.

Who should take this?exam?

When people hear the word “security” in a certification title their first thought is often that it must be very challenging and require great expertise to study for and pass the examination. However don’t let such thoughts deter you as diving into the details might reveal that the concepts we imagined were difficult are not so hard in reality. The goal of this certification is to provide individuals with intermediate knowledge of implementing container security best practices in a vendor-neutral way.

• Validation of Demonstrated Expertise: CKS certification proves that an individual has a deep understanding of Kubernetes security, including the ability to secure container-based applications and Kubernetes platforms during build, deployment, and runtime.
• Industry Recognition: As Kubernetes continues to be a leading platform for container orchestration, having a CKS certification is recognized by employers and peers as a mark of expertise in Kubernetes security, which is critical for roles involving cloud-native infrastructure.
• Career Advancement and Opportunities: With the increasing importance of security in software development and operations, professionals with CKS certification are well-positioned for roles such as DevSecOps engineers, cloud security architects, and Kubernetes administrators, leading to better job opportunities and career growth.
• Staying Current with Security Trends and Evolving Threats: The CKS exam requires a solid understanding of the latest security tools and techniques for Kubernetes, helping professionals stay updated with evolving security challenges in the cloud-native space and are prepared to handle emerging risks.

Compared to other certifications I would say it’s in the a bit higher on difficulty level and it is one of my favorite exam as it opens door for exploring and understanding deep kubenretes security ecosystem, Achieving your Certified Kubernetes Administrator (CKA) is a prerequisite to registering and taking your CKS exam, although your CKA certification does not have to be active when scheduling for it. For me, the order of difficulty felt like this: KCNA/CGOA/CCA/CAPA/CKAD/PCA/KCSA/CKA/CKS One thing to keep in mind is that I had already passed the CKS 2 years ago and now I was preparing for the exam second round after expiration, oh boy things has changed, exams where in browser instead now in remote desktop and live was much better and faster, I could use bookmarks for documentation, but the exam flow is the same after many years, regarding learning materials there were a lot tutorials or blogs to refer and it is easy to get lost in so many tutorials, also there are many suspiciously scam-like dumps as the exam in high demand, so don’t fall for them. Below I will mention all the courses and materials that should help in preparation.

Regarding persons who would benefit SysAdmins/Dev/Ops/SRE/Managers/Platform engineers or any one who is doing any containers worloads on production should consider it as knowing basic of kubernetes is always good thing or somebody whom wants to becombe kubestronaut?;) more about it in next blog…

Exam Format and PSI Proctored Exam?Tips

So we are ready to patch every security whole in our cluster, kick out hackers from our production system and make hard them to compromise your cluster? Then, we have a long path ahead until we reach this point. First, we need to understand what kind of exam it is compared to CKAD, CKA and others. This is an exam where the CNCF has adopted performance-based tasks and compared to other multiple-choice exams, this one, I would say, it is one of the hardest exam of CNCF. However, it is still qualified as intermediate level.

This exam is conducted online, proctored similarly to other Kubernetes certifications and is facilitated by PSI. As someone who has taken more than 20 exams with PSI, I can say that every time it’s a new journey. I HIGHLY ADVISE joining the exam 30 minutes before taking the test because there are pre-checks of ID and the room in which you are taking it needs to be checked for exam criteria. Please check these two links for the exam rules and PSI portal guide .

You’ll have 120 minutes to answer 15–20 performance-based tasks, across 8 or more cluster with access to the allowed resources (this means access to kubernetes documenation during exam), Time is generally considered sufficient, passing score is >66% if person failed CNCF gives free retake chance. Be prepared for some questions that can be quite tricky. I marked a couple of them for review and would advise doing the same because sometimes you could find a hint or partial answers in the next question. By this way, you could refer back to those questions but it should keept in mind that if you mess up one claster on particular task it also could afect after another question on same cluster. Regarding pricing, the exam costs $395, but you can often find it at a discount, such as during Black Friday promotions or near dates for CNCF events like KubeCon, Open Source Summit, etc. Exam is valid for 2 years.

The Path of?Learning

At this point, we understand what we have signed up for and are ready to dedicate time to training, but where should we start? Before taking this exam, I had a good experience with Kubernetes and its ecosystem and had experience with CKS exam, but yet I still learned a lot from this exam preparation.

At first glance, this list might seem too simple and easy but however, we need to learn the fundamentals of security first in order to understand higher-level concepts such as RBAC, Shared Responsibility Model, 4C’s, scaning tools, and hardening best practices.

I cannot emphasize enough the most crucial thing that we can do for preparing CKA/CKAD/CKS we need to be comfortable command line and working within cluster cause all questions are hands on and we need to be agile and smart on which tasks we are spend time this is where taking practice tests are important the best practices test on the market currently is Killer.sh platform which is included when buying CKA/CKAD/CKS exam, usually killer.sh mock exam is much harder that real one but if person can pass he is ready for real one, when I was preparing in 2021 there was only kodekloud platform would say it is good but not similar as killer.sh

Let break down Domains & Competencies

**Cluster Setup 15%**
    Use Network security policies to restrict cluster level access
    Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
    Properly set up Ingress with TLS
    Protect node metadata and endpoints
    Verify platform binaries before deploying

**Cluster Hardening 15%**
    Use Role Based Access Controls to minimize exposure
    Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones
    Restrict access to Kubernetes API
    Upgrade Kubernetes to avoid vulnerabilities

**System Hardening 10%**
    Minimize host OS footprint (reduce attack surface)
    Using least-privilege identity and access management
    Minimize external access to the network
    Appropriately use kernel hardening tools such as AppArmor, seccomp

**Minimize Microservice Vulnerabilities 20%**
    Use appropriate pod security standards
    Manage Kubernetes secrets
    Understand and implement isolation techniques (multi-tenancy, sandboxed containers, etc.)
    Implement Pod-to-Pod encryption using Cilium

**Supply Chain Security 20%**
    Minimize base image footprint
    Understand your supply chain (e.g. SBOM, CI/CD, artifact repositories)
    Secure your supply chain (permitted registries, sign and validate artifacts, etc.)
    Perform static analysis of user workloads and container images (e.g. Kubesec, KubeLinter)

**Monitoring, Logging and Runtime Security 20%**
    Perform behavioral analytics to detect malicious activities
    Detect threats within physical infrastructure, apps, networks, data, users and workloads
    Investigate and identify phases of attack and bad actors within the environment
    Ensure immutability of containers at runtime
    Use Kubernetes audit logs to monitor access        

The Key?Concepts

The exam covers 6 domains which has not changed much over the time, would say around 85% but there are introducing some new tools such as cilium and deprecating old components like controllers as kubernetes evolve such as Pod Security Standards but for sure can say there will be more than one network policies and RBAC related questions, also controller, security benchmarking tools, configuring audit settings, AppArmor and seccomp will be for sure and keep in mind after 1.29 there was big changes which is missed sometimes also docker file security best practices with many more…

• Network Security Policies : The focus on configuring network security policies to restrict cluster-level access continues. This practice remains essential for isolating and protecting the Kubernetes cluster from unauthorized access.
• CIS Benchmarks : Using CIS (Center for Internet Security) benchmarks to review the security configurations of key Kubernetes components (such as etcd, kubelet, kubeapi, and kubedns) is still a critical component of this domain. Adhering to these benchmarks ensures the cluster is secured according to industry standards.
• Ingress Setup with TLS : One of the major updates is the emphasis on setting up ingress with Transport Layer Security (TLS). TLS is essential for encrypting data in transit and ensuring secure communication between services and clients.
• Node Metadata Protection : Protecting node metadata and endpoints remains a priority, with the continued recommendation to verify platform binaries before deployment. However, the previous guideline to minimize GUI access has been removed, shifting the focus towards more specific and actionable security measures.
• Restricting API Access : This domain emphasizes restricting access to the Kubernetes API to ensure that only authorized users can interact with the cluster.
• RBAC Policies : The use of Role-Based Access Controls (RBAC) is encouraged to minimize exposure and ensure that users and services have only the necessary permissions.
• Service Account Management : Managing service accounts carefully is still critical, as they can be a potential attack vector if misconfigured.
• Minimizing OS Footprint : Reducing the host operating system (OS) footprint to essential components remains a best practice. This helps in eliminating unnecessary software that could be exploited by attackers.
• Least-Privilege IAM : The previous guidance on minimizing IAM roles has been refined to emphasize the principle of least-privilege identity and access management (IAM) . This ensures that users and services only have the permissions necessary to perform their tasks.
• Restricting Network Access : Minimizing external access to the cluster’s network reduces the risk of external attacks.
• Kernel Hardening Tools : The use of tools like AppArmor and seccomp continues to be a crucial practice for enforcing security policies that limit the capabilities of processes running on the system.
• Pod Security Standards : A shift in focus from OS-level security domains to using pod security standards is a significant change. Pod security standards define policies that restrict what pods can do, ensuring they operate with the least privilege required.
• Managing Kubernetes Secrets : Managing Kubernetes secrets securely remains essential. This involves securely storing and accessing sensitive information like API keys, tokens, and passwords.
• Isolation Techniques : The recommendation to use container runtime sandboxes has been expanded to a broader focus on implementing isolation techniques. This includes using multi-tenancy and sandboxed containers, among other methods.
• Pod-to-Pod Encryption with Cilium : Another important update is the specific mention of using Cilium for pod-to-pod encryption. Cilium enhances Kubernetes security by providing advanced networking and security policies, including robust encryption capabilities.
• Software Bill of Materials (SBOM) : A significant addition is the focus on understanding the software bill of materials (SBOM). An SBOM is a detailed list of all components within a software product, helping in identifying vulnerabilities in third-party components.
• Kubesec and KubeLinter : Tools like Kubesec and KubeLinter have been introduced to enhance the security of Kubernetes configurations. Kubesec evaluates resource configurations for best practices, while KubeLinter analyzes YAML files and Helm charts for potential security risks.
• CI/CD Security : Securing the CI/CD pipeline is emphasized, ensuring that software builds and deployments are secure from vulnerabilities.
• Behavioral Analytics : Monitoring system calls, processes, and file activities at the host and container levels helps in detecting malicious activities.
• Threat Detection : Detecting threats in physical infrastructure, applications, networks, and data is crucial for comprehensive security.
• Audit Logs : The use of audit logs to monitor access and detect security breaches continues to be a key component in securing Kubernetes environments.

Key Learning Materials and?Tips:

In this section I will sahre observations during my last 4 year of passing exams more then 15+ at this point first lets cover recomended materials in this order:

• https://www.youtube.com/watch?v=d9xfB5qaOfg >> would say one of the best material but outdate at this point (if the conent will updated will metnion it )
• https://learn.kodekloud.com/courses/certified-kubernetes-security-specialist-cks
• https://www.youtube.com/watch?v=jvmShTBSBoA&list=PLFkEchqXDZx6Bw3B2NRVc499j1TavjOvm
• https://github.com/ramanagali/Interview_Guide/blob/main/CKS_Preparation_Guide.md
• https://github.com/SebastianUA/Certified-Kubernetes-Security-Specialist
• https://github.com/theJaxon/CKS/blob/main/README.md
• https://github.com/snigdhasambitak/cks?tab=readme-ov-file
• https://rafaelmedeiros94.medium.com/mastering-the-cks-kubernetes-exam-6-6-monitoring-logging-and-runtime-security-bfab66b231d2 >>> check all 6 part
• https://github.com/ggnanasekaran77/cks-exam-tips
• https://github.com/echoboomer/k8s-cks-notes
• https://github.com/leandrocostam/cks-preparation-guide
• https://github.com/theJaxon/CKS/blob/main/README.md
• https://github.com/ViktorUJ/cks/tree/master
• https://jonathan18186.medium.com/certified-kubernetes-security-specialist-cks-preparation-part-9-exam-hacks-e12c95626958 >>> check all 9 parts
• https://kubernetes.io/pt-br/docs/reference/kubectl/cheatsheet/
• https://www.youtube.com/watch?v=9UqkWcdy140 >>> real exam UI
• https://www.youtube.com/watch?v=3YWLuidA2JI >>> 2024 update review?
• https://ravikirans.com/cks-kubernetes-security-exam-study-guide/

Overall taking kodekloud course is good starting point then doing mock exams and nailing killer.sh practice test should be enough

Now let speak about tips and how to navigate during?exam

I had opportunity to take exam when we had share screen from our computer and work from web but due to nature of human to find easy ways to cheat this method of conducting exams was discarded and as a solution CNCF and LF introduced remote desktop where we are given access on VM, from my experience I spent more time trying to figuring out how does key binding works on that remote desktop rather than on tasks spoilers alert searching on page does not works as it should (CTRL+F) but copy&past shortcuts works as it should below is example of screen shot of exam what you could expect

Exam is done via remote desktop and this is how it looks

Start the pre-exam process 30 minutes before the scheduled time. The process includes PSI browser setup, exam environment verification, etc. Overall the pre-exam process takes anywhere between 10–15 minutes.

when the exam start I usually like to scan through the all questions to undestand which ones are the easiest and which ones are connected to each other when I will start solving them I can refere same documentation pages like how to create secret for specific paramters and how to inject secret as enviroment variable in the pod, by this way I start with easy questions so on subconscious level I already feel confident and then start dealing with hard ones.

When working with API server manifest always I repeate always take backups of existing yaml file to restore state before editing, if we mess up API server and it is not working in that cluster you will loose not only the points for that task but other ones as part of answers in this cluster

try to wrap up 15 minutes before the deadline?—?it will give you additional time to revise the solutions.

Give a couple of practice exams, identify your weak topics, and spend more time on those.

If any particular question will take more than 6–7 mins to solve, flag/mark it to solve for later and come back once you solve the rest.

Ensure you have very good and stable internet connectivity while appearing for the exam. For some reason, if you lose the connectivity you will have to go through the verification process again.

On exam day, try to keep an alternative internet source handy in case of Wi-Fi internet goes down.

During exam we are asked to create resource we have to options in this case either copy from documentation or create on the fly with kubectl cli and redirect output “kubectl create deployment nginx?—?image=nginx?—?dry-run=client -o yaml > deployment.yaml” I recommend using CLI as it will speed up creating manifest a lot.

Terminal tips:

#use alises it will help a lot cause we will type a lot, some of them are already enable and complition is turnd on (TAB TAB)
alias k='kubectl'
export do="--dry-run=client -o yaml"    # k create deploy nginx --image=nginx $do > pod.yaml
export now="--force --grace-period 0"   # k delete pod x $now


#some usefull commands to remember, thanks me later ;) 
#use "kubectl explain" to check the structure of a resource object if you do not remeber spec and could not find it in docs
kubectl explain deployment --recursive
#delete all pods in specific namespace
kubectl delete  -n [nameNAMESPACE] pod --all

#every "kubectl create [resourseNAME] --help"  will show the example command how to use it 
kubectl create configmap --help
OUTPUT >>>Examples:
          # Create a new config map named my-config based on folder bar
          kubectl create configmap my-config --from-file=path/to/bar
kubectl create secret generic --help
OUTPUT>>> Examples:
          # Create a new secret named my-secret with key1=supersecret and key2=topsecret
          kubectl create secret generic my-secret --from-literal=key1=supersecret --from-literal=key2=topsecret
#Print what resourse do we have in cluster
kubectl api-resources

#Print the supported API versions on the server, in the form of "group/version".
kubectl api-versions

#Deploy a new Pod
kubectl run my-pod –image=[podNAME]–namespace=[namepsaceNAME]

#get all pods across all namespaces
kubectl get pod --all-namespaces or k get pod -A

# Expose the Pod as a Service
kubectl expose pod my-pod –port=80 –namespace=[namepsaceNAME]

#This increas number of pods in deployment and replicasets
kubectl scale --replicas=3 deployment [deploymentNAME]
# Describe a resource

kubectl describe pod my-pod –-namespace=[namepsaceNAME]
# Check Pod logs in [namepsaceNAME]
kubectl logs my-pod –-namespace=[namepsaceNAME]

#Check events which are happening in [namepsaceNAME]
kubctl get events --nnapecpace=[namepsaceNAME] --sort-by='.metadata.creationTimestamp'

#In pod [podNAME] inside of it container [containerNAME] executes command sh passed after -- and is attached to interactive shell
kubectl exec -it [podNAME] -c [containerNAME] -- sh

#This commands shows us the current enabled admission controllers
kubectl exec -it -n kube-system kube-apiserver-controlplane -- kube-apiserver -h | grep -i enable-admission-plugins

#Will remove newlines from output usful when working with secrets
cat fileNAME | base64 -w 0

#Creates deployment yaml file to work with using image [imageNAME] and setting deployment name [deploymentNAME]
kubectl create deployment --dry-run=client --image=[imageNAME] --output=yaml [deploymentNAME] > [NAME.yml]

#create SVC
kubectl create service clusterip [serviceNAME] --tcp=[portNUMBER] --dry-run=client -o yaml
#Create Role
kubectl create role [roleNAME] --verb=list --verb=watch --resource=pods

#Create Role binding
kubectl create rolebinding [rolebindingNAME] --role=[roleNAME] --serviceaccount=[namespaceNAME]:[serviceaccountNAME]
kubectl auth can-i --help 

#Output: 
kubectl auth can-i list pods --as=system:serviceaccount:dev:foo -n prod        

Conclusion

Practice, Practice and again Practice this is key for this exam expecialy if you do not have experiance, do not wast time on questions which you dont know try to review them lates as you may find answer in other questions and remember there is free retake if you failed on first one…

The exam is relativly easy amon other perfomance based ones I would rank it in this order KCNA/CGOA/CAPA/CCA/CKAD/PCA/KCSA/CKA/CKS after conducting exam in 24 hours you will recive grading and after passing exam it feel prety satisfying overall hope it was informative and useful ??