Master Kubernetes CKS Exam 1.28 Curriculum

Let’s have a look at the official syllabus-wise resources for the CKS exam. All the topics mentioned are as per the official Linux Foundation Certified Kubernetes Security Specialist Exam CKS Exam Curriculum.

CKS Exam aims to test your skills in different security aspects. The following table shows the different domains and their weightage for the CKS Exam Curriculum.

Cluster Setup 10%

This section carries 10% weightage in the CKS Exam Curriculum

Under Cluster setup , The security features of the cluster components are more the center of attention. The CKS questions accord this portion a 10% weighting.

Use Network security policies to restrict cluster-level access

• Kubernetes Network Security Policy Documentation
• Traffic using network policies
• Securing Kubernetes clusters
• Declare network policies to control how Pods communicate
• Strengthen the cluster network strategy

Use CIS benchmarks to check the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)

The benchmarks for Kubernetes security requirements were developed by the Center for Internet Security (CIS) and the Kubernetes community.

The Kubernetes CIS benchmarks can help organisations meet compliance and security needs.

• CIS Kubernetes benchmark using Kube-bench

Configure the security settings of the ingress

• Ingress documentation
• what Ingress is
• What are Ingress Controllers?
• Set up ingress on Minikube ingress controller
• What are Ingress Controllers?

Protect node metadata and endpoints

• Restrict access to metadata via API
• Restricting cloud metadata API access
• Guide to configuring network policies

Minimize the use and access to the dashboard

Kubernetes dashboard access must be secured because cluster users from many networks inside an organization use it. Additionally, numerous Kubernetes hacking issues were caused by incorrect Kubernetes dashboard security configurations.

You must get knowledgeable about all the configurations and best practices needed to build up a safe Kubernetes dashboard.

• Web-based Kubernetes user interface
• Setting up security for the Kubernetes dashboard

Verify platform binaries before deployment

Learn how to use the checksum to validate the Kubernetes binaries. The version numbers and SHA ids needed to validate the binaries are available on the Kubernetes Github release page.

• Verify kubernetes binaries 

Cluster Hardening 15%

This section carries 15 % weightage in the CKS Exam Curriculum

Restrict access to the Kubernetes API

When it comes to Kubernetes production implementation, restricting API access is crucial. Only services with the necessary permissions should have access to the Kubernetes API, including those running within the cluster.

Bootstrap tokens, RBAC, ABAC, service accounts, and admission webhooks would be the main topics under this area.

• Ways to access Kubernetes cluster API
• Controlling access to Kubernetes API
• Kubernetes Authentication Overview
• Kubernetes Authorization Overview
• Admission Controllers Overview
• Admission Webhooks Overview
• Understand the process of accessing kubernetes api
• Control access to the Kubernetes API

Use RBAC to minimize resource exposure

To uphold the principle of least privilege, Kubernetes RBAC enables you to create fine-grained control over who has access to the Kubernetes API. A common error made during Kubernetes implementations is granting unnecessary cluster-wide access to everyone.

• Understand the authorization module of the kubernetes api server
• Authorize with RBAC

Exercise caution in using service accounts e.g., disable defaults, minimize permissions on newly created ones

The ideal way to grant applications or pods that need access to the Kubernetes API is through service accounts.

If you don’t specifically specify a service account, the default service account for each namespace will be associated to the pod. There are no privileges associated with the standard service account. However, if you assign a role to it, all of the access indicated in the role will be granted to it, and it will be applicable to every pod in the namespace.

To uphold the principle of least privilege, it is common practice to deploy various workloads with several service accounts.

• Service Account Management Guide
• Configure service account for a Pod
• Access Control: Exploring Service Account SA
• Kubernetes: Create Service Accounts and Kubeconfigs
• Set the service account SA for Pods
• Kubernetes should not mount the default service account
• Secure Kubernetes clusters by eliminating dangerous permissions

Update Kubernetes frequently

To ensure the availability of the application, you should adhere to the suggested measures whenever you upgrade a Kubernetes cluster.

• Upgrading a cluster with kubeadm
• kubeadm upgrade

System Hardening 15%

This section carries 15 % weightage in the CKS Exam Curriculum

System hardening tries to decrease attack surfaces by addressing vulnerabilities in infrastructure and application components

The typical system hardening tasks include :

• patching up as needed
• removing all auxiliary utilities
• limiting access using tools and firewall rules.
• logging every system action.

We have the following list of system hardening efforts for CKS.

Minimize host OS footprint (reduce attack surface

• Preventing Container Loading unwanted Kernel modules

Minimize IAM roles

• Learn what is the Principle of Least Privilege (POLP)
• Refer to RBAC section

Minimize external network access

• Restrict Loadbalancer access from external networks

Appropriate use of kernel hardening tools, such as AppArmor, seccomp

• Restrict a Container’s Access to Resources with AppArmor
• Restrict a Container’s Syscalls with Seccomp
• Securing a Pod Using Apparmor
• Set the Seccomp Profile for a Container

Minimize Microservice Vulnerabilities 20%

This section carries 20% weightage in the CKS Exam Curriculum

This section focuses mainly on service-to-service communications, as the title suggests. The fundamental ideas and Kubernetes objects involved in safeguarding communication between pods must all be mastered.

Improve security with PSP, OPA, security context

• Learn what is Open Policy Agent (OPA)
• Configuration of OPA Gatekeeper
• Configure a Security Context for a Pod or Container

Manage Kubernetes secrets

• Kubernetes Secret Overview
• Secrets to store sensitive information
• Encrypting Secret data at rest

Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers)

• Sandboxed Pods
• Workload Isolation using gVisor and kata containers
• What is gVisor? install gvisor
• Secure Containers with Google’s gVisor
• Running Pods with gVisor
• Kata containers and Kubernetes: how do they fit together?
• How to use Kata containers with Kubernetes?

Implement Pod-to-Pod encryption using mTLS

The process of enabling mTLS across pods is not documented. However, you can create certificates for use in the pod-to-pod encryption using the Kubernetes certificates.k8s.io API.

• Manage TLS Certificates in a Cluster

Supply Chain Security 20%

This section carries 20% weightage in the CKS Exam Curriculum

The course outline for the Linux Foundation emphasises the following key ideas :

• Minimize base image footprint
• Secure your supply chain: whitelist allowed registries, sign and validate images
• Use static analysis of user workloads (e.g. Kubernetes resources, Dockerfiles)
• Scan images for known vulnerabilities 

Considering that this area accounts for 20% of the total points, it is reasonable to anticipate 3-5 supply chain security-related questions. 
The various ideas that the CKS will emphasize in the supply chain security area are summarized below.

Minimize base image footprint

• How to create smaller images
• Dockerfiles Best practices

Secure the supply chain: whitelist allowed image repositories, sign and verify images

• Understanding Admission Controllers
• Using ImagePolicyWebhook Admission Controller
• Understand and configure ImagePolicyWebhooks to ensure that only images from approved sources are run
• Sign and verify images

Use static analysis of user workloads (e.g.Kubernetes resources, Docker files)

• Statically Analyse YAML

Scan images for known vulnerabilities

• Getting started with Trivy for vulnerability scanning.
• See my post about Trivy Notes

Monitoring, Logging and Runtime Security 20%

The sixth and last section of the CKS Exam focuses on cluster monitoring, logging, and runtime security. 
The Linux Foundation emphasises the following fundamental ideas :

• Conduct behavioral analytics on host- and container-level syscall process and file activity to look for malicious activity.
• Detect threats within a physical infrastructure, apps, networks, data, users, and workloads
• Detect every stage of an attack, no matter where it starts or how it spreads.
• Conduct in-depth analysis to find problematic actors in the environment and identify them.
• At runtime, make sure containers are immutable.
• Monitoring access with audit logging

20% of the points scored are allocated to this section, and it is reasonable to expect 3-5 questions concerning runtime security, logging, and monitoring. During the exam
The various concepts that the CKS will highlight in the monitoring, logging, and runtime security are outlined below.

Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities

• Restrict a Container’s Syscalls with Seccomp

Detect threats in physical infrastructure, applications, networks, data, users and workloads

A threat detection engine in Kubernetes is called Falco. It can easily identify threats and notify users to any abnormal program behavior.

• Using Falco for threat detection
• Kubernetes configuration security threats
• Kubernetes Threat Modeling Guide

Detect all phases of an attack, no matter where it occurs and how it spreads

• Using Falco for threat detection
• Kubernetes attack scenarios in the threat stack
• Anatomy of a Kubernetes Attack – How Untrusted Docker Images Broke Us Down
• Why do we use immutable Docker images?
• With immutable infrastructure, your system can come back to life

Perform deep analytical investigation and identification of bad actors within the environment

• Implementing Kubernetes Auditing

Ensure immutability of containers at runtime

Instead of using PodSecurityPolicy, you can enforce similar restrictions on Pods using either or both:

• Pod Security Admission
• a 3rd party admission plugin, that you deploy and configure yourself

Kubernetes Audit

• Enabling Kubernetes Auditing

Coupon Ends Soon ... ⏳

Certified Kubernetes Security Specialist (CKS)

$395 $316



• Upon registration, you have ONE YEAR to schedule and complete the exam.
• The CKA exam is conducted online and remotely proctored.
• To pass the exam, you must achieve a score of 67% or higher.
• The CKS Certification remains valid for a period of 2 years.
• You are allowed a maximum of 2 attempts to take the test. However, if you miss a scheduled exam for any reason, your second attempt will be invalidated.
• Free access to killer.sh for the CKS practice exam.

CKS Exam Voucher: Use coupon Code TECK20 at checkout

Buy Now and SAVE 20%

We earn a commission if you make a purchase, at no additional cost to you.