Training The Linux Foundation

Exam goals

code: CKS

The Certified Kubernetes Security Specialist (CKS) program provides assurance that a CKS has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime. CKA certification is required to sit for this exam.

Who Is It For:

A Certified Kubernetes Security Specialist (CKS) is an accomplished Kubernetes practitioner (must be CKA certified) who has demonstrated competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime.

About This Certification:

CKS is a performance-based certification exam that tests candidates' knowledge of Kubernetes and cloud security in a simulated, real world environment. Candidates must have taken and passed the Certified Kubernetes Administrator (CKA) exam prior to attempting the CKS exam. CKS may be purchased but not scheduled until CKA certification has been achieved.

CKA Certification must be active (non-expired) on the date the CKS exam (including Retakes) is scheduled.

What It Demonstrates:

Obtaining a CKS demonstrates a candidate possesses the requisite abilities to secure container-based applications and Kubernetes platforms during build, deployment and runtime, and is qualified to perform these tasks in a professional setting.

Conspect Show list

Domains & Competencies:

  • Cluster Setup10%
    • Use Network security policies to restrict cluster level access
    • Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
    • Properly set up Ingress objects with security control
    • Protect node metadata and endpoints
    • Minimize use of, and access to, GUI elements
    • Verify platform binaries before deploying
  •  Cluster Hardening15%
    • Restrict access to Kubernetes API
    • Use Role Based Access Controls to minimize exposure
    • Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones
    • Update Kubernetes frequently
  • System Hardening15%
    • Minimize host OS footprint (reduce attack surface)
    • Minimize IAM roles
    • Minimize external access to the network
    • Appropriately use kernel hardening tools such as AppArmor, seccomp
  •  Minimize Microservice Vulnerabilities20%
    • Setup appropriate OS level security domains e.g. using PSP, OPA, security contexts
    • Manage Kubernetes secrets
    • Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers)
    • Implement pod to pod encryption by use of mTLS
  •  Supply Chain Security20%
    • Minimize base image footprint
    • Secure your supply chain: whitelist allowed registries, sign and validate images
    • Use static analysis of user workloads (e.g.Kubernetes resources, Docker files)
    • Scan images for known vulnerabilities
  • Monitoring, Logging and Runtime Security20%
    • Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities
    • Detect threats within physical infrastructure, apps, networks, data, users and workloads
    • Detect all phases of attack regardless where it occurs and how it spreads
    • Perform deep analytical investigation and identification of bad actors within environment
    • Ensure immutability of containers at runtime
    • Use Audit Logs to monitor access

This exam is an online, proctored, performance-based test that requires implementing multiple solutions within a Remote Desktop Linux environment. Visual Studio Code, Vim and Webstorm (kindly sponsored by JetBrains) are included as editors in this environment.

The exam includes tasks simulating on-the-job scenarios, and Candidates have 2 hours to complete the tasks

Download conspect training as PDF

Additional information

  • Active (non-expired) CKA certification is a prerequisite for this exam.
Difficulty level
Duration 1 day

Other training The Linux Foundation | Exam

Training thematically related




Open Source

Contact form

Please fill form below to obtain more info about this training.

* Fields marked with (*) are required !!!

Information on data processing by Compendium - Centrum Edukacyjne Spółka z o.o.

395 USD


Sign up for exam

Traditional training

Sessions organised at Compendium CE are usually held in our locations in Kraków and Warsaw, but also in venues designated by the client. The group participating in training meets at a specific place and specific time with a coach and actively participates in laboratory sessions.

Dlearning training

You may participate from at any place in the world. It is sufficient to have a computer (or, actually a tablet, or smartphone) connected to the Internet. Compendium CE provides each Distance Learning training participant with adequate software enabling connection to the Data Center. For more information, please visit site


Paper materials

Traditional materials: The price includes standard materials issued in the form of paper books, printed or other, depending on the arrangements with the manufacturer.

Electronic materials

Electronic materials: These are electronic training materials that are available to you based on your specific application: Skillpipe, eVantage, etc., or as PDF documents.

Ctab materials

Ctab materials: the price includes ctab tablet and electronic training materials or traditional training materials and supplies provided electronically according to manufacturer's specifications (in PDF or EPUB form). The materials provided are adapted for display on ctab tablets. For more information, check out the ctab website.

Upcoming The Linux Foundation training

Training schedule
The Linux Foundation