A Great CKS Kubernetes Security Exam preparation guide to help you pass
Recapping how my exam went and the study process I followed, so it can help you pass too
If at first you don’t succeed, just keep trying.
I hope to share my exam experience, offer some study tips and resources as well as offer some insights into your very own exam ReadinessProbe
(You see what I did there?)
What Is the Certified Kubernetes Security Specialist Exam?
According to the CNCF, the CKS exam “provides assurance that a CKS has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime.”
Given the number of features available in vanilla, self-managed Kubernetes compared with the managed service offerings, you earn a great deal of SecOps brownie points by staying on top of the security posture of your Kubernetes cluster, whatever the cloud platform.
The Certified Kubernetes Administrator (CKA) certification is a prerequisite for the Certified Kubernetes Security Specialist (CKS) certification. As you have likely seen in the Kubernetes documentation, there is a great amount of implementation detail in every aspect of admission control, advanced policies and the never-ending custom resource definitions that can be created and managed by third parties.
This certification is yet another great opportunity to validate your skills and knowledge, and it makes security an integral part of the Kubernetes-focused certification track.
It is a personal challenge to wrap up the CNCF Kubernetes certification track [CKA, CKAD and now CKS]. That, containerisation and service mesh are my keen areas of ongoing interest.
Exam Experiences
From my point of view, this was a tough-but-fair certification accomplishment.
I have been working in Kubernetes and containerisation for around three years, with recent work effort in service mesh implementation. The CKA, being a prerequisite for the CKS exam, provides a great foundational framework to get started with.
This certification not only covers general Kubernetes cluster administration knowledge; there is also a certain degree of depth, particularly in self-managed kube-apiserver configuration, that you should be well versed in.
The exam material brings together the security best practices of Dockerfile and manifest management, static analysis and image scanning at build time, and runtime threat detection and prevention. Interestingly, some of the tools featured are developed by teams and vendors outside the immediate Kubernetes configuration ecosystem. This is why this is a great all-rounder of a certification and should seriously be considered by senior professionals working in this space.
I’ve written a number of blog posts in the past which touch on some of the CKS-tested elements, such as Taints & Tolerations [Why separate your Kubernetes workload with nodepool segregation and affinity options] and Cluster Network Security in particular. Finally, from a service mesh perspective, a tad more advanced but good to know if you want to dive deeper on the topic. And if you want to go deeper with KubeCon and ServiceMeshCon, I have recently covered the key conference takeaway notes here, and deeper yet on GitOps, here.
Exam Prep
I found the exam prep to be a great validator of existing knowledge, and it was most helpful for highlighting and closing the gaps in areas that I did not use regularly, such as Pod Security Policies.
The depth and breadth of the exam knowledge is sensible, with the following areas covered to a great degree:
- Best-practice Docker image development and an understanding of the Docker architecture
- Knowledge of a particular set of tools (e.g. kube-bench for the CIS Benchmarks, Trivy, Sysdig/Falco, AppArmor, seccomp, OPA/Gatekeeper)
- Extensive API server familiarity, including debugging of issues, in both extension and tuning (admission control, audit logging)
- Linux fundamentals particular to security, especially how containers map onto cgroups, are desired (a fantastic blog post is linked for more details)
- A thorough knowledge of Kubernetes architecture and component interaction (RBAC, NetworkPolicies, PSP, etc.)
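As an added example of the API server audit configuration mentioned above (this is not from the original post), here is a minimal audit policy of the kind the exam asks you to write. The file path in the comment and the usage note is an assumption; adjust it to your cluster layout.

```yaml
# /etc/kubernetes/audit/policy.yaml (assumed path)
apiVersion: audit.k8s.io/v1
kind: Policy
# Every request passes through RequestReceived before anything else; skipping
# that stage avoids logging each call twice.
omitStages:
  - "RequestReceived"
rules:
  # Secrets and ConfigMaps are sensitive: record who touched them (Metadata),
  # never the object body, which would copy the secret into the audit log.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  # Full request and response bodies for changes to RBAC objects, so a
  # privilege escalation can be reconstructed later.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
  # Drop high-volume, low-value noise from kube-proxy watches.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  # Catch-all: rules are evaluated top to bottom and the first match wins,
  # so this must stay last.
  - level: Metadata
```

Wire it into the kube-apiserver static pod manifest (/etc/kubernetes/manifests/kube-apiserver.yaml) with --audit-policy-file=/etc/kubernetes/audit/policy.yaml, --audit-log-path=/var/log/kubernetes/audit/audit.log, --audit-log-maxage=30 and --audit-log-maxbackup=10, and mount both the policy directory and the log directory into the container with hostPath volumes; forgetting the mounts is the classic reason the API server never comes back after the edit. If it does not restart, check the container logs under /var/log/pods (or with crictl logs) for a flag or YAML typo before touching anything else.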
Study Resources
I have found the following resources extremely helpful in preparing for the CKS exam. Start with the videos over a weekend; it is easier to get into study mode that way. Follow up with the reading material. You can mix and match as works better for you.
Videos to consume, and get into the study zone:
- Kubernetes Security Best Practices 101 — Youtube Video
- Secure Your Containers — Youtube Video
- Getting to Grips with Kubernetes RBAC — Youtube Video
- Using effective RBAC — Youtube Video
- Understanding Pod security policies — Youtube Video
- Intro to Falco — Youtube Video
- Intro to seccomp — Youtube Video
Supplemental Reading Material:
- Network policy editor by Cilium — an amazing visual representation and creation of network policies on this one!
- Kubernetes Pentest Methodology 2019 — from 2019 but still relevant, a great post to read
- Securing Kubernetes Clusters — Eliminate Risky Permissions
- Full CKS Udemy course by Kim
- Cluster Security Best Practices — Medium Post
- StackRox CKS study guide
- Awesome CKS notes by EchoBoomer
Practice exam with the CKS exam Sim:
- CKS exam simulator — Killer.sh
Main Exam Tips
- Take care with timekeeping: the exam does not have a countdown timer, which would be extremely helpful. There is a time bar, but it is hard to assess where it is at; we are used to seeing the actual time remaining, after all.
- Watch out for question/exam environment bugs: I wish I could say the questions were straightforward, but be prepared for an exam window crash, an exam restart and, worse, some questions referring to question components by incorrect names, i.e. “Allow” versus “Ally”. If in doubt, IMO save it under both names.
Kubernetes-native exam material
- Admission controllers: Ensure you are familiar with the different types, such as PodSecurityPolicy and ImagePolicyWebhook. Implement them and understand how they work with the API server and how they can provide added security to the cluster. https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
- Immutable containers: Find ways to make containers immutable using securityContext (for example a read-only root filesystem) and avoid mutable configuration, such as allowing shell access to a container. Immutable containers are good because we always know their state!
- NetworkPolicies: For extra security and more control over traffic flowing between pods, use Network Policies. By default all pods in a cluster can talk to each other; get more granular and create specific rules to define traffic flow.
- PodSecurityPolicies*: This enables fine-tuned authorisation of what a pod may request. It could be one of the greatest assets in securing workload runtime. (*This is being deprecated in favour of policy engines such as OPA/Gatekeeper; there are blog posts worth reading on this.) https://kubernetes.io/docs/concepts/policy/pod-security-policy/
- gVisor (kernel sandbox): gVisor is a kernel sandboxing implementation that intercepts a container's system calls in a user-space kernel, limiting what a malicious application or image can reach on the underlying host machine kernel.
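An added example (not from the original post) of the ImagePolicyWebhook admission controller described above: the two files the API server needs. The host name image-checker.example.svc, the /image_policy path, the file locations and the certificate names are assumptions; the webhook service itself is whatever the task or your environment provides.

```yaml
# /etc/kubernetes/admission/admission-config.yaml (assumed path)
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: ImagePolicyWebhook
  configuration:
    imagePolicy:
      # kubeconfig-format file telling the API server how to reach the webhook
      kubeConfigFile: /etc/kubernetes/admission/kubeconfig.yaml
      # cache allow/deny verdicts for this many seconds
      allowTTL: 50
      denyTTL: 50
      # milliseconds to wait between retries when the webhook does not answer
      retryBackoff: 500
      # fail closed: if the webhook cannot be reached, pod creation is rejected
      defaultAllow: false
---
# /etc/kubernetes/admission/kubeconfig.yaml (assumed path)
apiVersion: v1
kind: Config
clusters:
- name: image-checker
  cluster:
    # CA that signed the webhook's serving certificate
    certificate-authority: /etc/kubernetes/admission/webhook-ca.crt
    server: https://image-checker.example.svc:443/image_policy
contexts:
- name: image-checker
  context:
    cluster: image-checker
    user: api-server
current-context: image-checker
preferences: {}
users:
- name: api-server
  user:
    # client certificate the API server presents to the webhook
    client-certificate: /etc/kubernetes/admission/apiserver-client.crt
    client-key: /etc/kubernetes/admission/apiserver-client.key
```

Enable it in the kube-apiserver static pod manifest with --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook and --admission-control-config-file=/etc/kubernetes/admission/admission-config.yaml, and mount /etc/kubernetes/admission into the container with a hostPath volume. The caveat worth remembering: defaultAllow: false is the secure setting, but while the webhook is unreachable it rejects every non-static pod in the cluster, so verify with one pod you expect to be denied and one you expect to pass before moving on.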
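An added example, not the post's own, that combines several of the items above in one set of manifests: a gVisor RuntimeClass and a pod that uses it, a pod locked down through securityContext with an AppArmor profile attached, and a default-deny NetworkPolicy with a DNS carve-out. The namespace team-a, the busybox image and the profile name k8s-deny-write are assumptions; a runsc handler must already be configured in containerd on the node, and the AppArmor profile must already be loaded there.

```yaml
# RuntimeClass mapping to the gVisor handler; assumes containerd on the node
# already has a "runsc" runtime configured.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
---
# A pod whose syscalls are served by gVisor's user-space kernel, not the host kernel
apiVersion: v1
kind: Pod
metadata:
  name: sandboxed
  namespace: team-a
spec:
  runtimeClassName: gvisor
  containers:
  - name: app
    image: busybox:1.36
    command: ["sleep", "3600"]
---
# Immutable, least-privilege pod. The AppArmor profile k8s-deny-write is assumed
# to be loaded on the node (apparmor_parser -q /etc/apparmor.d/k8s-deny-write).
apiVersion: v1
kind: Pod
metadata:
  name: hardened
  namespace: team-a
  annotations:
    # "localhost/" selects a profile loaded on the node the pod lands on
    container.apparmor.security.beta.kubernetes.io/app: localhost/k8s-deny-write
spec:
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: busybox:1.36
    command: ["sleep", "3600"]
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    # the only writable location; it lives in tmpfs, not in the image layer
    - name: tmp
      mountPath: /tmp
  volumes:
  - name: tmp
    emptyDir: {}
---
# Default deny in both directions for every pod in the namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: team-a
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Re-allow DNS to kube-dns, otherwise nothing in the namespace can resolve names
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: team-a
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system   # set automatically since 1.21
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
```

readOnlyRootFilesystem together with dropping all capabilities is what makes the container immutable in practice; kubectl exec hardened -- touch /etc/x should fail while touch /tmp/x succeeds. The two NetworkPolicies are additive, so the order you apply them in does not matter, but applying default-deny alone breaks name resolution first, which is why kubectl exec hardened -- nslookup kubernetes.default is the quickest check that the carve-out works.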
Third-Party Tools Examinable Material
The following are mentioned throughout the CKS criteria.
These are some examples of open source tools and projects, outside the immediate Kubernetes ecosystem, that are recommended to get hands-on with in order to pass the exam.
- Aqua Security's open source kube-bench: Easy to execute against your cluster. Pull the binary down onto the worker (and master) nodes and run kube-bench node or kube-bench master to get your cluster inspection report against the CIS Benchmark. This is a great starting point.
- Aqua Security's Trivy: a very simple image scanning tool.
- AppArmor: Practice loading new profiles and then using them with your pods. AppArmor will be pre-installed.
- Falco: Practice finding all Falco rules, searching for specific ones, changing their output and capturing specific output.
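An added example, not part of the original post, of the Falco task described above: overriding the output of a built-in rule and capturing Falco events to a file. The rule body is a simplified version of the stock “Terminal shell in container” rule and the output path is an assumption; the macros it uses (spawned_process, container, shell_procs) come from the default falco_rules.yaml, which is loaded before the local file.

```yaml
# /etc/falco/falco_rules.local.yaml
# This file is loaded after falco_rules.yaml, so a rule with the same name
# replaces the stock definition; the detection is kept, only the output changes.
- rule: Terminal shell in container
  desc: A shell was used as the entrypoint/exec point into a container with an attached terminal.
  # simplified condition (assumption): the stock rule also excludes known-good entrypoints
  condition: >
    spawned_process and container
    and shell_procs and proc.tty != 0
  # custom, grep-friendly output: time, user, container id, image, shell binary
  output: >
    SHELL_IN_CONTAINER %evt.time %user.name %container.id %container.image.repository %proc.name
  priority: WARNING
  tags: [container, shell]

---
# Fragment to merge into /etc/falco/falco.yaml: keep stderr output and also
# append every event to a file that can be grepped or handed in as evidence.
file_output:
  enabled: true
  keep_alive: false
  filename: /var/log/falco/events.txt
```

Restart Falco (systemctl restart falco), open a shell in any pod with kubectl exec -it and then run grep SHELL_IN_CONTAINER /var/log/falco/events.txt or journalctl -u falco to see the event. In the exam, change only what the task asks for: if it says to alter the output, leave the priority and condition as they are, because a grader comparing the rule may look at those too.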
Start with Booking the Exam
If you’re anything like me, you will probably organise your time schedule to ensure you sit the exam by booking the exam first. Remember that the prerequisite is the CKA certification.
One final tip to remember: it’s an open-book exam. BUT you won’t have time to start “searching” for answers. You need to already know where to go to get them. Practice that search, and you’ll be fine.
Already passed the exam? How did it go? Share your experience in the comments section below. In fact, get in touch; you may want to get working on a cloud native Kubernetes work stream right away. We’re always hiring!