Certified Kubernetes Security Specialist (CKS) #1: The Exam Environment — CKA prerequisite, tools, time management
If the 27-post CKA series had you mastering the administrator’s job of installing, operating, and fixing a cluster, the final step is how you keep that cluster secure. Among the CNCF Kubernetes certifications, the hands-on exam taken from a security specialist’s point of view is the Certified Kubernetes Security Specialist (CKS). This series unpacks every domain you need to pass CKS across 20 posts.
CKS isn’t an exam about creating new resources — it’s an exam about shrinking the attack surface of a cluster that’s already running. You confine containers at the kernel level, verify images, and catch abnormal behavior at runtime. So this first post covers not only the exam structure but also the big picture of the security tools CKS deals with and how you’ll use the docs during the exam.
What kind of certification is CKS
CKS validates, hands-on, your ability to protect a Kubernetes cluster and the workloads on top of it from attacks. Where CKA was about keeping the cluster running, CKS focuses on shrinking that cluster’s attack surface, detecting intrusions, and containing damage. It checks whether you can finish tasks like these in an empty terminal within the time limit.
- Lay down a default deny with NetworkPolicy and open only the communication you need
- Restrict a container’s system calls with AppArmor and seccomp
- Reject dangerous Pods with Pod Security Admission
- Scan an image with Trivy and verify its signature with cosign
- Enforce policy with OPA/Gatekeeper or Kyverno
- Detect abnormal runtime behavior with Falco and analyze audit logs
Someone who passes this exam doesn’t just operate a cluster — they can find and close weaknesses from an attacker’s point of view.
Holding CKA is a prerequisite
CKS is the only CNCF Kubernetes certification that requires you to hold a valid CKA at the time you book your exam. It takes CKA’s operational knowledge (kubeadm, etcd, RBAC, troubleshooting) for granted and stacks security on top of it. So we recommend coming into this track after you’ve finished the CKA series first.
Who gets value from it
| Role | Why |
|---|---|
| Platform / security engineers | The top-tier proof of Kubernetes security design and operations |
| DevSecOps | Practical skill with supply-chain and runtime security tools |
| SRE / infra engineers | Building the security depth that goes beyond CKA |
| Compliance staff | Practical understanding of CIS benchmark and policy enforcement |
Of the three CNCF Kubernetes certifications (CKAD, CKA, CKS), CKS is the most specialized and tool-intensive exam. Since each of the six domains demands a different tool, getting hands-on fluency with each tool is the key to passing.
Exam structure
The surface-level facts about the CKS exam are worth committing to memory.
| Item | Value |
|---|---|
| Format | Performance-based. You work on a real cluster |
| Number of questions | About 15–20 tasks |
| Exam time | 2 hours |
| Passing score | 67% |
| Exam fee | $395 USD (includes one retake) |
| Validity | 2 years |
| Eligibility | A valid CKA certification is required |
| Doc access | Beyond kubernetes.io/docs, browsing the docs of designated tools such as Falco, Trivy, AppArmor, and gVisor is allowed |
| Delivery | Online proctored (PSI). Remote terminal |
| Kubernetes version | The latest minor version at the time you sit (confirm when booking) |
The decisive difference from CKA
CKA was an exam about building and fixing a cluster. CKS is an exam about making an already-running cluster more secure. So even though you use the same kubectl, the goal of each task is different. You get security-oriented tasks like “make sure this Pod doesn’t run as root,” “apply a default deny to this namespace,” or “scan this image for vulnerabilities.” Many tasks also have you work with Linux security tools outside Kubernetes (AppArmor, seccomp, Falco) directly on the node, so CKS demands more familiarity with Linux system security than CKA does.
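Two of the task types quoted above, written out as manifests. This is an added example, not part of the original post; the namespace `team-a`, the Pod name, the image reference and UID 10001 are assumptions chosen for illustration.

```yaml
# Default deny for the whole namespace (assumed name: team-a).
# The empty podSelector selects every Pod in the namespace; listing both
# policy types with no ingress/egress rules means nothing is allowed.
# Enforcement requires a CNI plugin that implements NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: team-a
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# A Pod that cannot run as root.
# runAsNonRoot makes the kubelet refuse to start a container whose
# effective UID would be 0; runAsUser pins a concrete non-root UID.
apiVersion: v1
kind: Pod
metadata:
  name: app                                # assumed name
  namespace: team-a
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001                       # assumed non-root UID
    seccompProfile:
      type: RuntimeDefault                 # container runtime's default seccomp filter
  containers:
  - name: app
    image: registry.example.com/app:1.0    # placeholder image reference
    securityContext:
      allowPrivilegeEscalation: false      # blocks gaining privileges via setuid binaries
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
```

With this default deny in place, Pods in the namespace also lose DNS resolution until an egress rule for port 53 is added.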
Passing line of 67%
CKS’s passing line is 67%, one notch higher than the 66% of CKA and CKAD. It’s graded per task, and some tasks award partial credit. Since each tool has a different way of being used, it’s easy to get stuck on one task — so the right move is to lock in points by starting with the tasks your hands know well.
The weight of the six domains
The CKS scope is laid out across six domains in the official exam curriculum.
| # | Domain | Weight | Series mapping |
|---|---|---|---|
| 1 | Cluster Setup | 10% | #2, #3 |
| 2 | Cluster Hardening | 15% | #4, #5 |
| 3 | System Hardening | 15% | #6–#8 |
| 4 | Minimize Microservice Vulnerabilities | 20% | #9–#12 |
| 5 | Supply Chain Security | 20% | #13–#15 |
| 6 | Monitoring, Logging and Runtime Security | 20% | #16–#18 |
The weights are your guide to splitting study time. The last three domains (microservices, supply chain, runtime) at 20% each make up 60% combined. These three domains decide whether you pass, and since each demands a separate tool like PSA, image scanning/signing, and Falco, tool proficiency translates directly into points.
The big picture of the security tools CKS covers
Studying for CKS is, in effect, studying the tools. Let’s lay out the tools this series will cover by domain in a single table up front.
| Area | Tool | What it does |
|---|---|---|
| Network | NetworkPolicy, Cilium | Blocking communication, Pod-to-Pod mTLS |
| Benchmark | kube-bench | Checking the CIS benchmark |
| System | AppArmor, seccomp | Restricting system calls and file access |
| Policy | Pod Security Admission, OPA/Gatekeeper, Kyverno | Rejecting dangerous Pods and manifests |
| Isolation | gVisor, Kata Containers | Kernel-isolated sandboxes |
| Image | Trivy, Kubesec, cosign, SBOM | Vulnerability scanning, signature verification |
| Runtime | Falco, audit log | Detecting abnormal behavior, auditing |
You should be able to explain in one line what attack each tool blocks — that’s how you quickly grasp the intent of a task during the exam.
Study strategy
1) Run each tool by hand once
CKS is a tool-by-tool exam. The person who has loaded an AppArmor profile themselves, attached a seccomp profile to a Pod, and triggered a Falco rule is the one who doesn’t get stuck in the exam room. We’ll run each tool by hand once on a local cluster.
2) Learn where things are in the docs ahead of time
CKS allows browsing not only kubernetes.io/docs but also the official docs of Falco, Trivy, AppArmor, gVisor, and others. Learn ahead of time where things are in each tool’s docs, so that during the exam you can quickly find profile syntax or command options and save time.
3) Put your weight on the heavily weighted later domains
The microservices, supply chain, and runtime domains make up 60%. The earlier Cluster Setup (10%) matters too, but what decides whether you pass is the later part, so we’ll allocate more study time to PSA, image signing, and Falco.
4) Save mock exams for the back half
After one loop through this series, you’ll find a full-scale hands-on mock exam in #20. If you need more practice, the CKS scenarios on killercoda or the killer.sh mock environment included with your exam voucher are the trustworthy benchmark.
Registration and the testing environment
Registration steps
- Confirm you hold a valid CKA. CKS can’t be booked without CKA
- Buy CKS on the Linux Foundation training portal. You can take advantage of discount events
- Make use of the two killer.sh mock exams included with your voucher
- Book your exam date in the PSI proctoring system and pass the system compatibility check
Preparing for the online-proctored exam
CKS is an online-proctored exam where you connect to a remote terminal to work.
- ID — A passport with English Romanization is safest. The name must match your registration info exactly
- Testing environment — Clear everything off the desk, use only one screen even with dual monitors, and block family and roommates from entering
- System check — Check in 30 minutes before the exam and close all background apps. A stable wired network is recommended
Wrap-up
What this post locked in:
- CKS is the Kubernetes security specialist’s hands-on certification. An exam about shrinking the attack surface, detecting intrusions, and containing damage
- Holding a valid CKA is a prerequisite to sit. About 15–20 tasks / 2 hours / 67% / $395 (includes one retake) / valid 2 years
- Six domains — Cluster Setup (10%), Cluster Hardening (15%), System Hardening (15%), Minimize Microservice Vulnerabilities (20%), Supply Chain Security (20%), Monitoring, Logging and Runtime Security (20%)
- The tools are the exam — NetworkPolicy, kube-bench, AppArmor, seccomp, PSA, OPA/Gatekeeper, Kyverno, gVisor, Trivy, cosign, Falco
- Study strategy — run each tool by hand once. Learn where things are in the docs. Put your weight on the heavily weighted later domains
Next — NetworkPolicy in depth
The environment is set. Now we go into network isolation, the heart of the first domain, Cluster Setup.
In #2 NetworkPolicy in depth: default deny, ingress/egress, we’ll work hands-on through how to flip a default all-allow state into a default deny, how to restrict ingress and egress separately, the pattern of combining podSelector and namespaceSelector to open only the communication you need, and the “isolate this namespace but allow only DNS” task type that comes up often in the exam.