CKS Exam Prep

Study Guide

Certified Kubernetes Security Specialist Study Guide

Use the saved domain outline to connect Cluster Setup, Cluster Hardening, System Hardening, Minimize Microservice Vulnerabilities, Supply Chain Security, and Monitoring, Logging and Runtime Security to scenario-based questions and explanations.

How the Exam Is Structured

The Certified Kubernetes Security Specialist (CKS) exam validates hands-on skills in cluster setup, cluster hardening, system hardening, minimizing microservice vulnerabilities, supply chain security, and monitoring, logging and runtime security. The ExamPal practice bank includes 399 premium questions and 40 free questions mapped across the official blueprint.

Domain | Weight | Focus
Domain 1: Cluster Setup | 15% | Task 1.1: Use Network security policies to restrict cluster level access; Kubernetes NetworkPolicy resources (ingress/egress rules)
Domain 2: Cluster Hardening | 15% | Task 2.1: Restrict access to Kubernetes API; API server flags: --anonymous-auth, --insecure-port, --authorization-mode
Domain 3: System Hardening | 10% | Task 3.1: Minimize host OS footprint (reduce attack surface); Removing unnecessary packages, services, ports
Domain 4: Minimize Microservice Vulnerabilities | 20% | Task 4.1: Setup appropriate OS level security domains; Pod Security Standards (Privileged, Baseline, Restricted)
Domain 5: Supply Chain Security | 20% | Task 5.1: Minimize base image footprint; Distroless images, scratch images, Alpine vs Ubuntu base
Domain 6: Monitoring, Logging and Runtime Security | 20% | Task 6.1: Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities; Falco for runtime threat detection

15% of exam

Domain 1: Cluster Setup

Covers foundational cluster security setup tasks, including network policy enforcement, CIS benchmark review, ingress security, node metadata protection, dashboard hardening, and binary verification. These controls reduce exposure at the cluster boundary and help ensure trusted components are deployed.

Task 1.1: Use Network security policies to restrict cluster level access
Kubernetes NetworkPolicy resources (ingress/egress rules)
Default-deny policies, namespace isolation
Calico, Cilium, Weave Net CNI plugins for NetworkPolicy enforcement
Task 1.2: Use CIS benchmark to review the security configuration of Kubernetes components
CIS Kubernetes Benchmark scoring
kube-bench tool for automated CIS audit
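A worked example for Task 1.1, added here and not part of the curriculum or of any CNI project: it renders the default-deny policy for a namespace, the two allow-policies a namespace always needs once everything is denied (DNS egress and same-namespace ingress), and a small lint for the mistake candidates make most often, a "default deny" that lists only Ingress in policyTypes. The namespace name payments, the kube-dns label and port, and the temp paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the CKS curriculum or any CNI project): render the
# default-deny NetworkPolicy for a namespace plus the two allow-policies it
# needs afterwards, and lint a policy file for the "denied only ingress" mistake.
# Assumptions: namespace "payments"; cluster DNS in kube-system labelled
# k8s-app=kube-dns on port 53 (kubeadm default); a CNI that enforces
# NetworkPolicy. Manifests go to a temp dir; kubectl apply is guarded.

# podSelector {} selects every pod in the namespace. Listing both policyTypes
# with no ingress/egress rules denies all traffic in both directions.
default_deny_policy() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: $1
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
EOF
}

# Policies are additive: after default-deny, allow only what is needed.
# Without DNS egress every pod in the namespace fails name resolution.
allow_dns_egress_policy() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: $1
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
EOF
}

# Namespace isolation: ingress only from pods of the same namespace. A "from"
# entry with podSelector {} and no namespaceSelector means "any pod here".
allow_same_namespace_ingress_policy() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: $1
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}
EOF
}

# A file is a real default-deny only if it selects all pods AND lists both
# policyTypes; Ingress alone leaves egress (exfiltration, C2) wide open.
# Prints "default-deny" (status 0) or "partial" (status 1).
check_default_deny() {
  if grep -q 'podSelector: {}' "$1" && grep -q '^  - Ingress' "$1" \
     && grep -q '^  - Egress' "$1"; then
    echo default-deny; return 0
  fi
  echo partial; return 1
}

NS=payments
POLICY_DIR=$(mktemp -d)
default_deny_policy "$NS"                 > "$POLICY_DIR/00-default-deny.yaml"
allow_dns_egress_policy "$NS"             > "$POLICY_DIR/10-allow-dns.yaml"
allow_same_namespace_ingress_policy "$NS" > "$POLICY_DIR/20-allow-same-ns.yaml"

# Constructed counter-example: looks like default-deny but covers ingress only.
BAD_POLICY=$(mktemp)
default_deny_policy "$NS" | grep -v '^  - Egress' > "$BAD_POLICY"

check_default_deny "$POLICY_DIR/00-default-deny.yaml"
check_default_deny "$BAD_POLICY" || true

# Apply deny first, then the allow rules, only when a cluster is reachable.
if command -v kubectl >/dev/null 2>&1 && kubectl cluster-info >/dev/null 2>&1; then
  kubectl apply -f "$POLICY_DIR"
fi
```

Two caveats worth remembering in the exam: NetworkPolicy objects are accepted by the API server on any cluster, but they only take effect when the CNI enforces them, so a policy applied on a cluster without Calico, Cilium or Weave Net silently does nothing; and a default-deny with only Ingress in policyTypes still allows all egress, which is why the lint checks for both.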

15% of exam

Domain 2: Cluster Hardening

Covers hardening of Kubernetes control plane access, RBAC design, service account token handling, and upgrade discipline. The domain emphasizes minimizing exposure through secure API server settings, least-privilege authorization, and timely version updates.

Task 2.1: Restrict access to Kubernetes API
API server flags: --anonymous-auth=false, --authorization-mode=Node,RBAC (never AlwaysAllow), --insecure-port=0 on clusters that still have it (kube-apiserver stopped serving the insecure port in v1.20 and the flag was removed in v1.24)
API server audit logging configuration
Task 2.2: Use Role Based Access Controls to minimize exposure
ClusterRole vs Role, ClusterRoleBinding vs RoleBinding
Aggregated ClusterRoles, default ClusterRoles (cluster-admin, admin, edit, view)
RBAC best practices: least privilege, named subjects
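A worked example for Task 2.1, added here and not taken from the page, kube-bench or the CIS benchmark: a shell audit of the kube-apiserver flags named above as they appear in a kubeadm static pod manifest, where each flag is a "- --flag=value" line under the container command. The two manifests are constructed samples (one weak, one hardened); the live path /etc/kubernetes/manifests/kube-apiserver.yaml is the kubeadm default and is only read when it exists.

```shell
#!/bin/sh
# Added example (not from the page, kube-bench or CIS): audit the
# kube-apiserver flags from Task 2.1 in a kubeadm static pod manifest.
# Both manifests below are constructed; the live path is only read if present.

# Prints one finding per weak setting on stderr and the finding count on
# stdout, so the count can be scripted against.
audit_apiserver() {
  file=$1
  n=0
  # Value of --<flag>=<value>; empty when the flag is absent.
  flag() { grep -o -- "--$1=[^[:space:]]*" "$file" | head -n 1 | cut -d= -f2- || true; }

  if [ "$(flag anonymous-auth)" != "false" ]; then
    echo "anonymous-auth not false: unauthenticated requests reach the API (default is true)" >&2
    n=$((n + 1))
  fi
  case "$(flag authorization-mode)" in
    *AlwaysAllow*|"") echo "authorization-mode missing or includes AlwaysAllow" >&2; n=$((n + 1)) ;;
    *RBAC*) ;;
    *) echo "authorization-mode does not include RBAC" >&2; n=$((n + 1)) ;;
  esac
  port=$(flag insecure-port)
  if [ -n "$port" ] && [ "$port" != "0" ]; then
    echo "insecure-port=$port: plaintext API with no authn/authz (pre-1.20 clusters)" >&2
    n=$((n + 1))
  fi
  if [ -z "$(flag audit-log-path)" ] || [ -z "$(flag audit-policy-file)" ]; then
    echo "audit logging off: set --audit-log-path and --audit-policy-file" >&2
    n=$((n + 1))
  fi
  echo "$n"
}

# Constructed: an old, weakly configured control plane.
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --anonymous-auth=true
    - --authorization-mode=AlwaysAllow
    - --insecure-port=8080
    - --secure-port=6443
EOF

# Constructed: the same manifest hardened.
HARDENED=$(mktemp)
cat > "$HARDENED" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --anonymous-auth=false
    - --authorization-mode=Node,RBAC
    - --secure-port=6443
    - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
    - --audit-log-path=/var/log/kubernetes/audit/audit.log
    - --audit-log-maxage=30
    - --audit-log-maxbackup=10
    - --audit-log-maxsize=100
EOF

echo "weak: $(audit_apiserver "$WEAK" 2>/dev/null) findings"          # 4
echo "hardened: $(audit_apiserver "$HARDENED" 2>/dev/null) findings"  # 0

# On a real control-plane node, audit the live manifest.
LIVE=/etc/kubernetes/manifests/kube-apiserver.yaml
if [ -f "$LIVE" ]; then audit_apiserver "$LIVE"; fi
```

Two practical notes when applying the hardened settings on a kubeadm cluster: the audit policy file and the log directory must also be mounted into the static pod as hostPath volumes, otherwise the API server fails to start after the edit; and after setting --anonymous-auth=false, confirm the static pod's health probes still pass, since they query the API server without credentials.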

10% of exam

Domain 3: System Hardening

Covers host operating system hardening, cloud IAM minimization, network exposure reduction, and kernel-level confinement tools. The domain focuses on reducing attack surface across nodes and workloads using platform and kernel controls.

Task 3.1: Minimize host OS footprint (reduce attack surface)
Removing unnecessary packages, services, ports
Minimal container-optimized OS (Bottlerocket, Flatcar, Google Container-Optimized OS)
Task 3.2: Minimize IAM roles
Cloud provider IAM least-privilege for cluster nodes
IRSA (IAM Roles for Service Accounts) on EKS, Workload Identity on GKE
Task 3.3: Minimize external access to the network
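A worked example for Tasks 3.1 and 3.3, added here and not from the page or any benchmark: it audits a node's listening TCP sockets against an allowlist of the ports a control-plane node is expected to expose, which is how you find the unnecessary services and ports the task asks you to remove. Input is the output of ss -tlnpH; the sample below is constructed, and the allowlist reflects a kubeadm control-plane node (an assumption to adjust per node role).

```shell
#!/bin/sh
# Added example (not from the page or any benchmark): audit a node's listening
# sockets against an allowlist of ports a Kubernetes control-plane node is
# expected to expose. Input is "ss -tlnpH" output (TCP listeners, numeric,
# no header, with process names); the sample below is constructed.

# Prints "port process" for every non-loopback listener whose port is not in
# the allowlist, lowest port first. Loopback-only listeners are skipped because
# they are not reachable from the network.
audit_listeners() {
  awk -v allow=" $2 " '
    $1 == "LISTEN" {
      addr = $4
      n = split(addr, part, ":"); port = part[n]
      host = substr(addr, 1, length(addr) - length(port) - 1)
      if (host == "127.0.0.1" || host == "[::1]" || host == "::1") next
      proc = "?"
      if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
      if (index(allow, " " port " ") == 0) print port, proc
    }' "$1" | sort -n
}

# Constructed sample: sshd, the API server, kubelet and etcd as expected, plus
# rpcbind, an nginx left over from an experiment, and the kubelet read-only
# port 10255 (unauthenticated pod and metrics information; must be disabled).
SS_OUT=$(mktemp)
cat > "$SS_OUT" <<'EOF'
LISTEN 0 4096 127.0.0.1:10248 0.0.0.0:* users:(("kubelet",pid=812,fd=20))
LISTEN 0 4096 127.0.0.1:2379 0.0.0.0:* users:(("etcd",pid=760,fd=8))
LISTEN 0 4096 10.0.0.11:2379 0.0.0.0:* users:(("etcd",pid=760,fd=9))
LISTEN 0 4096 10.0.0.11:2380 0.0.0.0:* users:(("etcd",pid=760,fd=7))
LISTEN 0 4096 *:10250 *:* users:(("kubelet",pid=812,fd=26))
LISTEN 0 4096 *:6443 *:* users:(("kube-apiserver",pid=1303,fd=7))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=700,fd=3))
LISTEN 0 128 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=401,fd=4))
LISTEN 0 4096 0.0.0.0:10255 0.0.0.0:* users:(("kubelet",pid=812,fd=27))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=950,fd=6))
EOF

# Ports a kubeadm control-plane node legitimately exposes: ssh, API server,
# etcd client/peer, kubelet. Scheduler and controller-manager (10259/10257)
# and the kubelet healthz port (10248) listen on loopback only.
CONTROL_PLANE_PORTS="22 6443 2379 2380 10250"

audit_listeners "$SS_OUT" "$CONTROL_PLANE_PORTS"
# 80 nginx
# 111 rpcbind
# 10255 kubelet

# On a real node, capture live output and run the same audit.
if command -v ss >/dev/null 2>&1; then
  LIVE=$(mktemp); ss -tlnpH > "$LIVE" 2>/dev/null || true
  audit_listeners "$LIVE" "$CONTROL_PLANE_PORTS"
fi
# Remediation depends on the finding: readOnlyPort: 0 in the kubelet config
# for 10255, "systemctl disable --now rpcbind" for the service, and removing
# the package (apt purge / dnf remove) rather than only stopping it.
```

Run the audit on worker nodes with a worker allowlist (no 6443, 2379 or 2380), and treat anything listening on 0.0.0.0 or * that you cannot name as a finding: a process you do not recognise on a node is the host-OS footprint the task wants reduced.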

20% of exam

Domain 4: Minimize Microservice Vulnerabilities

Covers workload-level security controls that reduce microservice exposure, including pod security standards, secret management, runtime sandboxes, service mesh encryption, and pod/container security context settings. The domain emphasizes preventing privilege escalation and protecting sensitive data in multi-tenant environments.

Task 4.1: Setup appropriate OS level security domains
Pod Security Standards (Privileged, Baseline, Restricted)
Pod Security Admission (PSA) labels at namespace level
Migration from PodSecurityPolicy (deprecated in v1.21, removed in v1.25) to PSA
Task 4.2: Manage Kubernetes secrets
Secret encryption at rest (--encryption-provider-config pointing at an EncryptionConfiguration with aescbc, aesgcm, secretbox or kms providers)
External secret managers: HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager via ESO (External Secrets Operator)/CSO
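A worked example for Task 4.2, added here and not from the page or the Kubernetes documentation: it generates an EncryptionConfiguration for secrets at rest, checks the key length before the API server gets a chance to refuse it, checks the provider order, and tells an encrypted etcd value from a plaintext one. The config path /etc/kubernetes/enc/enc.yaml and the key name key1 are assumptions; the two etcd values are constructed bytes.

```shell
#!/bin/sh
# Added example (not from the page or the Kubernetes docs): generate an
# EncryptionConfiguration for secrets at rest, check the key and the provider
# order, and recognise an encrypted vs plaintext value as etcd stores it.
# /etc/kubernetes/enc/enc.yaml is an assumed path; nothing here touches a cluster.

# aescbc keys must be 16, 24 or 32 bytes before base64 encoding; 32 = AES-256.
gen_key() { head -c 32 /dev/urandom | base64 | tr -d '\n'; }

# Decoded length of a base64 key, so a short key is caught before rollout.
key_bytes() { printf '%s' "$1" | base64 -d | wc -c | tr -d ' '; }

# Provider order matters: the first provider encrypts new writes, all of them
# are tried on read. identity last keeps not-yet-rewritten plaintext readable;
# identity first would keep writing plaintext while looking "enabled".
encryption_config() {
  cat <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: $1
      - identity: {}
EOF
}

# Provider names in the order they appear in a config file.
provider_order() {
  grep -oE '^[[:space:]]*- (aescbc|aesgcm|secretbox|kms|identity)' "$1" \
    | awk '{print $2}' | tr '\n' ' '
}

# What "etcdctl get /registry/secrets/<ns>/<name>" returns: encrypted values
# start with k8s:enc:<provider>:v1:<keyname>:, plaintext ones with the
# protobuf magic "k8s" followed by a NUL byte.
etcd_value_state() {
  if head -c 8 "$1" | grep -q '^k8s:enc:'; then echo encrypted; else echo plaintext; fi
}

ENC_DIR=$(mktemp -d)
KEY=$(gen_key)
encryption_config "$KEY" > "$ENC_DIR/enc.yaml"
echo "key bytes: $(key_bytes "$KEY")"                      # 32
echo "providers: $(provider_order "$ENC_DIR/enc.yaml")"    # aescbc identity

# Constructed etcd values: one rewritten after encryption was enabled, one not.
printf 'k8s:enc:aescbc:v1:key1:\352\021...' > "$ENC_DIR/encrypted.bin"
printf 'k8s\000\n\014\n\002v1\022\006Secret...' > "$ENC_DIR/plain.bin"
etcd_value_state "$ENC_DIR/encrypted.bin"   # encrypted
etcd_value_state "$ENC_DIR/plain.bin"       # plaintext

# Rollout on a kubeadm control plane (by hand, not run here):
#   1. copy enc.yaml to /etc/kubernetes/enc/ (root-owned, mode 0600);
#   2. add --encryption-provider-config=/etc/kubernetes/enc/enc.yaml to the
#      kube-apiserver static pod and mount /etc/kubernetes/enc as a hostPath;
#   3. once the API server is back, rewrite every existing secret so it is
#      stored encrypted:
#        kubectl get secrets --all-namespaces -o json | kubectl replace -f -
#   4. confirm with etcdctl that values now carry the k8s:enc:aescbc:v1:key1: prefix.
```

Step 3 is the one most often forgotten: enabling the provider only affects writes, so secrets created before the change stay in plaintext in etcd until they are rewritten, which is exactly what the plaintext check above would show on a sampled key.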

20% of exam

Domain 5: Supply Chain Security

Covers securing container images and Kubernetes manifests throughout the software supply chain. Topics include minimizing base image footprint, image signing and verification, static analysis, policy enforcement, and vulnerability scanning in CI/CD.

Task 5.1: Minimize base image footprint
Distroless images, scratch images, Alpine vs Ubuntu base
Multi-stage Docker builds to reduce final image size
Task 5.2: Secure your supply chain: whitelist allowed image registries, sign and validate images
ImagePolicyWebhook admission controller
Cosign for image signing (Sigstore project)
Notary, Connaisseur for image verification
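A worked example for Task 5.2, added here and not from the page, Sigstore or any admission controller: a pre-admission lint for the images in a manifest that enforces the two rules an ImagePolicyWebhook or policy engine would enforce in-cluster, an allowlisted registry and a digest-pinned reference, followed by a guarded cosign verify. The registry names, the deployment manifest and the cosign.pub path are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the page, Sigstore or any admission controller):
# lint the images in a manifest for an allowlisted registry and a digest pin,
# the checks an ImagePolicyWebhook would apply at admission. The registry
# names and the manifest are constructed; cosign is only invoked when present.

# Prints "image: reason" per violation. An image with no registry host
# (no "." or ":" before the first "/", and not "localhost") comes from docker.io.
lint_images() {
  awk -v allowed=" $2 " '
    /^[[:space:]]*(- )?image:/ {
      img = $NF
      q = sprintf("%c", 39)                       # single quote
      gsub("[\"" q "]", "", img)                  # strip YAML quoting
      reg = "docker.io"
      n = index(img, "/")
      if (n > 0) {
        first = substr(img, 1, n - 1)
        if (first ~ /[.:]/ || first == "localhost") reg = first
      }
      if (index(allowed, " " reg " ") == 0)
        print img ": registry " reg " not in allowlist"
      if (img !~ /@sha256:[0-9a-f]+$/)
        print img ": not pinned by digest (tags are mutable)"
    }' "$1"
}

ALLOWED="registry.internal.example ghcr.io"

# Constructed deployment: one image done right, two that should fail CI.
MANIFEST=$(mktemp)
cat > "$MANIFEST" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: payments
spec:
  template:
    spec:
      initContainers:
      - name: migrate
        image: ghcr.io/example-org/migrate:v2
      containers:
      - name: api
        image: "registry.internal.example/payments/api@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
      - name: cache
        image: nginx:1.25
EOF

lint_images "$MANIFEST" "$ALLOWED"
# ghcr.io/example-org/migrate:v2: not pinned by digest (tags are mutable)
# nginx:1.25: registry docker.io not in allowlist
# nginx:1.25: not pinned by digest (tags are mutable)

# Pipeline gate: any violation fails the build.
lint_gate() {
  if [ -n "$(lint_images "$1" "$2")" ]; then echo FAIL; else echo PASS; fi
}
lint_gate "$MANIFEST" "$ALLOWED"   # FAIL

# Signature check with the project's public key (cosign.pub is an assumed
# path). A digest pin plus a verified signature is what "sign and validate
# images" means in practice; the pin alone only proves immutability.
if command -v cosign >/dev/null 2>&1 && [ -f cosign.pub ]; then
  awk '/image:/ {print $NF}' "$MANIFEST" | tr -d '"' | while read -r img; do
    cosign verify --key cosign.pub "$img"
  done
fi
```

The same two rules are what the cluster-side control should enforce: the ImagePolicyWebhook admission controller receives the image references of every pod and can reject unsigned or off-registry images, but a CI lint like this one catches them earlier and with a clearer error for the developer.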

20% of exam

Domain 6: Monitoring, Logging and Runtime Security

Covers runtime detection, threat hunting, forensic investigation, container immutability, and audit logging. The domain emphasizes observing behavior across hosts, containers, workloads, and Kubernetes control plane activity to detect and investigate malicious actions.

Task 6.1: Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities
Falco for runtime threat detection
Tracee, Tetragon (eBPF-based)
Custom Falco rules, default ruleset
Task 6.2: Detect threats within physical infrastructure, apps, networks, data, users and workloads
Cloud Security Posture Management (CSPM) tools
Vulnerability management lifecycle
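A worked example for Task 6.1, added here and not from the page or the Falco project: a custom Falco rule scoped to one namespace, written in Falco's rule syntax and validated when falco is installed, plus a triage function that runs over Falco's JSON output and counts events per rule at or above a chosen priority using only awk (no jq on the node). The namespace payments and every event line are constructed; the rule depends on the spawned_process and container macros from Falco's default ruleset, so it has to be loaded alongside falco_rules.yaml, for instance from /etc/falco/rules.d/.

```shell
#!/bin/sh
# Added example (not from the page or the Falco project): a namespace-scoped
# custom Falco rule plus a triage function over Falco JSON output. The rule
# uses the spawned_process and container macros from the default ruleset, so
# load it next to falco_rules.yaml (e.g. in /etc/falco/rules.d/). The
# namespace "payments" and all events below are constructed.

RULES=$(mktemp)
cat > "$RULES" <<'EOF'
- rule: Shell Spawned in Payments Namespace
  desc: An interactive shell started inside a container of the payments namespace
  condition: >
    spawned_process and container and
    proc.name in (bash, sh, dash, zsh) and
    k8s.ns.name = "payments"
  output: >
    Shell in payments container (user=%user.name command=%proc.cmdline
    container=%container.name pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [container, shell, mitre_execution]
EOF

# Validate the rule file when falco is installed (falco -V <rules_file>).
if command -v falco >/dev/null 2>&1; then falco -V "$RULES" || true; fi

# Counts events per rule whose priority is at least $2 (Falco order:
# Emergency > Alert > Critical > Error > Warning > Notice > Informational >
# Debug), most frequent first. Input: one JSON event per line, as written
# with json_output: true.
falco_triage() {
  awk -v min="$2" '
    BEGIN {
      split("Emergency Alert Critical Error Warning Notice Informational Debug", p, " ")
      for (i in p) rank[p[i]] = i + 0
    }
    {
      if (!match($0, /"priority":"[A-Za-z]+"/)) next
      pr = substr($0, RSTART + 12, RLENGTH - 13)
      if (!match($0, /"rule":"[^"]+"/)) next
      rule = substr($0, RSTART + 8, RLENGTH - 9)
      if (rank[pr] <= rank[min]) count[rule]++
    }
    END { for (r in count) print count[r], r }' "$1" | sort -rn
}

# Constructed events for the rule above and for two default-ruleset rules
# ("Read sensitive file untrusted", "Write below etc"); the last rule name
# is made up to give the sample an Informational event.
EVENTS=$(mktemp)
cat > "$EVENTS" <<'EOF'
{"hostname":"worker-1","output":"10:01:02.100 Warning Shell in payments container (user=root command=bash pod=api-7c9d ns=payments)","priority":"Warning","rule":"Shell Spawned in Payments Namespace","source":"syscall","time":"2024-05-01T10:01:02.100Z"}
{"hostname":"worker-1","output":"10:01:05.412 Notice Sensitive file opened for reading by non-trusted program (user=root command=cat /etc/shadow pod=api-7c9d ns=payments)","priority":"Notice","rule":"Read sensitive file untrusted","source":"syscall","time":"2024-05-01T10:01:05.412Z"}
{"hostname":"worker-1","output":"10:01:09.003 Error File below /etc opened for writing (user=root command=sh -c echo x > /etc/crontab pod=api-7c9d ns=payments)","priority":"Error","rule":"Write below etc","source":"syscall","time":"2024-05-01T10:01:09.003Z"}
{"hostname":"worker-2","output":"10:02:11.771 Warning Shell in payments container (user=app command=sh -i pod=worker-5f1a ns=payments)","priority":"Warning","rule":"Shell Spawned in Payments Namespace","source":"syscall","time":"2024-05-01T10:02:11.771Z"}
{"hostname":"worker-2","output":"10:02:30.000 Informational Pod launched (pod=worker-5f1a ns=payments)","priority":"Informational","rule":"Pod Launched (constructed)","source":"syscall","time":"2024-05-01T10:02:30.000Z"}
EOF

falco_triage "$EVENTS" Warning
# 2 Shell Spawned in Payments Namespace
# 1 Write below etc
```

Reading the sample the way an on-call engineer would: two shells in the same namespace on two nodes within a minute, one of them followed by a read of /etc/shadow and a write under /etc on the first pod, is a single incident rather than three alerts, and the pod names in the output fields are what you pivot on next (kubectl get pod -o wide, then the container's process tree).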

Key Terms to Know

These terms are loaded from the shared terminology pack and appear across the question explanations.

AWS Secrets Manager
An AWS external secret manager used for Kubernetes secret integration.
Anchore Enterprise
A commercial vulnerability scanning tool mentioned for image scanning.
AppArmor
A Linux kernel hardening framework used to apply security profiles to containers.
BoundServiceAccountTokenVolume
A Kubernetes feature that mounts projected, time-bound, audience-scoped service account tokens into pods instead of the legacy non-expiring Secret-based tokens.
CI/CD
Continuous integration and continuous delivery/deployment pipelines, mentioned as the place where scanning and admission webhook checks can be integrated.
CIS Kubernetes Benchmark
A security benchmark used to review and score the security configuration of Kubernetes components.
CNI
Container Network Interface, the plugin framework used by Kubernetes networking components. In the text, Calico, Cilium, and Weave Net are mentioned as CNI plugins that can enforce NetworkPolicy.
CSPM
Cloud Security Posture Management, a class of tools used to detect threats across infrastructure, apps, networks, data, users, and workloads.
CVE
Common Vulnerabilities and Exposures, a vulnerability identifier system used in the text for tracking Kubernetes version security issues.
Clair
A tool used for container image vulnerability scanning.
ClusterRole
A cluster-scoped RBAC role used to grant permissions across the cluster; contrasted in the text with Role.
ClusterRoleBinding
An RBAC binding that attaches a ClusterRole to subjects at cluster scope; contrasted in the text with RoleBinding.
Connaisseur
A tool used for container image verification.
Cosign
A Sigstore project tool used for container image signing.
Distroless images
Container images built with minimal or no operating-system userland to reduce base image footprint.
Falco
A runtime threat detection tool that performs behavioral analytics on syscall, process, and file activity.
GCP Secret Manager
A Google Cloud external secret manager used for Kubernetes secret integration.
Grype
A tool used for container image vulnerability scanning.

Official Materials and Guidance

This page is built from Cloud Native Computing Foundation / Linux Foundation official materials and ExamPal shared release pack, the shared syllabus, topic tree, terminology pack, free pack, and premium pack.

  • CKS Exam Guide
  • CKS LFS Course Outline
  • Guidance: Linux Foundation/CNCF exam page, curriculum, handbook, simulator
  • Domain outline: Cluster Setup 15%; Cluster Hardening 15%; System Hardening 10%; Minimize Microservice Vulnerabilities 20%; Supply Chain Security 20%; Monitoring, Logging and Runtime Security 20%.