Certified Kubernetes Security Specialist (CKS) Upcoming Program Changes

UPDATE: The CKS exam will be updated no earlier than October 10, 2024.

Due to a technical issue identified during our beta testing, our release date of the updated CKS exam is estimated for October 2024. Please note that the updated exam will NOT take place before October 10, 2024. Please bookmark this site and check back regularly for updates.

The CKS exam will be updated after October 10, 2024 at 00:00 UTC as part of our ongoing efforts to ensure that a Certified Kubernetes Security Specialist (CKS) has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime.

What is changing on CKS?

The CKS domains (i.e. Cluster Setup, Cluster Hardening, etc.) will remain unchanged but please review the upcoming changes to competencies (some additions/deletions and updated language which are outlined below each domain heading) and the % weight change in several of the domains. These changes reflect the latest knowledge of Kubernetes and cloud security that a candidate should possess.
Any CKS exam taken after the release of the new exam (including retakes), will test on the new set of Domains and Competencies (see below for updates).

NOTE: It does NOT matter if the exam reservation happens to be for a first attempt or a retake, nor does it matter on what date you completed the exam purchase. The only date that matters is the date you sit for the exam.

A Certified Kubernetes Security Specialist (CKS) will be able to:

Demonstrate expertise in securing container-based applications and Kubernetes platforms
Employ best practices to safeguard against threats across physical infrastructure, applications, networks, data, users, and workloads
Detect potential security breaches, identify phases of attack and malicious actors within the environment, and ensure robust security measures at every stage of operation across the entire development lifecycle

Cluster Setup Domain – 15%

Use Network security policies to restrict cluster level access
Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
Properly set up Ingress with TLS
Protect node metadata and endpoints
Verify platform binaries before deploying

Cluster Hardening Domain – 15%

Use Role Based Access Controls to minimize exposure
Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones
Restrict access to Kubernetes API
Upgrade Kubernetes to avoid vulnerabilities

System Hardening Domain – 10%

Minimize host OS footprint (reduce attack surface)
Using least-privilege identity and access management
Minimize external access to the network
Appropriately use kernel hardening tools such as AppArmor, seccomp

Minimize Microservice Vulnerabilities Domain – 20%

Use appropriate pod security standards
Manage Kubernetes secrets
Understand and implement isolation techniques (multi-tenancy, sandboxed containers, etc.)
Implement Pod-to-Pod encryption using Cilium

Supply Chain Security Domain – 20%

Minimize base image footprint
Understand your supply chain (e.g. SBOM, CI/CD, artifact repositories)
Secure your supply chain (permitted registries, sign and validate artifacts, etc.)
Perform static analysis of user workloads and container images (e.g. Kubesec, KubeLinter)

Monitoring, Logging and Runtime Security Domain – 20%

Perform behavioral analytics to detect malicious activities
Detect threats within physical infrastructure, apps, networks, data, users and workloads
Investigate and identify phases of attack and bad actors within the environment
Ensure immutability of containers at runtime
Use Kubernetes audit logs to monitor access

Certified Kubernetes Security Specialist (CKS) Upcoming Program Changes

UPDATE: The CKS exam will be updated no earlier than October 10, 2024.

What is changing on CKS?

A Certified Kubernetes Security Specialist (CKS) will be able to:

Stay Up to Date