
Certified Kubernetes Security Specialist (CKS) Upcoming Program Changes

The CKS exam will be updated as of September 12, 2024.

The CKS exam will be updated on September 12, 2024 at 00:00 UTC as part of our ongoing efforts to ensure that a Certified Kubernetes Security Specialist (CKS) has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime.

What is changing on CKS? 

  • The CKS domains (i.e. Cluster Setup, Cluster Hardening, etc.) will remain unchanged but please review the upcoming changes to competencies (some additions/deletions and updated language which are outlined below each domain heading) and the % weight change in several of the domains. These changes reflect the latest knowledge of Kubernetes and cloud security that a candidate should possess.
  • Any CKS exam taken after 12:01am UTC on September 12, 2024 (including retakes), will test on the new set of Domains and Competencies (see below for updates).

NOTE: It does NOT matter if the exam reservation happens to be for a first attempt or a retake, nor does it matter on what date you completed the exam purchase.  The only date that matters is the date you sit for the exam. 

A Certified Kubernetes Security Specialist (CKS) will be able to: 

  • Demonstrate expertise in securing container-based applications and Kubernetes platforms
  • Employ best practices to safeguard against threats across physical infrastructure, applications, networks, data, users, and workloads
  • Detect potential security breaches, identify phases of attack and malicious actors within the environment, and ensure robust security measures at every stage of operation across the entire development lifecycle

Cluster Setup Domain – 15%

  • Use Network security policies to restrict cluster level access
  • Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
  • Properly set up Ingress with TLS
  • Protect node metadata and endpoints
  • Verify platform binaries before deploying

Cluster Hardening Domain – 15%

  • Use Role Based Access Controls to minimize exposure
  • Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones
  • Restrict access to Kubernetes API
  • Upgrade Kubernetes to avoid vulnerabilities

System Hardening Domain – 10% 

  • Minimize host OS footprint (reduce attack surface)
  • Using least-privilege identity and access management
  • Minimize external access to the network
  • Appropriately use kernel hardening tools such as AppArmor, seccomp

Minimize Microservice Vulnerabilities Domain – 20%

  • Use appropriate pod security standards
  • Manage Kubernetes secrets
  • Understand and implement isolation techniques (multi-tenancy, sandboxed containers, etc.)
  • Implement Pod-to-Pod encryption using Cilium

Supply Chain Security Domain – 20%

  • Minimize base image footprint
  • Understand your supply chain (e.g. SBOM, CI/CD, artifact repositories)
  • Secure your supply chain (permitted registries, sign and validate artifacts, etc.)
  • Perform static analysis of user workloads and container images (e.g. Kubesec, KubeLinter)

Monitoring, Logging and Runtime Security Domain – 20%

  • Perform behavioral analytics to detect malicious activities
  • Detect threats within physical infrastructure, apps, networks, data, users and workloads
  • Investigate and identify phases of attack and bad actors within the environment
  • Ensure immutability of containers at runtime
  • Use Kubernetes audit logs to monitor access
