Channel: Cloud Training Program

Certified Kubernetes Security Specialist (CKS): Everything You Must Know

Everyone is excited about Kubernetes, and the Cloud Native Computing Foundation (CNCF) has planned to add a new certification, the Certified Kubernetes Security Specialist (CKS), to the growing list of Kubernetes certification programs. This brings the total number of CNCF Kubernetes certifications to 3, the prior ones being the Certified Kubernetes Administrator and the Certified Kubernetes Application Developer. The first tests are expected to roll out and be generally available before November 2020.

In this blog, we discuss in detail the following topics:

What is the Certified Kubernetes Security Specialist Exam?

The Certified Kubernetes Security Specialist (CKS) program will consist of a performance-based certification exam and assures that a CKS has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment, and runtime. This new certification is designed to enable cloud-native professionals to demonstrate security skills to current and potential employers.

Pre-requisites For CKS Exam

To take the CKS exam, you must hold a current CKA certification to demonstrate you possess sufficient Kubernetes expertise. If you want to make sure you are ready for the CKS and have not already achieved the CKA, we encourage you to start today.

Note: Know more about Certified Kubernetes Administrator (CKA)

Who Is This Certification For?

  • All those who are CKA certified and want to upgrade their skills.
  • Candidates having an idea about Kubernetes and containers.
  • Those who are in Cloud architecture and want to learn Security.
  • For candidates who are interested in Security.
  • Engineers who have some experience of Network security.
  • Those who are looking for new career-changing opportunities.
  • Those who are looking to adapt to new technologies.

CKS Certification Benefits

  • A Kubernetes certification makes your resume look good and stand out from the competition. As companies will be relying more and more on Kubernetes, your expertise will be an immediate asset.
  • Passing the CKA and CKS is not an easy task, so companies seeking Kubernetes engineers are willing to pay more, which gives you strong potential for a hike in salary.
  • Companies are looking for certified Kubernetes professionals, as the majority of them are moving their applications towards containers.

Since Kubernetes is quite new in the industry, there is a huge market gap for certified professionals.

CKS Exam Basics

  • Certification Name: Certified Kubernetes Security Specialist
  • Prerequisites: One must hold a current CKA certification
  • Exam Duration: 2 hours

CKS Exam Topics

The CKS exam curriculum includes the following general domains and their weights:

1) Cluster Setup – 10%

  • Use Network security policies to restrict cluster level access
  • Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
  • Properly set up Ingress objects with security control
  • Protect node metadata and endpoints
  • Minimize use of, and access to, GUI elements
  • Verify platform binaries before deploying

2) Cluster Hardening – 15%

  • Restrict access to Kubernetes API
  • Use Role-Based Access Controls to minimize exposure
  • Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones
  • Update Kubernetes frequently

3) System Hardening – 15%

  • Minimize host OS footprint (reduce attack surface)
  • Minimize IAM roles
  • Minimize external access to the network
  • Appropriately use kernel hardening tools such as AppArmor, seccomp

4) Minimize Microservice Vulnerabilities – 20%

  • Set up appropriate OS-level security domains e.g. using PSP, OPA, security contexts
  • Manage Kubernetes secrets
  • Use container runtime sandboxes in multi-tenant environments (e.g. gVisor, Kata Containers)
  • Implement pod to pod encryption by use of mTLS

5) Supply Chain Security – 20%

  • Minimize base image footprint
  • Secure your supply chain: whitelist allowed registries, sign and validate images
  • Use static analysis of user workloads (e.g. Kubernetes resources, Docker files)
  • Scan images for known vulnerabilities

6) Monitoring, Logging and Runtime Security – 20%

  • Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities
  • Detect threats within a physical infrastructure, apps, networks, data, users, and workloads
  • Detect all phases of attack regardless of where it occurs and how it spreads
  • Perform deep analytical investigation and identification of bad actors within the environment
  • Ensure the immutability of containers at runtime.
  • Use Audit Logs to monitor access.

Exam Retake Policy

The Cloud Native Computing Foundation offers one (1) free retake per exam purchase in the event that a passing score is not achieved and the candidate has not otherwise been deemed ineligible for certification or retake.

Next task for you

Begin your journey towards becoming a Certified Kubernetes Security Specialist (CKS) and earning a lot more in 2020 by joining our Free Class Waitlist

The post Certified Kubernetes Security Specialist (CKS): Everything You Must Know appeared first on Cloud Training Program.

