Tips for the CKS: Certified Kubernetes Security Specialist
What should you study to obtain the Kubernetes Security Specialist certification? Here are some tips.
I just accomplished something I've been promising myself for so long: obtaining the CKS (Certified Kubernetes Security Specialist) certification! Although I believed I had the knowledge to pass this exam for a few years, I've been postponing it due to being busy with other commitments. Finally, just before my CKA (Certified Kubernetes Administrator) certification expired, I took the CKS exam last Friday and successfully passed it! Yay!
Exam Format
The Certified Kubernetes Security Specialist exam is hands-on. You will need to complete approximately 16 tasks within two hours. Upon starting your exam, you’ll get access to a couple of Kubernetes clusters where you can perform the requested tasks. There are no theoretical questions or multiple-choice options; you will simply have access to a VM through which you can operate on different Kubernetes clusters.
The exam includes live proctoring; a person will be watching you throughout the two hours, to ensure that you do not communicate with others, have no books or papers nearby, and do not open any applications other than the exam application. They are very strict! The only resource you are allowed to consult is the official Kubernetes documentation, accessible from the exam's VM.
Requirements
The CKA (Certified Kubernetes Administrator) certification is a prerequisite for taking the CKS exam, so you will need to pass the CKA exam first. This requirement makes sense: after all, you cannot properly secure a technology you're not familiar with, and the Certified Kubernetes Administrator exam ensures that you have real experience with it.
The CKA exam format is the same as that of the CKS: you'll be prompted to complete about 16 tasks within two hours as well. In the case of the CKA, the tasks are related to cluster administration (installing, upgrading and troubleshooting Kubernetes components) as well as creating the most common Kubernetes objects, such as Pods, Deployments, DaemonSets, ConfigMaps, Services, Volumes and Volume Claims, Ingress controllers, etc. If you use Kubernetes, these objects should already be familiar to you, as they are commonly used in any Kubernetes workload.
How to Prepare for the CKS Exam
Here are the topics I encourage you to study (and practice!):
Secrets: Practice creating generic secrets in imperative mode and mounting them as a volume within a pod.
Documentation: https://kubernetes.io/docs/concepts/configuration/secret/
Network Policies: Dive into creating network policies to filter and block incoming traffic to a specific pod. Make sure you know how to use Pod Selectors and Namespace Selectors.
Documentation: https://kubernetes.io/docs/concepts/services-networking/network-policies/
Service Accounts: Practice creating Service Accounts without the automatic mounting of the token within the Pod. Learn how to configure a Pod to use a specified Service Account.
Documentation: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
Roles and Role Bindings: Practice creating roles with a variety of permissions, and create the necessary Role Binding object to tie the role to a Service Account or User.
Documentation: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
Image Scanning: Learn how to use Trivy to scan container images and detect known vulnerabilities.
Documentation: https://github.com/aquasecurity/trivy
Container Immutability: Practice setting up a pod with a read-only root file system and blocking privilege escalation.
Documentation: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
Principle of Least Privilege: Practice configuring Pods to run with a low-privileged user. Learn how to spot and disable privileged containers and drop unnecessary kernel capabilities.
Documentation: same as above (Security Context).
AppArmor: Play around with enforcing specific AppArmor profiles and configuring them on a Pod. You might not be asked to develop an AppArmor profile from scratch, but knowing how to enforce and set one up is key.
Documentation: https://kubernetes.io/docs/tutorials/security/apparmor/
Seccomp: Practice applying a seccomp profile stored on the host filesystem to a pod. Much like AppArmor, the task will likely be about configuration rather than creation.
Documentation: https://kubernetes.io/docs/tutorials/security/seccomp/
Admission Controllers: Get familiar with configuring an admission controller (crafting the Admission Configuration object) for something like an Image Policy Webhook, and then sorting out the parameters for its use in the Kube API Server.
Documentation: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
Best Practices for Core Components: Practice configuring the Kube API Server and core components following the recommended secure best practices. For example, enforcing authentication, opting for a secure cipher suite for internal communications, and so on.
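Most of the Pod-level items above (Secrets, Service Accounts, Container Immutability, Least Privilege, AppArmor and Seccomp) end up as fields on one Pod, so it helps to see them together. The manifest below is an added example written for this post; it is not exam material and not taken from the Kubernetes docs. The names (app-sa, app-secret, hardened-app), the AppArmor profile name k8s-app-profile and the seccomp file profiles/audit.json are assumptions, and both profiles must already be loaded on or present on the node.

```yaml
# Added example for this post (not exam material): one ServiceAccount, one Secret
# and one Pod that exercise the Secrets, Service Account, immutability, least
# privilege, AppArmor and seccomp items. All names and profile paths are assumed.
#
# Imperative equivalent for the Secret below:
#   kubectl create secret generic app-secret --from-literal=db-password=example-only
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: default
automountServiceAccountToken: false   # no API token in Pods unless a Pod opts back in
---
apiVersion: v1
kind: Secret
metadata:
  name: app-secret
  namespace: default
type: Opaque
stringData:
  db-password: example-only           # constructed sample value
---
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app
  namespace: default
  annotations:
    # AppArmor: enforce a profile already loaded on the node (assumed name).
    # Key format: container.apparmor.security.beta.kubernetes.io/<container name>.
    # Kubernetes 1.30+ also accepts securityContext.appArmorProfile instead.
    container.apparmor.security.beta.kubernetes.io/app: localhost/k8s-app-profile
spec:
  serviceAccountName: app-sa
  automountServiceAccountToken: false  # Pod-level setting wins over the ServiceAccount's
  securityContext:
    runAsNonRoot: true                 # kubelet refuses to start the container as UID 0
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001                     # makes volume files group-readable by this user
    seccompProfile:
      type: Localhost
      # Relative to the kubelet seccomp root (default /var/lib/kubelet/seccomp), so the
      # file must exist at /var/lib/kubelet/seccomp/profiles/audit.json on the node.
      localhostProfile: profiles/audit.json
  containers:
  - name: app
    image: busybox:1.36
    command: ["sleep", "3600"]
    securityContext:
      privileged: false
      allowPrivilegeEscalation: false  # setuid binaries / file capabilities cannot raise privileges
      readOnlyRootFilesystem: true     # immutable container: writes only go to explicit volumes
      capabilities:
        drop: ["ALL"]                  # start from zero kernel capabilities
    volumeMounts:
    - name: secret-vol
      mountPath: /etc/app/secret       # exposes /etc/app/secret/db-password
      readOnly: true
    - name: tmp
      mountPath: /tmp                  # the one writable location
  volumes:
  - name: secret-vol
    secret:
      secretName: app-secret
      defaultMode: 0440                # 0400 would leave the root-owned file unreadable for UID 10001
  - name: tmp
    emptyDir: {}
```

After applying it, `kubectl exec hardened-app -- id` should report uid 10001, `kubectl exec hardened-app -- touch /x` should fail with a read-only file system error, and `kubectl exec hardened-app -- ls /var/run/secrets/kubernetes.io/serviceaccount` should fail because no token was mounted. The fsGroup line is the detail people miss: without it, a tightly restricted defaultMode on the Secret volume locks the non-root user out of its own credentials.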
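For the Network Policies and Roles and Role Bindings items, here is a second added example (mine, not from the exam or the docs): a default-deny ingress policy for a namespace, an allow rule that combines a namespace selector with a pod selector, and a Role/RoleBinding pair granting a ServiceAccount read access to Pods. The namespace backend, the labels team=web, role=frontend and app=api, the port 8080 and the ServiceAccount monitor-sa are assumptions.

```yaml
# Added example for this post (not exam material). Namespace, labels, port and
# ServiceAccount name are assumed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: backend
spec:
  podSelector: {}                # empty selector = every Pod in the namespace
  policyTypes: ["Ingress"]       # only Ingress is governed; egress stays open
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: backend
spec:
  podSelector:
    matchLabels:
      app: api                   # the Pods being protected
  policyTypes: ["Ingress"]
  ingress:
  - from:
    # namespaceSelector and podSelector in the SAME list element are ANDed:
    # Pods labelled role=frontend inside namespaces labelled team=web.
    # Putting them in two separate "- " elements would OR them and allow
    # every Pod in team=web namespaces plus every role=frontend Pod in backend.
    - namespaceSelector:
        matchLabels:
          team: web
      podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 8080
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: backend
rules:
- apiGroups: [""]                # "" is the core API group (pods live there)
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["pods/log"]        # subresource must be granted separately
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: backend
subjects:
- kind: ServiceAccount
  name: monitor-sa               # assumed to exist in the backend namespace
  namespace: backend
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
# Verify the binding without a Pod:
#   kubectl auth can-i list pods --as=system:serviceaccount:backend:monitor-sa -n backend   # yes
#   kubectl auth can-i delete pods --as=system:serviceaccount:backend:monitor-sa -n backend # no
```

Two things worth checking when you practise: NetworkPolicy only takes effect if the cluster's CNI plugin enforces it (Minikube needs a policy-capable CNI such as Calico or Cilium), and `kubectl auth can-i --as=...` is the fastest way to confirm an RBAC task before moving on.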
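For the last two items (Admission Controllers and Best Practices for Core Components), the following added example (not from the exam or the Kubernetes docs) shows the AdmissionConfiguration for an ImagePolicyWebhook, the kubeconfig it points to, and the kube-apiserver static-pod flags that wire it in together with a few of the hardening settings mentioned above. Every path under /etc/kubernetes/admission/, the webhook hostname and the certificate file names are assumptions; the webhook service itself is not shown.

```yaml
# Added example for this post (not exam material). All paths, the webhook host
# and the certificate files are assumed.
#
# File 1: /etc/kubernetes/admission/admission-config.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: ImagePolicyWebhook
  configuration:
    imagePolicy:
      kubeConfigFile: /etc/kubernetes/admission/imagepolicy-kubeconfig.yaml
      allowTTL: 50          # seconds to cache an "allow" answer
      denyTTL: 50           # seconds to cache a "deny" answer
      retryBackoff: 500     # milliseconds between retries
      defaultAllow: false   # fail closed: deny Pods if the webhook is unreachable
---
# File 2: /etc/kubernetes/admission/imagepolicy-kubeconfig.yaml
# (a normal kubeconfig; the API server is the client, the webhook is the "cluster")
apiVersion: v1
kind: Config
clusters:
- name: image-checker
  cluster:
    certificate-authority: /etc/kubernetes/admission/webhook-ca.crt
    server: https://image-checker.example.internal:8443/check   # assumed endpoint
users:
- name: api-server
  user:
    client-certificate: /etc/kubernetes/admission/apiserver-client.crt
    client-key: /etc/kubernetes/admission/apiserver-client.key
contexts:
- name: image-checker
  context:
    cluster: image-checker
    user: api-server
current-context: image-checker
---
# File 3: /etc/kubernetes/manifests/kube-apiserver.yaml (kubeadm static pod),
# abridged to the lines that change; everything kubeadm generated stays as is.
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    image: registry.k8s.io/kube-apiserver:v1.29.0   # assumed version
    command:
    - kube-apiserver
    - --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook
    - --admission-control-config-file=/etc/kubernetes/admission/admission-config.yaml
    - --authorization-mode=Node,RBAC
    - --anonymous-auth=false          # every request must authenticate
    - --tls-min-version=VersionTLS12
    - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - --profiling=false               # /debug/pprof off
    # ... remaining kubeadm flags (certificates, etcd, service CIDR) unchanged
    volumeMounts:
    - name: admission-config          # the files above must be visible inside the container
      mountPath: /etc/kubernetes/admission
      readOnly: true
  volumes:
  - name: admission-config
    hostPath:
      path: /etc/kubernetes/admission
      type: DirectoryOrCreate
```

Editing the static pod manifest restarts the API server on its own; if `kubectl` stops answering, check `crictl ps -a` and the container logs on the control-plane node for a flag typo or a missing mounted file. Two caveats: with defaultAllow set to false, a broken webhook blocks all Pod creation cluster-wide, which is the safe failure mode but a painful one; and after setting `--anonymous-auth=false`, confirm the static pod's health probes (which call /livez and /readyz without credentials) still pass, otherwise the kubelet will keep restarting the API server.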
Final Tips!
Remember, the CKS is a hands-on exam; you'll need to create and/or configure all those Kubernetes features on real clusters. Therefore, practice as much as you can! I recommend renting a cluster on the cloud or installing Minikube on your local machine.
Time management is crucial; the two hours fly by with 16 tasks to complete. If you're unsure about a particular task, flag it to return to later and move on. Try to complete as many tasks as you can and save for the end those you're less certain about. In my case, I managed to complete 14 out of the 16 tasks before running out of time!
Pay close attention to the cluster context; each task must be completed on a specific cluster. I recommend that, before you even start reading the task, you execute the kubeconfig context-switching command (provided at the beginning of each task).
Be aware that the exam's VM is not user-friendly; it can be quite frustrating to perform tasks while remotely connected to a VM that doesn't display in full screen and where shortcuts don't work properly. Keep in mind that the exam environment won't do you any favors.
Also, the process to launch the exam through the live proctoring application is rather cumbersome. It takes at least 20 minutes to download the app, perform the check-in, scan your room, etc. Therefore, I recommend launching the exam 20 or 30 minutes before your scheduled time.
That's all! I hope you find this guide and the tips helpful for your CKS exam preparation. I wish you the best of luck, and don't hesitate to leave a question here if you have any!