Certified Kubernetes Security Specialist (CKS) exam guide
This post will collect the links to the blog posts that I’m going to write as a preparation guide for CKS. I’m also going to cover other security-related topics that do not necessarily appear in the exam, but that I deem important when we talk about security in containers in general and in Kubernetes in particular.
The new Certified Kubernetes Security Specialist exam (CKS) (curriculum here) was introduced at the end of 2020 at KubeCon NA and completes the Kubernetes certifications offered by the Cloud Native Computing Foundation (CNCF: disclaimer, I’m one of the ambassadors for the foundation), the other two being the Certified Kubernetes Administrator (CKA) and the Certified Kubernetes Application Developer (CKAD). It demonstrates how CNCF and the community around Kubernetes are extremely serious about security (check the security whitepaper made by SIG-Security), and the latest news about hacks like SUPERNOVA only confirms that it’s high time we include a strong security posture from the start of our container supply chains.
The exam attests that those who successfully pass it can think and act appropriately when architecting and implementing a secure container orchestration architecture, and it’s one of the toughest exams I have faced (with the possible exception of LFCS/LFCE). I’m going to start here a series of focused blog posts, each dealing with a specific part of the curriculum, and I’ll try to cover each topic to the best of my knowledge to give you the tools you need to learn and master it to the level necessary to pass the certification. But really, it’s up to you to invest enough time and effort in learning, and to keep learning after getting the certificate: security is a fluid topic and staying up to date is an ever-changing effort.
The exam
The exam lasts 2 hours for 17 questions, each with a different weight ranging from 4% to 14%; it’s completely browser-based and it’s remotely proctored. You are allowed to open one extra tab (I switched to Chrome for the exam, while I use Edge for my daily work, so I can have a clean slate to start) on which you can visit only the domain https://www.kubernetes.io (so you can browse the Kubernetes blog and the docs, but not other sites like https://discuss.kubernetes.io). For some questions involving 3rd-party tools (there are a couple of those) you are allowed to browse other domains like https://falco.org/docs/, but that’s an exception.
Personal take on the exam
I honestly had to take the exam twice (with a free retake); it’s a new exam and there’s not a lot of information out there on how to prepare, so I missed the mark the first time, reviewed the topics I knew I had got wrong and passed it the second time, even though the second time I left out the last question; luckily the last question was a “light” one accounting for only a few percentage points.
I really enjoyed studying for the exam! It forced me both to learn new topics and to revisit what I thought I knew about Kubernetes security, and also to pick up some cool new tools (one above all, Trivy from AquaSecurity). Some really good resources are:
- The exam simulator at killer.sh and the accompanying course on Udemy: this is really a great resource and helped me a ton! Thanks Kim Wuestkamp! He also has a series of blog posts on Medium starting here.
- Various gists and GitHub repositories: this one from Abdennour Toumi, Scott Walkins’ k8s-cks-notes and Ibrahim Jelliti’s (github, blog).
- The just-released LFS260: I just bought it and it looks really good, it’s well written (no videos) and the exercises will keep you busy for a long while.
Exam tips & tricks
It’s crucial to go fast but to maintain focus: here you really need to read the questions carefully and do exactly what the question asks. You can go back and forth through the questions, but make sure you get each one right before you complete the exam; also, make sure you are completing the assignment on the right cluster and node: you start from a client host machine where you have access to various kubeconfig files (usually at the beginning of the question there’s a kubectl config use-context command you can easily copy and paste into the terminal) and, depending on the question, you are required to move to either the control-plane node or one of the worker nodes. You simply get a list of nodes and SSH into the right node (the hostname is the same as the node name); this worked like a charm for me without password authentication.
One more tip: always copy/save the files provided before modifying them directly! Once I messed up a Network Policy so badly I could not make it work again (you gotta ❤ YAML), so I just started over from the original file.
It’s worth adding an alias for kubectl (alias k=kubectl): it will save you precious time and typing (while you’re there, add kg='kubectl get' and kd='kubectl describe'). Going into the exam I thought I needed fancy stuff like krew plugins (I have made a memorable shortcut to install krew: wget bit.ly/installkrew. There are some good plugins for RBAC visualization out there), but in the end I could get through the exam without them.
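Here is an added example of what the two tips above (keep an untouched copy of every file the exam hands you, and alias kubectl) look like as a small fragment you can paste into the exam terminal’s ~/.bashrc. It is not code from the original post: the kg/kd aliases are the ones mentioned above, the two completion lines are the ones documented in the kubectl cheat sheet, and the keep/restore helper functions and their names are this example’s own convention. It assumes bash (the completion lines are skipped under plain sh or when kubectl is not on the PATH).

```shell
# Added example (not from the original post): exam-terminal shell setup.
# Assumes bash; the completion lines below come from the kubectl cheat sheet,
# the keep/restore helpers are this example's own convention.

# Short aliases: "k get pods", "kg pods -A", "kd netpol deny-all".
alias k=kubectl
alias kg='kubectl get'
alias kd='kubectl describe'

# Tab completion for kubectl, extended to the "k" alias. Only wired up when
# kubectl is actually installed and we are running in bash ("complete" is a
# bash builtin, so this block is skipped in plain sh).
if [ -n "$BASH_VERSION" ] && command -v kubectl >/dev/null 2>&1; then
  eval "$(kubectl completion bash)"
  complete -o default -F __start_kubectl k
fi

# keep FILE...: save a pristine copy as FILE.orig before you touch it.
# The copy is made only once, so editing and calling keep again never
# overwrites the original you may need to fall back to.
keep() {
  for f in "$@"; do
    if [ ! -f "$f.orig" ]; then
      cp -- "$f" "$f.orig" || return 1
    fi
  done
}

# restore FILE...: throw away your edits and start over from FILE.orig
# (the "messed-up NetworkPolicy" situation from the post).
restore() {
  for f in "$@"; do
    [ -f "$f.orig" ] || { echo "restore: no $f.orig saved" >&2; return 1; }
    cp -- "$f.orig" "$f" || return 1
  done
}

# Typical use at the start of a question:
#   kubectl config use-context <context-from-the-question>
#   keep netpol.yaml && vim netpol.yaml
#   k apply -f netpol.yaml   # ... and "restore netpol.yaml" if it all goes wrong
```

Note that aliases are only expanded in interactive shells, so keep and restore are written as functions rather than aliases: they work the same from a script as from the prompt.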
That’s it for now! I’m going to write more about the CKS experience, stay tuned! Here’s the index of the articles I published so far: