How to Pass the Certified Kubernetes Security Specialist Exam: Killer Tips and Resources from 3 Engineers
We are three Contino engineers—Jaroslav Pantsjoha, Jagendra Atal Prakash and Sean Rigby—who have all recently taken (and passed! woop!) the Certified Kubernetes Security Specialist (CKS) exam.
In this blog we hope to share our exam prep experience, offer some key tips and resources, and give some insight into your very own exam `ReadinessProbe`.
What Is the Certified Kubernetes Security Specialist Exam?
According to the CNCF, the CKS exam “provides assurance that a CKS has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime.”
With a great number of features that are available in the vanilla standalone Kubernetes versus the managed service offering, you earn a great deal of SecOps brownie points by staying on top of the security posture of your Kubernetes Cluster, whatever the cloud platform.
The Certified Kubernetes Administrator (CKA) certification is a prerequisite for the Certified Kubernetes Security Specialist certification. As you have likely seen throughout the Kubernetes documentation, there is a great amount of implementation detail in every aspect of admission control, advanced policies, and the never-ending custom resource definitions that can be created and managed by third parties.
This certification is yet another great opportunity to validate your skills and knowledge, and it makes security an integral part of the Kubernetes-focused certification track.
Why We Wanted to Get the CKS
Here’s why we each personally decided to get this cert:
Jaroslav: “It was a personal challenge to wrap up the CNCF Kubernetes Certification track, and Containerisation and Service Mesh are my keen area of interest.”
Jagendra: “I have provisioned Kubernetes orchestration solutions in the past, and I wanted to accomplish these certifications to ensure that I am up to date with the latest updates in Kubernetes, including the security aspects.”
Sean: “I have worked with Kubernetes in production and security is a very important aspect from day zero. An added bonus is that it is also nice to have all three Kubernetes certifications.”
Our Exam Experiences
Here’s a summary of our individual experiences of the exam:
“From my point of view, this was a tough-but-fair certification accomplishment.
I have been working in Kubernetes and containerization for around three years, with recent work effort in service mesh implementation. The CKA, being a prerequisite for the CKS exam, provides a great foundational framework to get started with.
This certification not only covers general Kubernetes cluster administration knowledge, but there’s also a certain degree of depth, particularly in self-managed master api-server configuration, that you should be well versed in.
The exam material brings together the security best practices of Dockerfile manifest management as well as static (SAST) and runtime (DAST) vulnerability assessment and prevention. Interestingly, some of the tools featured are developed by teams and vendors outside the immediate Kubernetes configuration ecosystem. This is why this is a great all-rounder of a certification and should seriously be considered by senior professionals working in this space.”
“The CKS exam is a pretty tough one, but with the right practice and preparation, and a cool head, it can become easier. Always keep in mind that there is a free retake included, so no pressure. Since the CKA is a prerequisite for booking the CKS exam, it’s always preferable to go for the CKS just after the CKA.
Time management in the CKS exam is key, so I would suggest skipping questions if you are not sure or stuck: flag them and move on to higher-scoring questions. Also remember to check your context, as there seems to be a defect in the testing platform where the correct context is not switched. So switch the context and then validate its nodes; if the correct nodes appear, it is fine. Also make sure that all resource names are copied and used correctly, as a typo when retyping them creates an issue.”
“It is an open book exam, so you do have access to the official documentation. Learn how to navigate the docs well and search for topics quickly. Most docs give you an example YAML file to use; copy this and avoid writing YAML on your own to save time.
The exam is all hands-on, practical questions. There is an alias already configured on the main jump box, so you can use `k` instead of `kubectl` every time. I believe it is also configured on the nodes as well.
That being said, even if you fail you will learn something and will be improving your core kubectl skills. There were some teething issues with the exam software. The interface felt very buggy, even to the point of the exam time not showing, and the session crashed once.
Overall, to pass the exam you must be confident in using Kubernetes from a command line aspect and understand how core security functionality works. It’s a must for any engineers using Kubernetes day-to-day.”
Exam Preparation Resources
The exam prep proved to be a great validator of existing knowledge, and it was most helpful in highlighting, and closing the gaps in, areas that are not used regularly, such as Pod Security Policies.
Topics You Will Need to Know
The depth and breadth of the exam knowledge is sensible with the following areas covered to a great degree:
- Best Practice Docker Image development and Docker Framework model
- Knowledge of the following particular set of tools (e.g. CIS Kube-bench, Trivy, Sysdig/Falco, AppArmor, Seccomp, OPA/Gatekeeper)
- Extensive API Server familiarity including debugging of issues, in both extension and tuning (Admission control, Audit)
- Knowledge of Linux fundamentals, particularly those relevant to security such as cgroup mapping, is desirable
- A thorough knowledge of Kubernetes Architecture and component interaction (RBAC, NetworkPolicies, PSP, etc.)
I have found the following resources extremely helpful in preparing for the CKS exam:
- Kubernetes Security Best Practices
- Kubernetes Pentest Methodology
- Securing Kubernetes Clusters
- Getting to Grips with Kubernetes RBAC
- Using effective RBAC
- Understanding Pod security policies
- Intro to Falco
- Intro to Seccomp
- Network policies editor
- Secure Your Containers
- CKS exam simulator
- Full CKS Udemy course
- Cluster Security Best Practices
- StackRox study guide
- Awesome CKS notes
- Take care with time keeping
The exam does not have a countdown timer, which would be extremely helpful. There is a time bar, but it's hard to assess where it is at; we’re used to seeing the actual time remaining, after all.
- Watch out for question/exam environment bugs
I wish I could say they were straightforward questions, but be prepared to have an exam window crash, an exam restart and, worse, some questions referring to question components incorrectly named, i.e. “Allow” versus “Ally”; if in doubt, IMO save it with both names.
Container Security Resources
There is a ton of literature on this topic now. And in the managed environment (GKE, AKS, EKS), the cluster is already built, with a good degree of the cluster maintenance delegated to the cloud service provider, as per the operating model.
This largely covers the fundamental best practices for your Kubernetes cluster orchestration, particularly if you are managing such a cluster in-house (🤕 ).
- Admission controllers e.g. ImagePolicyWebhook:
Ensure you are familiar with different types such as PodSecurityPolicy and ImagePolicyWebhook. Implement and understand how they work with the API server and how they can provide added security to the cluster. https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
- Immutable containers: Find ways to make containers immutable using `securityContext` and avoid mutable configuration, such as allowing shell access to a container. Immutable containers are good as we always know their state!
- Network policies: For extra security and more control over the traffic flowing between pods, use Network Policies. By default all pods in a cluster can talk to each other; get more granular and create specific rules to define the traffic flow.
- Pod Security Policies
This enables fine-tuned resource authorisation and could be one of the greatest assets in securing workload runtime.
- gVisor - Kernel Sandbox
This is a kernel sandboxing and abstraction implementation: it intercepts the container’s system calls in user space, helping prevent malicious applications and images from reaching the underlying host machine kernel directly.
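For the immutable containers item above, an added example (not from the post; pod names and images are assumed) showing the loose default shape of a pod next to the same workload locked down through `securityContext`, with a seccomp profile included since it lives in the same block:

```yaml
# BEFORE (constructed example): runs as root, writable root filesystem,
# no seccomp filter, all default capabilities, and a shell available to
# anyone who can `kubectl exec` into it.
apiVersion: v1
kind: Pod
metadata:
  name: web-mutable
spec:
  containers:
  - name: web
    image: nginx:1.25          # assumed image
---
# AFTER: the same workload as an immutable, least-privilege container.
apiVersion: v1
kind: Pod
metadata:
  name: web-immutable
spec:
  securityContext:
    runAsNonRoot: true          # kubelet refuses to start the container as root
    runAsUser: 10001
    runAsGroup: 10001
    seccompProfile:
      type: RuntimeDefault      # container runtime's default syscall filter
  containers:
  - name: web
    # Assumed image: listens on 8080 and writes only under /tmp, so it can
    # run as non-root on a read-only root filesystem. Prefer a shell-less
    # (distroless) base where you can, so `kubectl exec -- sh` has nothing to run.
    image: nginxinc/nginx-unprivileged:1.25
    ports:
    - containerPort: 8080
    securityContext:
      readOnlyRootFilesystem: true     # the image cannot be modified at runtime
      allowPrivilegeEscalation: false  # no setuid binary can gain privileges
      capabilities:
        drop: ["ALL"]
    # A read-only root filesystem breaks anything that needs scratch space;
    # give it an explicit, ephemeral emptyDir instead of loosening the filesystem.
    volumeMounts:
    - name: tmp
      mountPath: /tmp
  volumes:
  - name: tmp
    emptyDir: {}
```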
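For the network policies item above, an added example (not from the post; namespace and labels assumed) that first removes the default any-to-any behaviour with a deny-all policy and then re-admits only the traffic the web pods need, including the DNS egress that a deny-all quietly breaks:

```yaml
# 1. Default deny (ingress and egress) for every pod in the namespace:
#    an empty podSelector matches all pods, and no rules means nothing passes.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop              # assumed namespace
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# 2. Re-open only what the web pods need; policies are additive (a union).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-allow
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: web                 # assumed label on the web pods
  policyTypes: ["Ingress", "Egress"]
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend        # assumed label on the callers
    ports:
    - protocol: TCP
      port: 8080
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: db              # assumed label on the database pods
    ports:
    - protocol: TCP
      port: 5432
  # DNS is easy to forget: once egress is denied, name resolution fails without
  # this rule (add TCP/53 too if needed). Selectors in one entry are ANDed.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
```

NetworkPolicy objects are only enforced by a CNI plugin that implements them; on a cluster without one they are accepted by the API server but have no effect.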
Third Party Tools
Alongside kube-native tooling there are many third-party tools that can help keep various aspects of your cluster secure. The following are mentioned heavily in the CKS criteria.
These are some examples of open-source tools and projects, outside the immediate Kubernetes ecosystem, that are recommended to get hands-on with in order to pass the exam.
- AquaSec open-source kube-bench
https://github.com/aquasecurity/kube-bench Easy to execute against your cluster. Pull the binary down onto the worker (and master) nodes and run it (`kube-bench master` on a control-plane node, `kube-bench node` on a worker) to get your cluster inspection report. This would be a great starting point.
- AquaSec Trivy
https://github.com/aquasecurity/trivy is a very simple image scanning tool.
- AppArmor
https://gitlab.com/apparmor/apparmor/-/wikis/Documentation - Practice loading new profiles and then using them with your pods. AppArmor would be pre-installed in the exam environment.
- Falco
https://falco.org/docs/rules/supported-fields/ - Practice finding all the Falco rules, searching for specific ones, changing their output and capturing specific output.
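For the Falco practice point above, an added example rule file (not from the post and not one of Falco's shipped rules) that fires when a process inside a container reads a credential file; the `output` line is where the exam-style task of changing which fields get reported happens. The macros are defined inline so the file loads on its own, and the file name is assumed.

```yaml
# custom_rules.yaml (assumed file name). Load with:
#   falco -r custom_rules.yaml        (or drop it into /etc/falco/rules.d/)
# Every rule needs a condition (Falco filter syntax), an output (format
# string with %field placeholders) and a priority.

- macro: container
  condition: container.id != host

- macro: open_read
  condition: (evt.type in (open,openat,openat2) and evt.is_open_read=true and fd.typechar='f' and fd.num>=0)

- list: sensitive_files
  items: [/etc/shadow, /etc/sudoers]

- rule: Sensitive file read in container
  desc: A process running inside a container opened a credential file for reading
  condition: >
    open_read and container and fd.name in (sensitive_files)
  # The output is what you tailor for a task: add, drop or reorder %fields.
  # %evt.time, %user.name, %proc.name, %proc.cmdline, %fd.name, %container.id,
  # %container.image.repository, %k8s.pod.name and %k8s.ns.name are standard fields.
  output: >
    Sensitive file opened for reading in container
    (time=%evt.time user=%user.name proc=%proc.name cmdline=%proc.cmdline
    file=%fd.name container_id=%container.id image=%container.image.repository
    pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [container, filesystem, credentials]
```

To capture the alerts to a file while practising, enable `file_output` in falco.yaml (`file_output.enabled: true` with a `file_output.filename`), or pass the same keys with `-o` on the command line.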
Book that Exam
If you’re anything like me, you will probably organise your time schedule to ensure you sit the exam by booking the exam first. Remember that the prerequisite is the CKA certification.
We hope our experience summary and preparation guide helps you achieve your objectives.
And remember, we’re always hiring amazing people who are keen SMEs. If you want to hear more about personal development and get hands-on with some exciting technical challenges, just get in touch with our talent team!