skip to main content

Nov 12, 2020

What is CNCF’s CKS Exam and What is Covered?

By: Michael Foster

What is the Certified Kubernetes Security Specialist (CKS)?

The CKS is the third Kubernetes-based certification backed by the Cloud Native Computing Foundation (CNCF). CKS will join the existing Certified Kubernetes Administrator (CKA) and Certified Kubernetes Application Developer (CKAD) programs. All three certifications are online, proctored, performance-based exams that will require solving multiple Kubernetes security tasks from the command line. With the massive investment into Kubernetes over the last five years, these certifications continue to be highly sought after by many seeking technical knowledge about Kubernetes.

The CKS focuses specifically on Kubernetes’ security-based features such as role-based access control (RBAC) and network policies and utilizing existing Kubernetes functionality to secure your clusters. The exam’s exact details are not currently available; however, the CNCF has stated they will announce the details at KubeCon next week. Based on the previous CKA and CKAD exams, we can make some assumptions about the exam requirements.

How is the CKS Structured?

From the CNCF blog release, we can get a few details about the certification structure. The CNCF states that the exam will be similar to the CKA but will require an active CKA certification to take the exam. Based on the information poster by the Linux Foundation, this test will be:

  • 2 hours long
  • Require a passing score of approximately 74%
  • Contain approximately 20 questions
  • Uses Kubernetes version 1.19
  • Cost $300 USD, with a free retake allowed
  • The certificate is valid for 3 years
  • 12-month exam eligibility

Since you have to pass the CKA to take the CKS, the structure should appear familiar. Since the test is taken using the command line, it can be challenging for individuals to strategize, answer questions, and manage time. The CNCF accounts for this by allowing a free retake within the 12-month eligibility period.

The test will have approximately 20 questions with a total possible score of 100 points spread amongst them. Each problem is assigned a point value, and the problem will fall into a category of the content covered in the exam. On average, you will have 6 minutes to answer each question, and there are no partially correct answers.

What Content is Covered in the Exam?

The CNCF outlines the curriculum for all of their certifications in the CNCF GitHub repository. The exam will test competencies such as:

Cluster Setup (10%)

  • Control the environment’s access, rights, and platform conformity.

This section will include implementing KubernetesNetwork Policies, setting up ingress objects, and protecting the core Kubernetes components, endpoints, and metadata.

Cluster Hardening (15%)

  • Protecting K8s API and utilizing RBAC.

Here, the exam will focus on protecting the Kubernetes API and minimizing access through RBAC controls. These controls include disabling default accounts and minimizing permissions on existing accounts.

System Hardening (15%)

  • Improve the security of OS & Network; restrict access through IAM.

This section focuses on reducing the attack surface of the host. It can include minimizing IAM roles, minimizing external access to the network, or using tools such as seccomp, AppArmor, or ufw.

Minimize Microservices Vulnerabilities (20%)

  • Utilizing Kubernetes’ various mechanisms to isolate, protect, and control workload.

Vulnerability management is an exciting section that will require more clarification from the CNCF. Making up 20% of total exam content means 4-6 questions based on various concepts related to dealing with vulnerabilities will be covered. These concepts include Pod Security Policies, security contexts, Open Policy Agent (OPA) implementation, managing Kubernetes Secrets, working with different container runtimes (Docker, containerd, CRI-O, rkt, etc.), and implementing mTLS between pods.

Supply Chain Security (20%)

  • Container-oriented security, trusted resources, optimized container images, and CVE scanning.

Supply chain security shifts the focus of security left to when developers build container images. Here the focus will be on the use of dynamic admission control and its implementation to allow validated and signed images to launch containers. We may also see some questions about image scanning or relating to image builds, but precisely what they might encompass is currently unclear.

Monitoring, Logging, and Runtime Security (20%)

  • Analyze and detect threats.

Lastly, the final section will focus on visibility into your cluster security issues through audit logs and other tools and minimize unnecessary system calls, privileges, file access, and various threat vectors.

How Can I Learn More?

With the CNCF announcement around the corner, look for more updates about the CKS certification’s release and structure. Over the next couple of months, I will be detailing my CKS study journey with blogs and code examples. The first blog will break down the general announcement from KubeCon next week, outline how to prepare for the exam, and discuss how to set up your Kubernetes cluster. Then, since the course outline contains six sections, each section will have a dedicated blog post with example questions and code snippets.

As I mentioned before, our GitHub repository will allow you to create a Kubernetes version 1.19 cluster in GCP (with AWS and Azure to be documented later). This repository will give you an up-to-date study environment that will help you prepare for the exam. There will also be sub-folders that will deploy example applications with solvable problems that coincide with the different exam sections. If you would like to see some specific concepts or have any questions, please open an issue in the repo, and I will do my best to incorporate them into the study guide.