Jaroslav Pantsjoha

How to Pass the Certified Kubernetes Security Specialist Exam: Killer Tips and Resources from 3 Engineers

We are three Contino engineers—Jaroslav Pantsjoha, Jagendra Atal Prakash and Sean Rigby—who have all recently taken (and passed! woop!) the Certified Kubernetes Security Specialist (CKS) exam.

In this blog we hope to share our exam prep experience, offer some key tips and resources as well as offer some insights on your very own exam `ReadinessProbe`.

What Is the Certified Kubernetes Security Specialist Exam?

According to the CNCF, the CKS Exam “provides assurance that a CKS has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime.”

With a great number of features that are available in the vanilla standalone Kubernetes versus the managed service offering, you earn a great deal of SecOps brownie points by staying on top of the security posture of your Kubernetes Cluster, whatever the cloud platform.

The Certified Kubernetes Administrator certification is a prerequisite for the Certified Kubernetes Security Certification. As you likely have seen through the Kubernetes documentation, there is a great amount of implementation detail in every aspect of admission control, advanced policies, and never-ending custom resource definitions, which can be created and managed by third parties.

This certification is yet another great opportunity to validate your skills and knowledge, and it makes security an integral part of the Kubernetes-focused certification track.

Why We Wanted to Get the CKS

Here’s why we each personally decided to get this cert:

Jaroslav: “It was a personal challenge to wrap up the CNCF Kubernetes Certification track, and Containerisation and Service Mesh are my keen area of interest.”

Jagendra: “I have provisioned Kubernetes orchestration solutions in the past, I wanted to accomplish these certifications, to ensure that I am up to date with the latest updates in Kubernetes including the security aspects.”

Sean: “I have worked with Kubernetes in production and security is a very important aspect from day zero. An added bonus is that it is also nice to have all three Kubernetes certifications.”

Our Exam Experiences

Here’s a summary of our individual experiences of the exam:

Jaroslav:

“From my point of view, this was a tough-but-fair certification accomplishment.

I have been working in Kubernetes and containerization for around three years, with recent work effort in service mesh implementation. The CKA, being a pre-requisite for the CKS exam, provides a great foundational framework to get started with.

This certification not only covers general kubernetes cluster administration knowledge, but there’s also a certain degree of depth particularly in self-managed master api-server configuration you should be well versed in.

The exam material brings together the security best practices of the Dockerfile manifest management as well as static (SAST), and runtime (DAST) vulnerability assessment and prevention. Interestingly, some of the tools featured are developed by teams and vendors outside the immediate kubernetes configuration ecosystem. This is why this is a great all rounder of a certification and should seriously be considered for senior professionals working in this space.”

Jagendra:

“The CKS exam is a pretty tough one, but with the right practice, preparation and a cool head it can become easier. Always keep in mind that there is a free retake included, so no pressure. Since CKA is a pre-requisite for the CKS exam booking, it’s always preferable to go for CKS just after CKA.

Time management in the CKS exam is the key, so I would suggest skipping questions if you are not sure or stuck, then flagging them and moving to higher-scoring questions. Also remember to check your context, as there seems to be a defect in the testing platform where the correct context is not switching. So switch the context and then validate its nodes; if the correct nodes appear, it is fine. Also make sure that all resource names are copied and used correctly, because if typing misses something it creates an issue.”

Sean:

“It is an open book exam so you do have access to official documentation. Learn how to navigate the docs well and search for topics quickly. Most docs give you an example yaml file to use, copy this and avoid writing yaml on your own to save time.

The exam is all hands-on, practical questions. There is an alias already configured for the main jump box, so you can use `k` instead of `kubectl` every time. I believe it is also configured on the nodes as well.

That being said, even if you fail you will learn something and will be improving your core kubectl skills. There were some teething issues with the exam software. The interface felt very buggy, even to the point of the exam time not showing, and the session crashed once.

Overall, to pass the exam you must be confident in using Kubernetes from a command line aspect and understand how core security functionality works. It’s a must for any engineers using Kubernetes day-to-day.”

Exam Preparation Resources

We found the exam prep to be a great validator of existing knowledge. It also highlighted areas that are not used regularly, such as Pod Security Policies, where it was most helpful to clarify things and fill in the gaps.

Topics You Will Need to Know

The depth and breadth of the exam knowledge is sensible with the following areas covered to a great degree:

  • Best Practice Docker Image development and Docker Framework model
  • Knowledge of the following particular set of tools (e.g. CIS Kube-bench, Trivy, Sysdig/Falco, AppArmor, Seccomp, OPA/Gatekeeper)
  • Extensive API Server familiarity including debugging of issues, in both extension and tuning (Admission control, Audit)
  • Knowledge of Linux fundamentals, particularly those relevant to security such as cgroup mapping, is desired
  • A thorough knowledge of Kubernetes Architecture and component interaction (RBAC, NetworkPolicies, PSP, etc.)

Learning Resources

I have found the following resources extremely helpful preparing for the CKS exam:

General Tips

  • Take care with time keeping
    The exam does not have a countdown timer, which would be extremely helpful. There is a time bar, but it's hard to assess where it is at; we’re used to seeing the actual time remaining, after all.

  • Watch out for question/exam environment bugs
    I wish I could say the questions were straightforward, but be prepared to have an exam window crash, the exam restarted and, worse, some questions referring to question components that are incorrectly named, i.e. “Allow” versus “Ally”. If in doubt, IMO save it with both names.

Container Security Resources

There is tons of literature on this topic now. And in the managed environment (GKE, AKS, EKS), the cluster is already built, with a good degree of the cluster maintenance delegated to the Cloud Service Provider, as per the Operating Model.

This largely covers the fundamental best practices for your kubernetes cluster orchestration, particularly if you are managing such a cluster in-house (🤕 ).

Kube-native tooling

  • Admission controllers e.g. ImagePolicyWebhook:
    Ensure you are familiar with different types such as PodSecurityPolicy and ImagePolicyWebhook. Implement and understand how they work with the API server and how they can provide added security to the cluster. https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/

  • Immutable containers: Find ways to make containers immutable using `securityContext`, and avoid mutable configuration such as allowing shell access to a container. Immutable containers are good as we always know the state!

  • Network policies: For extra security and more control over traffic flowing between pods, use Network Policies. By default all pods in a cluster can talk to each other. Get more granular and create specific rules to define traffic flow.
    https://kubernetes.io/docs/concepts/services-networking/network-policies/

  • PodSecurity Policies
    This enables fine-tuned resource authorisation. This could be one of the greatest assets in secure workload runtime.
    https://kubernetes.io/docs/concepts/policy/pod-security-policy/

  • gVisor - Kernel Sandbox
    This is a kernel sandboxing and abstraction implementation, helping prevent malicious applications and images from overloading the underlying Host machine Kernel.
    https://github.com/google/gvisor
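
The immutable-container and network-policy items above, written out as manifests. This is an added example, not part of the original post: the namespace `demo`, the labels, the image name and port 8080 are assumptions, and the image is assumed to define a non-root user and to write only to `/tmp`.

```yaml
# Constructed example: namespace, labels, image and port are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: demo
  labels: {app: web}
spec:
  automountServiceAccountToken: false     # no API token unless the app needs one
  containers:
  - name: web
    image: registry.example.com/web:1.0   # placeholder image
    securityContext:
      readOnlyRootFilesystem: true        # image contents cannot change at runtime
      allowPrivilegeEscalation: false
      runAsNonRoot: true                  # pod is rejected if the image runs as root
      capabilities: {drop: ["ALL"]}
    volumeMounts:
    - {name: tmp, mountPath: /tmp}        # the only writable path, lost on restart
  volumes:
  - {name: tmp, emptyDir: {}}
---
# Deny all ingress and egress for every pod in the namespace...
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: default-deny, namespace: demo}
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# ...then allow only frontend pods to reach web on TCP 8080.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: allow-frontend-to-web, namespace: demo}
spec:
  podSelector:
    matchLabels: {app: web}
  policyTypes: [Ingress]
  ingress:
  - from:
    - podSelector:
        matchLabels: {app: frontend}
    ports:
    - {protocol: TCP, port: 8080}
```

Because `default-deny` also blocks egress, the frontend pods need a matching egress rule (and one for DNS) before traffic flows. The policies only take effect when the cluster's network plugin enforces NetworkPolicy.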

Third Party Tools

Alongside kube-native tooling there are many third party provider tools that can help keep various aspects of your cluster secure. The following are mentioned heavily in the CKS criteria.

These are some examples of open source tools and projects, outside the immediate kubernetes ecosystem that are recommended to get hands-on with in order to successfully pass the exam.

  • AquaSec OpenSource Kube-Bench
    https://github.com/aquasecurity/kube-bench
    Easy to execute against your cluster. Pull down binaries on worker (and master) nodes and run the binary kube-bench worker|master to get your cluster inspection report. This would be a great starting point.

  • Aquasec/trivy
    https://github.com/aquasecurity/trivy
    A very simple image scanning tool.

  • AppArmor
    https://gitlab.com/apparmor/apparmor/-/wikis/Documentation
    Practice loading new profiles and then using them with your pods. AppArmor would be pre-installed.

  • Falco
    https://falco.org/docs/rules/supported-fields/
    Practice finding all Falco rules, searching for specific ones, changing their output and capturing specific output.
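
For the Falco practice item, a local rule whose output line is built from the supported fields. This is an added example, not from the original post: the rule and list names are hypothetical, and it assumes Falco's default ruleset is loaded first so that the `spawned_process` and `container` macros are defined.

```yaml
# /etc/falco/falco_rules.local.yaml  (constructed example)
# Assumption: the default rules file is loaded before this one, so the
# macros `spawned_process` and `container` already exist.

- list: demo_shell_binaries            # hypothetical list name
  items: [bash, sh, zsh, ash, dash]

- rule: Demo shell in container        # hypothetical rule name
  desc: A shell process was started inside a container
  condition: >
    spawned_process and container
    and proc.name in (demo_shell_binaries)
  # Each %field below comes from the supported-fields reference; changing
  # this string is how the format of the alert line is changed.
  output: >
    shell_in_container time=%evt.time user=%user.name
    container=%container.name image=%container.image.repository
    pod=%k8s.pod.name ns=%k8s.ns.name cmdline=%proc.cmdline
  priority: WARNING
  tags: [container, shell]
```

Reload or restart Falco so the file is picked up, then look for the `shell_in_container` prefix in Falco's output to capture just these events.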

Book that Exam

If you’re anything like me, you will probably organise your time schedule to ensure you sit the exam, by booking the exam first. Remember that the CKA certification is a pre-requisite.

We hope our experience summary and preparation guide helps you achieve your objectives.

And remember we’re always hiring amazing people who are keen SMEs. If you want to hear more on personal development and get hands-on some exciting technical challenges, just get in touch with our talent team!
