Certified Kubernetes Security Specialist (CKS) Exams – 2022

A curated collection of exercises to help prepare for the Certified Kubernetes Security Specialist.

GCP K8 Setup before attempting practice questions

Hands-on practice of CKS Labs

Kubernetes Admin knowledge

Think from a hacker's perspective

Note – 1 : Prior knowledge of CKA is required before enrollment.

Note – 2 : These “exam-style” questions are not exactly like the real exam, nor are they exam dumps, so don’t expect them to be.

Section – 1:

There are no practice questions in the first section. This section is designed to help students with the installation of gcp-k8s-cluster and cluster-setup.

Section – 2:

Test your knowledge of Trivy, RBAC & Service Accounts, AppArmor, Secrets & Pod, Seccomp profiles, RuntimeClass, and kube-bench.

Section – 3:

Test your knowledge of Audit, Falco, ImagePolicyWebhooks, Pod Security Policy, Network Policy (Deny), Network Policy (Restrict pod), and Dockerfile security issues.

You must cover the curriculum below before attempting the CKS exam:

10% – Cluster Setup

  1. Use Network security policies to restrict cluster level access
  2. Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
  3. Properly set up Ingress objects with security control
  4. Protect node metadata and endpoints
  5. Minimize use of, and access to, GUI elements
  6. Verify platform binaries before deploying

15% – Cluster Hardening

  1. Restrict access to Kubernetes API
  2. Use Role Based Access Controls to minimize exposure
    • handy site collects together articles, tools and the official documentation all in one place
  3. Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones
  4. Update Kubernetes frequently
  5. Minimize host OS footprint (reduce attack surface)
  6. Minimize IAM roles
  7. Minimize external access to the network
  8. Appropriately use kernel hardening tools such as AppArmor, seccomp

15% – System Hardening

  1. Minimize host OS footprint (reduce attack surface)
  2. Minimize IAM roles
  3. Minimize external access to the network
  4. Appropriately use kernel hardening tools such as AppArmor, seccomp (where is SELinux? Assume exam systems are Ubuntu)

20% – Minimize Microservice Vulnerabilities

  1. Set up appropriate OS level security domains e.g. using PSP, OPA, security contexts
  2. Manage Kubernetes secrets
  3. Use container runtime sandboxes in multi-tenant environments (e.g. gVisor, Kata Containers)
  4. Implement pod to pod encryption by use of mTLS

20% – Supply Chain Security

  1. Minimize base image footprint
  2. Secure your supply chain: whitelist allowed image registries, sign and validate images
  3. Use static analysis of user workloads (e.g. kubernetes resources, docker files)
  4. Scan images for known vulnerabilities

20% – Monitoring, Logging and Runtime Security

  1. Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities
  2. Detect threats within physical infrastructure, apps, networks, data, users and workloads
  3. Detect all phases of attack regardless of where it occurs and how it spreads
  4. Perform deep analytical investigation and identification of bad actors within the environment
  5. Ensure immutability of containers at runtime
  6. Use Audit Logs to monitor access
