Container technologies have come a long way and are here to stay thanks to Kubernetes. Containerized applications allowed organizations to reshape the way they serve software. Software infrastructures are now much cheaper to maintain due to fewer resources being used. Operation is also more consistent and stable.
However, with the rapid growth in software innovation, there’s also an increase in cyber-attacks. This makes organizations focus more and more on cyber security. Demand for cyber security professionals is increasing at a fast pace. But there aren't nearly enough people with the required skills.
To combat this concern, The Cloud Native Computing Foundation (CNCF) got to work. In collaboration with The Linux Foundation, they created the Certified Kubernetes Security Specialist (CKS) program. The aim is to train more people to become security professionals. And organizations can finally find the qualified people they need.
What is CKS?
The Certified Kubernetes Security Specialist (CKS) is a performance-based certification exam. Individuals are tested on their knowledge of securing cloud infrastructures and Kubernetes clusters.
Those who pass the exam get a certificate that proves they have certain skills. It shows companies that they are able to protect Kubernetes clusters against cyber attacks. This includes the ability to protect containers running in those clusters.
The exam consists of practical tests. For each test, a problem is presented and the examinees have to come up with a solution. They have to run the correct commands to solve that problem. There are usually around 15-20 of these practical exercises.
The exam duration is around 2 hours. To pass the exam, you need to obtain a score of at least 67%.
The CKS is a proctored exam. Through a webcam, the proctor monitors people that take the exam. They observe the examinee's behavior to prevent them from cheating.
The CKS certification, once obtained, is valid for two years. Only those who hold an active Certified Kubernetes Administrator (CKA) certificate are allowed to purchase and take the exam. Otherwise said, CKS depends on CKA.
The CKS Curriculum
The curriculum for the CKS exam focuses heavily on testing skills in securing a Kubernetes cluster while identifying vulnerabilities as early as possible. It also covers security management at the operating system level and the containers running inside the Kubernetes cluster.
Knowing what knowledge/topics they test can help you prepare for the exam. Expect to be tested, measured, and scored through the following categories:
Cluster Setup 10%
- Primarily involves the ability to configure network security policies that enforce pod access levels and restrictions.
- Tests the ability to utilize the CIS benchmark tool that scans the Kubernetes cluster and provides a list of recommended configurations for different components of the cluster.
- Tests the ability to configure the ingress component to apply different URL settings and securely route traffic to services within the Kubernetes cluster.
- Tests the ability to verify the authenticity of downloaded binaries of Kubernetes packages before installing and deploying them to your infrastructure.
- The ability to protect node metadata and endpoints.
Cluster Hardening 15%
- Configure levels of restrictions to the Kubernetes API.
- Tests the ability to manage Role Based Access Controls (RBAC) to limit access of different users within the cluster.
- Tests the ability to manage service accounts and the awareness of namespaced access with just the proper permissions.
- The ability to perform version upgrades for the components and the cluster itself.
System Hardening 15%
- Tests the ability to apply the Least Privilege Principle to users at the Operating System Level to minimize attack entries.
- Manage Identity and Access Management (IAM).
- Tests the ability to manage firewalls and identify network port activities.
- Tests knowledge using tools like AppArmor and seccomp and its integration to the Kubernetes cluster.
Minimize Microservice Vulnerabilities 20%
- Set up appropriate OS-level security domains, e.g., using PSP, OPA, security contexts.
- Tests the ability to manage different types of Kubernetes secrets and configure them into pods.
- Tests the ability to use container runtime sandboxes like gvisor and kata containers for improved container isolation and security.
- Implement pod-to-pod communication security using encryption like SSL and mTLS.
Supply Chain Security 20%
- Tests the knowledge of building containers that are small, efficient, and have fewer components (to reduce attack surface).
- Manage restrictions in image registries, whether public or private. Cryptographically sign container images. Verify signatures to ensure image authenticity before deployment.
- Tests knowledge using tools like kubesec that scans and scores images based on security and performance.
- Tests knowledge in vulnerability scanning tools for container images like Trivy.
Monitoring, Logging, and Runtime Security 20%
- Tests the ability to identify potentially malicious activities in syscall processes.
- Detect threats within a physical infrastructure, apps, networks, data, users, and workloads
- Tests the knowledge in detecting all possible attack phases and areas to stop their spread.
- Perform deep analytical investigation and identification of bad actors within the environment.
- Ensure immutability of containers at runtime by limiting read/write access to root filesystems.
- Tests the knowledge in enabling audit logs in the cluster and using them.
Is CKS for Me?
The main focus of CKS is cyber-security, which is somewhat of a complex subject on its own. It is no surprise that CKS is considered one of the most challenging compared to other Kubernetes certifications. There is also the requirement that individuals will need to pass the CKA exam first before they are allowed to take CKS.
If you're already someone that uses Kubernetes daily, take the time to learn the security aspects of it. Security is more essential than ever since most software infrastructures are now in the cloud. This will give you the necessary training to secure your current infrastructure from devastating cyber-attacks.
Another reason to go for CKS is that it opens the doors for better career opportunities. The 10th Annual Open Source Jobs Report by the Linux Foundation reported that more organizations are more likely to hire individuals with some level of cyber-security skills.
Individuals who pass the exam are highly regarded in the job market. The effort to obtain it is nothing to scoff at. As all things that are hard to get are valuable, it is definitely worth all the trouble, given the benefits and rewards you get towards the end.
How Much Is the CKS Exam?
As of August 2022, the cost for the CKS online exam is USD 395. Quite steep, I know. However, CNCF does offer discounts from time to time. One way you can get significant discounts is if you attend KubeCon events that happen regularly. You can also subscribe to the Linux Foundation's newsletter and receive updates about discount coupons that you can use to further bring down the overall exam cost.
How can I prepare for the CKS Exam?
The good news is that even though the CKS exam is the most challenging, you can easily pass it by choosing the right learning resources.
KodeKloud has the best course to help you pass the Certified Kubernetes Security Specialist (CKS). It is always aligned with the current curriculum set by the Linux Foundation. Did I mention that KodeKloud is a Linux Foundation-certified Kubernetes training partner?
The best things about this course is that:
- It's easy to understand.
- It lets you practice the skills you learn, in hands-on lab exercises.
Practice will help you learn much faster, and remember what you studied. Even if you have a full-time job, you can invest between 30 minutes and 2 hours per day. And you'll see significant progress every day.
So start your CKS journey today by checking our course: Certified Kubernetes Security Specialist (CKS).
Tips for the CKS Exam
Are you scheduled to take the CKS exam soon? In that case, let me share with you some tips based on first-hand experience.
#1 Tip: Get familiar with the exam environment
The CNCF made extensive updates to the exam environment last June 2022. You can check out this blog or video for full details and comparison. You must get to know all these changes as they may become the difference between passing and failing the exam.
#2 Tip: Take your time
Understandably, we want to learn things faster. However, taking the time to digest each vital topic as you go through the course is also beneficial. As the saying goes, slow and steady wins the race.
#3 Tip: Practice what you've learned. Take the KodeKloud CKS Challenge
Practicing makes it easier to memorize and absorb what you've learned. I recommend taking the CKS Challenge. It contains a series close to complex real-world challenges that will boost your confidence and prepare you for the Certified Kubernetes Security Specialist Certification. Practice makes perfect, and enough of it will greatly help you with the exam.
The boost in credibility that CKS adds to an individual's profile is quite substantial. Employers will notice it on your CV. The 10th Open Source Jobs Report ranked cybersecurity skills in the Top 3, next to Cloud and Container skills and DevOps, including all its variants. This means there is an increased demand for cybersecurity professionals with knowledge and competency.
Getting CKS certified makes an individual stand out like a shining diamond. As most people often stop after receiving CKAD or CKA. The benefits it brings definitely outweigh the challenging journey it comes with.
If you are new to Kubernetes and interested in learning this fantastic technology, here's a Kubernetes learning path you can follow. Go from a beginner to a Certified Kubernetes expert in no time.
Good luck with the exam!