The 2025 CNCF Annual Cloud Native Survey found that 66% of organizations hosting generative AI models now run their inference on Kubernetes, and that 82% of container users run Kubernetes in production. That single shift changes what a Kubernetes security credential means in practice. The clusters you are asked to defend are no longer just web apps and stateful services. They now run model servers, vector databases, and agent frameworks on expensive GPU fleets, and attackers have already moved to exploit them (CNCF, 2026).
Highlights
- The CKS curriculum has not added an AI domain, and that surprises people.
- Kubernetes has become the default runtime for production AI.
- The highest weight domains map almost perfectly to AI risk
- GPU nodes are now a primary target, and the controls are pure CKS.
- Model files behave as executable code, so the supply chain rules apply directly.
- A 2026 program change now rewards finishing the certification track.
- The exam stays offline and proctored, so AI assistants are off limits.
Why Kubernetes Security Is Now AI Security
For most of its history, Kubernetes security was a conversation about web services, databases, and internal tooling. That framing is now out of date. The 2025 CNCF Annual Cloud Native Survey describes Kubernetes as the operating system for AI, with 66% of organizations running generative AI relying on it for some or all of their inference workloads. The workloads moved, and the attack surface moved with them.
A modern cluster running AI looks different from a traditional one. It schedules GPU accelerated pods that pull large model files from a registry. It runs inference servers that hold sustained high privilege access to hardware. It connects agent frameworks to tools, data stores, and external APIs. Security teams now have to reason about model artifacts, vector stores, and serialized weights alongside the usual containers and services.
Here is the part that matters for your career. The controls that defend these workloads are not new. They are network policies, role based access control, admission policy, image signing, and runtime detection, which is the precise toolkit the CKS exam measures. The credential did not chase AI. AI moved onto the platform the credential already covers.
What AI Actually Changes, and What It Does Not
Before mapping anything, it helps to separate hype from the exam reality, because the honest answer protects you from wasting study time.
What stays the same: the CKS curriculum
The CKS exam tests six domains, and their structure has not changed since the October 2024 program update (Linux Foundation). No domain mentions AI, machine learning, or LLMs. There is no prompt injection task, no model poisoning scenario, and no question about securing a vector database by name. If you walk into the exam expecting AI specific content, you will be studying the wrong material.
| Domain | Weight | Core focus |
|---|---|---|
| Cluster Setup | 15% | Network policies, CIS benchmark review, TLS ingress, node metadata, binary verification |
| Cluster Hardening | 15% | RBAC, service account hygiene, restricting API access, version upgrades |
| System Hardening | 10% | Host OS footprint, least privilege IAM, kernel hardening with AppArmor and seccomp |
| Minimize Microservice Vulnerabilities | 20% | Pod Security Standards, secrets management, container isolation, mTLS |
| Supply Chain Security | 20% | SBOM, image signing, allowed registries, static analysis, vulnerability scanning |
| Monitoring, Logging, and Runtime Security | 20% | Behavioral analytics, Falco, audit logs, immutability, attack investigation |
What changes: the stakes and the scenarios
The exam content is stable, but the world the content describes is not. Each control now defends a workload that is more valuable to an attacker and more damaging when compromised. A misconfigured network policy used to expose an internal API. Today it can expose an inference endpoint that holds proprietary model behavior. An over permissive service account used to allow lateral movement. Now it can hand an attacker a fleet of GPUs.
Sysdig's threat research documented a clear run of incidents that prove the point (Sysdig, 2026). A LangFlow server remote code execution flaw allowed unauthenticated takeover of an AI pipeline in July 2025. An NVIDIA container escape in the same month allowed container to host movement on GPU hosts. The ShadowRay 2.0 campaign in November 2025 turned an exposed inference server into cloud malware. None of these required a novel security primitive to defend against. They required the primitives done correctly.
The 2026 CKS Exam at a Glance
The logistics are worth confirming before you book, because several details changed recently.
| Attribute | Detail |
|---|---|
| Format | Online, proctored, performance based, run from a live terminal |
| Duration | Two hours |
| Tasks | Roughly 15 to 20 hands on tasks, each with a posted weight |
| Passing score | 67% |
| Cost | 445 USD, including one free retake and practice simulator sessions |
| Kubernetes version | Aligned to v1.34 as of the October 2025 update |
| Prerequisite | You must have passed the CKA, though it no longer has to be active |
| Validity | Two years |
Two changes stand out for 2026. First, the prerequisite softened. You still need to have passed the CKA, but an expired CKA now satisfies the requirement (CNCF). Second, the CARE program now links your credentials. Passing or recertifying the CKS reinstates or extends your CKA and renews your KCSA automatically, so you maintain fewer separate renewal windows (CNCF, 2026).
Mapping CKS Domains to AI Workload Security
This is where the exam earns its relevance. Walk each domain and you find an AI scenario waiting on the other side.
Cluster Setup and Cluster Hardening
Network isolation is the first control AI workloads need and the first thing the exam checks. A default deny posture stops a compromised inference pod from reaching the rest of your cluster or calling out to an attacker controlled endpoint. The pattern you practice for the exam is the pattern you ship to production.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: ml-serving
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-dns-egress
namespace: ml-serving
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- namespaceSelector: {}
ports:
- protocol: UDP
port: 53
- protocol: TCP
port: 53RBAC carries the same dual purpose. The exam wants least privilege roles and disciplined service accounts. AI pipelines need exactly that, with a separate identity for each stage so that a compromised model server cannot touch training data or trigger a deployment. Disabling token automount on workloads that never call the API server closes an easy escalation path.
apiVersion: v1
kind: ServiceAccount
metadata:
name: model-server
namespace: ml-serving
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: model-server
namespace: ml-serving
rules:
- apiGroups: [""]
resources: ["configmaps", "secrets"]
verbs: ["get"]
resourceNames: ["serving-config", "model-registry-credentials"]Reviewing component configuration with kube-bench rounds out this area. The CIS Kubernetes Benchmark is the same audit standard whether the node runs a web frontend or a Triton inference server.
kube-bench run --targets master,nodeSystem Hardening
Kernel level restriction is the domain people underestimate, and it is the one that contains GPU node compromise. An inference container rarely needs a broad syscall surface, so an AppArmor or seccomp profile that blocks unexpected behavior limits what a foothold can do. Least privilege IAM on the node matters too, because an inference server that can read cloud instance credentials becomes a path into the wider account.
The cryptojacking angle makes this concrete. Attackers want your GPU fleet because A100 and H100 nodes are ideal mining hardware, and the high utilization that AI inference already produces lets a miner hide in plain sight. Reducing the host footprint and restricting syscalls is how you make that foothold useless.
Minimize Microservice Vulnerabilities
Pod Security Standards are high yield on the exam and high value in production. Enforcing the restricted profile through namespace labels stops privileged pods, host mounts, and root execution, which are the conditions a container escape needs. You apply the same control to a model server.
apiVersion: v1
kind: Namespace
metadata:
name: ml-serving
labels:
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/enforce-version: latestThe workload itself should drop everything it does not need. A read only root filesystem and a dropped capability set turn a model server into a hard target without changing its function.
securityContext:
runAsNonRoot: true
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
seccompProfile:
type: RuntimeDefaultSecrets management belongs here too. Model registry credentials and inference API keys are exactly the secrets the exam expects you to handle correctly, and exactly the ones an attacker wants.
Supply Chain Security
This domain captures the AI specific threat that practitioners most often miss. A model file is not passive data. Common serialized formats can execute code at load time, which means an untrusted model is an untrusted binary. The Keras supply chain vulnerability in November 2025 showed how a poisoned ML dependency reaches production through normal pipelines (Sysdig, 2026).
The defenses are the supply chain controls the exam measures. Scan images for known vulnerabilities and fail on the severities you care about.
trivy image --severity CRITICAL,HIGH registry.internal/ml/model-server:1.4.2Enforce that only signed artifacts from approved registries can run, using an admission policy engine. The exam tests this idea through admission control, and the same policy keeps an unsigned or unknown model image out of your serving namespace.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: verify-model-images
spec:
validationFailureAction: Enforce
rules:
- name: check-signature
match:
any:
- resources:
kinds: ["Pod"]
verifyImages:
- imageReferences:
- "registry.internal/ml/*"
attestors:
- count: 1
entries:
- keys:
publicKeys: |
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQ...
-----END PUBLIC KEY-----Pinning images and model files by digest rather than tag removes the mutable reference an attacker would target. Static analysis tools that inspect manifests for risky settings complete the build time picture.
Monitoring, Logging, and Runtime Security
Runtime detection is where every other control gets verified at execution time. Falco watches syscalls and flags behavior that should never happen inside an inference pod, such as a spawned shell, an unexpected outbound connection, or a process loading a file in a way that suggests unsafe deserialization.
- rule: Shell spawned in model serving pod
desc: Detect an interactive shell started inside an inference container
condition: >
spawned_process and container and proc.name in (bash, sh, zsh)
and k8s.ns.name = "ml-serving"
output: >
Shell in inference pod (pod=%k8s.pod.name container=%container.name cmd=%proc.cmdline)
priority: WARNINGWhen something does fire, the exam expects you to investigate. The container runtime interface tools let you inspect a suspicious workload directly on the node, which is the same first move a responder makes against an exploited inference server.
crictl ps
crictl inspect <container-id>
crictl logs <container-id>Audit logging captures the API server side of the story, so you can reconstruct who did what when a service account is abused. Behavioral analytics, immutability, and audit policy are listed competencies, and they read like a runbook for the ShadowRay class of attack.
The New Threat Class You Should Understand
You do not need to memorize incident names for the exam, but understanding them sharpens your sense of why each control exists. The pattern across recent AI infrastructure attacks is consistent. Entry comes through a supply chain weakness or an exposed service, and escalation runs through over privileged runtimes or misconfigured data stores.
| Incident | Date | Entry point | CKS domain that defends it |
|---|---|---|---|
| LangFlow server RCE | July 2025 | Unauthenticated AI pipeline takeover | Microservice Vulnerabilities, Cluster Setup |
| NVIDIA container escape | July 2025 | Container to host movement on GPU nodes | System Hardening, Microservice Vulnerabilities |
| ShadowRay 2.0 | November 2025 | Exposed inference server turned into malware | Runtime Security, Cluster Setup |
| Keras supply chain flaw | November 2025 | Poisoned ML dependency | Supply Chain Security |
| Trusted agent runs malware | January 2026 | Compromised AI agent | Cluster Hardening, Runtime Security |
Read down the right hand column and you have rebuilt the high weight half of the exam from real incidents.
AI on Both Sides of the Fence
AI changes the attacker toolkit, not just the target. Reports now describe automated reconnaissance and malware that mutates to evade static detection, along with attacks timed to autoscaling windows when new pods spawn quickly. The defensive answer is not a magic tool. It is policy enforcement that blocks unknown images and behavior before they reach the cluster, paired with runtime detection that catches what slips through. Those are CKS controls.
One practical note for exam day. The CKS environment is offline and proctored, and only the official Kubernetes documentation and a small set of approved tool docs are permitted (CNCF). You cannot bring an AI assistant into the exam, so the muscle memory you build during practice is what carries you through the time limit.
A Realistic Study Plan
This plan assumes you have passed the CKA and have working Kubernetes experience. Allocate your hours to match domain weight, and spend most of your time in a cluster rather than reading.
Weeks 1 to 2: cluster and node controls. Build network policies until default deny with selective allow rules is automatic. Practice RBAC design and verify it with kubectl auth can-i. Run kube-bench against a cluster, read the report, and fix the failures. Apply AppArmor and seccomp profiles and confirm they block what you expect.
Weeks 3 to 4: workloads and supply chain. Enforce Pod Security Standards through namespace labels and write secure pod specs from memory. Scan images with a vulnerability scanner and act on the results. Stand up an admission policy that rejects unsigned or unapproved images. Practice managing secrets and configuring mTLS between services.
Week 5: runtime and integration. Install and configure runtime detection, generate events, and read the alerts. Set up audit logging end to end and investigate a simulated incident with runtime tooling. Combine multiple controls in a single scenario, because real exam tasks rarely stay inside one topic.
Week 6: timed rehearsal. Run the practice simulator sessions included with your exam registration under real conditions, and read the CIS Kubernetes Benchmark once so you understand what your audit tools are checking. Build and break your own lab cluster, then fix it against the clock. Refer only to the official documentation so you train the lookups you are allowed to use.
Exam Day Tips
Set your aliases the moment the clock starts, because every saved keystroke compounds over two hours.
alias k=kubectl
export do="--dry-run=client -o yaml"
export now="--grace-period=0 --force"Read each task for its namespace, node, and cluster context, and run the provided context switch command before you touch anything. Work in three passes. Take quick wins first, then the heavier tasks, then a final validation sweep. Trust partial credit and never leave a task blank, since a reasonable attempt often scores. Avoid rebooting the base node, and if a task stalls past five to seven minutes with no progress, move on and return later.
Conclusion
The CKS exam did not add an AI module, and it did not need to. AI moved onto Kubernetes, and the controls that secure AI workloads are the same network policies, RBAC, admission enforcement, supply chain integrity, and runtime detection the exam has always measured. What changed is the cost of getting them wrong, because the workloads behind those controls now include valuable models and expensive GPU fleets that attackers actively pursue.
Your next steps are direct. Confirm your CKA status, knowing the prerequisite now accepts an expired CKA and that the CARE program will extend it when you pass the CKS. Build a lab cluster, weight your study toward the three high value domains, and practice every control by hand until the commands are reflexive. Treat each domain as a defense against a real AI infrastructure attack rather than an abstract checkbox, and you will pass the exam while building skills the market is paying for right now.
FAQS
Q1: Do I need an active CKA certification to take the CKS exam in 2026?
You must have passed the Certified Kubernetes Administrator exam at some point, but it no longer needs to be currently active. The CNCF updated the prerequisite so that an expired CKA still satisfies the requirement, which removes a common blocker for people returning to the certification track. The 2026 CARE program goes further. When you pass or recertify the CKS, your CKA is reinstated or extended automatically to match your new CKS expiration date, so you stop juggling two renewal windows. If you have not passed the CKA yet, build that foundation first, because the CKS assumes fluent cluster administration. A structured option for that base is the CKA Certification Learning Path, which covers the administration skills the security exam builds on.
Q2: Does the CKS exam test AI or LLM security topics directly?
No. The exam has six domains, and none of them reference artificial intelligence, machine learning, large language models, prompt injection, or model files. The curriculum has been stable since the October 2024 update, so anyone promising AI specific exam questions is misreading the syllabus. The reason AI matters to the credential is different. Kubernetes now runs the majority of production AI inference, which means the network policies, RBAC, admission control, supply chain, and runtime detection the exam measures are the exact controls that defend AI workloads. You study standard Kubernetes security and apply it to higher stakes targets. That distinction protects your preparation time and keeps your expectations accurate.
Q3: Which tools should I be comfortable with for the CKS exam?
Plan to use a focused set of tools fluently from the command line. The core list includes kube-bench for CIS benchmark auditing, Trivy for image vulnerability scanning, AppArmor and seccomp for kernel level restriction, an admission policy engine such as OPA Gatekeeper or Kyverno, NetworkPolicy manifests for a default deny posture, and Falco for runtime detection. You also need Pod Security Admission, RBAC, secrets handling, and audit logging at your fingertips. The exam rewards speed, so the goal is to apply and verify each tool without searching the documentation mid task. Hands on repetition in a real cluster is the only reliable way to build that recall, and the CKS Certification Learning Path provides browser based labs and mock exams that let you practice these tools against scenarios that mirror the real format.
Q4: How is the CKS different from the KCSA certification?
The two sit at opposite ends of the difficulty range. The Kubernetes and Cloud Native Security Associate is a multiple choice, knowledge based exam aimed at foundational understanding of cluster security concepts and compliance. The Certified Kubernetes Security Specialist is an advanced, performance based exam where you fix and harden live clusters under a two hour time limit, and it requires a passed CKA as a prerequisite. KCSA is a good entry point if you are early in your security journey, while CKS proves you can implement controls under pressure. Under the CARE program the two now connect, because passing or recertifying the CKS renews your KCSA automatically. If your goal is a senior security or platform role, the CKS is the credential that carries weight with employers.
Q5: How long does it take to prepare for the CKS if I already hold a CKA?
Most CKA holders need roughly four to eight weeks of focused study, depending on how much security and tooling experience they bring. If you already work with Falco, Trivy, admission policies, and AppArmor in production, the lower end is realistic. If those tools are new, plan for eight to ten weeks and spend the extra time in a lab. The difficulty comes from breadth and precision, since a single wrong annotation or misspelled rule condition can cost full credit on a task. Weight your schedule toward Supply Chain Security, Minimize Microservice Vulnerabilities, and Runtime Security, which together make up 60% of the exam. A guided path such as the CKS Certification Learning Path helps you sequence the domains and rehearse in timed conditions before exam day.
Q6: Can I use AI assistants or external notes during the CKS exam?
No. The CKS is a proctored exam delivered through a secured browser, with a live proctor monitoring your webcam and screen. You are limited to a single browser tab pointed at the official Kubernetes documentation and a small set of approved tool docs, and you cannot use personal notes, copy from external sources, or call an AI assistant. This is why practiced command recall matters so much. The time pressure leaves no room to look up basic syntax, so your preparation has to make the common operations automatic. Treat every practice session as if those restrictions are in place, and the real exam will feel familiar rather than constraining.
Discussion