How to pass the Certified Kubernetes Security Specialist exam with a flying score?

I just completed my CKS certification a few days ago (also my Kubernetes Trifecta), and while the knowledge of this exam is still fresh, I’m going to share my point of view on the hardest Kubernetes exam - Certified Kubernetes Security Specialist. If you’re preparing for this certification, or you want to get some insights before deciding to pursue it, this article is for you!

I also published exam reviews for CKA & CKAD, check them out if you haven’t:

What to know about the Certified Kubernetes Security Specialist exam?

The Certified Kubernetes Security Specialist (CKS) program provides assurance that a CKS has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment, and runtime.

If you’re a Kubernetes Administrator and you want to deep dive into the security subject, or you are interested in Kubernetes and want to gain more knowledge, this one is for you. But before we start, there are some things I want to highlight about the exam and the certification.

  • You need to pass and hold an active CKA certification to seat for this exam (unlike KCNA, CKA, or CKAD, this exam requires a prior certification).
  • The passing score is 67/100 instead of 66/100 like CKAD, and CKA.
  • The certificate is valid for 2 years instead of 3 years like CKA, and CKAD (security needs to be updated more frequently).
  • This is an online, proctored, and performance-based exam (you will take the exam via PSI Secure Browser). Candidate needs to solve 15-20 questions in 2 hours.
  • The current version of Kubernetes in the exam is v1.25.
  • The cost for this exam is 395$ (including 1 free retake), Cyber Monday or Black Friday is a good time to buy the exam.

Before you go further, make sure you read these resources from the Linux Foundation for a better understanding of this exam:

How to prepare for the exam?

You already passed the CKA exam before coming here, but I still want to reemphasize again that “PRACTICE” is the key, CKS exam is challenging in both difficulty and time constraints, and without effortless practice in the lab/mock exam, it will be really HARD to solve all questions in limited time.

I used the following resources to prepare for my CKS exam:

  1. Certified Kubernetes Security Specialist (CKS) by Mumshad Mannambeth, Vijin Palazhi (KodeKloud).
  2. Kubernetes official documents.

You can start by going through the Mumshad CKS course first and practice with the labs along the way, all necessary knowledge required for the exam will be covered in this course. After finishing the course (which takes me around 4 weeks), you can start with the mock exams (there are 3 mock exams offered by KodeKloud), and repeat them a few times. And finally, if you want to have more practice, try some free practices on the internet (GitHub, etc…). CKS challenge from KodeKloud could be a good option: CKS - Challenges  - KodeKloud

Exam readiness checklist.

Before seating for the CKS exam, let’s verify your knowledge with the below checklists:

You’re comfortable with the CKS exam curriculum:

  • Cluster Setup
  • Cluster Hardening
  • System Hardening
  • Minimize Microservice Vulnerabilities
  • Supply Chain Security
  • Monitoring, Logging, and Runtime Security

You can solve any KodeKloud mock exams in less than 25 mins with a grade of 100%.

You’re well-familiar with below sample tasks (I just listed some major items):

  • Enable a custom Admission Controller for a Kubernetes cluster (ex: ImagePolicyWebhook).
  • Configure an Audit Policy against your Kubernetes cluster.
  • Load an AppArmor profile and apply it in a pod/deployment.
  • Load a Seccomp profile and use it in the pod definition.
  • Customize Falco logs and configurations.
  • Scan images with Aqua Trivy.

If all answers are YES, you are ready to seat for the CKS exam. To schedule the exam, follow the below steps:


Access the Linux Foundation training portal, select the CKS exam, then click the Schedule button.


Confirm your region, and timezone and find a proper exam slot in the PSI portal.

What to expect on the exam date?

You can start the exam 30" before the scheduled slot, the exam will start with the self-check-in process first. You will be asked you capture your ID and face, then wait for the proctor. In my case, I only have to wait for my proctor for 5 mins but depending on the availability of proctors at this time, you may have to wait longer (up to 20-30 mins).

Proctor will walk you through some exam policies and review your environment setup before releasing your CKS exam.

You will have 120 mins to solve around 15-20 long & complex questions, as this is CKS, you should not expect any questions that you can solve with just a single kubectl command. Each question normally has 2-3 tasks, and each task required 2-3 different steps to achieve the final goal.

Some tips for your CKS exam:

  • Being well in time management, don’t spend too much time on any question, and take the advantage of question flag.
  • Back up the kube-apiserver or other major components YAML file before making a change, you may need it in case you messed up something.
  • Other tips are already covered in the CKA exam.

Being certified.

Results will be emailed 24 hours from the time that the exam is completed. Normally the email from credly.com will come first (the signal of passing). You can check your final score in the Linux Foundation learning portal and also get your certificate in PDF format as well.

Thanks for reading my post, if you have any questions about the CKS exam or you want to share your exam result with me, feel free to comment.

Happy learning, Trung.

Hi My name is Percy Jetty
Trying to practice 148 practice test , on Mumshad’s CKS course tutorial.
Docker commands are not working to see the logs on Kube-apiserver. Can you please help me.
Do I need to adjust the lab environment to root or anything else.
I am on root , it says
Please help me . Thank you .

Hello @percyjetty,

docker command will not be available in CKS lab or in the real exam, please use “crictl” instead.
For an example:
crictl ps -a | grep api

Thanks,
Trung.

Does the Firefox browser provided in the Remote Desktop exam environment come with pre-configured bookmarks to the main resources that are allowed (such as the Kubernetes Docs, Falco, Trivy, AppArmor, etc.)? Does one need to remember the URLs?

Hi @Pranay-Singhal,
Your all answer are available here -

Regards,

No, it won’t come with pre-configured bookmarks.