My CKS Exam Experience and Some Killer Tips and Stuff

"Don't focus on building internal walls to protect the fortress; secure the gates first!" - Security Guy


I have cleared the Kubernetes Security Specialist (CKS) exam from the Linux Foundation / CNCF with 84%. I am now a two-time certificate holder from the Linux Foundation (CKA and CKS).

In this blog, I'm recapping how my exam went and the study process I followed, so it can help you achieve these certifications with ease.

Personal Input on the Exam

I honestly had to take the exam twice (with a free retake); it's a new exam and there's not a lot of information out there on how to prepare, so I missed the mark on the first attempt (24%), reviewed the topics I knew I had wrong, and passed it on the second attempt. Even on the second attempt I left out one question; luckily that one was a "light" one, accounting for only a few percentage points.

TL;DR - The exam is tough. If at first you don't succeed, just keep trying until that day!


What Is the Certified Kubernetes Security Specialist Exam?

The CKS certification, as the name suggests, is focused on security. It deals with nearly all aspects of security within the context of a Kubernetes environment. That means securing not only the Kubernetes cluster itself but also the applications running within the cluster.

CKS covers everything from secure cluster configuration to vulnerability scanning to runtime monitoring. This certification takes a layered approach to security, so you’ll need to learn how to secure many components of Kubernetes applications and environments.

According to the CNCF, the CKS exam

“provides assurance that a CKS has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime.”

Vanilla standalone Kubernetes exposes a great number of features that a managed service offering does not, so you earn a great deal of SecOps brownie points by staying on top of the security posture of your Kubernetes cluster, whatever the cloud platform.

Know Exam Basics First

  • Certification Name: Certified Kubernetes Security Specialist
  • Prerequisites: One must hold a current CKA certification
  • Exam Duration: 2 hours
  • Software Version: Kubernetes v1.21 (changes as per new releases)
  • Number of Questions: Around 17 questions (changes as per candidate)
  • Passing score: 67% or higher to earn the certification
  • Exam Cost: $300 for the Linux Foundation CKS exam (discounts are often offered during festive seasons)

CKS Syllabus


Important Topics - A question from each of these topics is guaranteed!

  • Admission Controllers, e.g. ImagePolicyWebhook. Ensure you are familiar with the different types, such as PodSecurityPolicy and NamespaceLifecycle. Implement them and understand how they work with the API server and how they add security to the cluster.

  • Immutable Containers: make containers immutable using the security context and avoid mutable configuration, such as allowing shell access to a container. Immutable containers are good because we always know their state!

  • Network Policies: for extra security and more control over the traffic flowing between pods, use Network Policies. By default all pods in a cluster can talk to each other; get more granular and create specific rules to define the traffic flow.

  • Pod Security Policies: these enable fine-tuned resource authorisation and could be one of the greatest assets in securing workload runtime.

  • RuntimeClass - gVisor (kernel sandbox): a kernel sandboxing and abstraction implementation, helping prevent malicious applications and images from overloading the underlying host machine kernel.

  • AquaSec kube-bench: easy to execute against your cluster. Pull down the binaries on the worker (and master) nodes and run kube-bench on each to get your cluster inspection report. This is a significant starting point.

  • AquaSec Trivy: a very simple container image scanning tool.

  • AppArmor: practice loading new profiles and then using them with your pods. AppArmor will be pre-installed.

  • Falco: practice finding all Falco rules, searching for specific ones, changing their output and capturing specific output.

  • Tracee: a runtime security and forensics tool for Linux. It uses Linux eBPF technology to trace your system and applications at runtime, and analyses the collected events to detect suspicious behavioural patterns.
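The Admission Controllers, Immutable Containers, Pod Security Policies, RuntimeClass and AppArmor bullets above all come down to the same exam skill: looking at a Pod spec and spotting what an admission webhook or PSP would reject. The block below is an added example, not code from the post or from any Kubernetes component: it runs those checks in plain Python over a dict shaped like the Pod object inside an AdmissionReview request, so it needs no cluster. The trusted registry, the `gvisor` RuntimeClass name and the two sample Pods are assumptions constructed for the example.

```python
# Added example (not from the post): validating-admission-style checks over a Pod,
# written as plain Python so they can run without a cluster. The Pod is a dict shaped
# like the JSON object the API server sends inside an AdmissionReview request.
# Hypothetical policy values for this example:
TRUSTED_REGISTRIES = ("registry.example.internal/",)  # ImagePolicyWebhook-style allow list
SANDBOX_RUNTIME_CLASS = "gvisor"                       # RuntimeClass backed by gVisor (runsc)
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"  # per-container annotation


def _containers(pod):
    spec = pod.get("spec", {})
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))


def check_images(pod):
    """ImagePolicyWebhook-style check: trusted registry, pinned by tag or digest, never :latest."""
    problems = []
    for c in _containers(pod):
        image = c.get("image", "")
        if not image.startswith(TRUSTED_REGISTRIES):
            problems.append(f"{c['name']}: image {image!r} is not from a trusted registry")
        last = image.rsplit("/", 1)[-1]
        if "@sha256:" not in image and (":" not in last or last.endswith(":latest")):
            problems.append(f"{c['name']}: image {image!r} is untagged or uses :latest")
    return problems


def check_immutability(pod):
    """Immutable-container / PSP-style checks derived from the securityContext fields."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    problems = []
    if spec.get("hostPID") or spec.get("hostNetwork"):
        problems.append("pod shares the host PID or network namespace")
    for c in _containers(pod):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            problems.append(f"{c['name']}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):  # defaults to true when unset
            problems.append(f"{c['name']}: allowPrivilegeEscalation is not false")
        if not sc.get("readOnlyRootFilesystem"):
            problems.append(f"{c['name']}: root filesystem is writable")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            problems.append(f"{c['name']}: runAsNonRoot is not set")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            problems.append(f"{c['name']}: capabilities are not dropped (drop: [ALL])")
    return problems


def check_sandbox(pod):
    """RuntimeClass and AppArmor checks: gVisor sandbox plus a confining profile per container."""
    problems = []
    if pod.get("spec", {}).get("runtimeClassName") != SANDBOX_RUNTIME_CLASS:
        problems.append(f"pod does not set runtimeClassName: {SANDBOX_RUNTIME_CLASS}")
    annotations = pod.get("metadata", {}).get("annotations", {})
    for c in _containers(pod):
        if annotations.get(APPARMOR_PREFIX + c["name"]) in (None, "unconfined"):
            problems.append(f"{c['name']}: no AppArmor profile (or unconfined)")
    return problems


def review(pod):
    """Shape of a validating webhook's verdict: allowed only when every check passes."""
    violations = check_images(pod) + check_immutability(pod) + check_sandbox(pod)
    return {"allowed": not violations, "violations": violations}


# Constructed sample Pods: a typical "it works" manifest and its hardened counterpart.
WEAK_POD = {
    "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "web", "image": "nginx:latest"}]},
}
HARDENED_POD = {
    "metadata": {"name": "web",
                 "annotations": {APPARMOR_PREFIX + "web": "runtime/default"}},
    "spec": {
        "runtimeClassName": SANDBOX_RUNTIME_CLASS,
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "web",
            "image": "registry.example.internal/web@sha256:" + "0" * 64,  # placeholder digest
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        verdict = review(pod)
        print(pod["metadata"]["name"], "allowed" if verdict["allowed"] else "denied")
        for v in verdict["violations"]:
            print("  -", v)
```

Running it denies `WEAK_POD` with eight findings and admits `HARDENED_POD`; in the exam the same eight items are what you patch into a manifest with `kubectl edit` or a `securityContext` block, and the annotation key is the pre-1.30 AppArmor form that matches the v1.21 exam version.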
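The Network Policies bullet hinges on one rule that is easy to get backwards under time pressure: a pod is wide open until some NetworkPolicy selects it, and from then on only explicitly allowed peers get in. The evaluator below is an added example (not from the post, and not a CNI implementation) that applies exactly that ingress logic to dict-shaped policies, with a default-deny policy and a single allow rule constructed for the example; `ipBlock`, ports and egress are deliberately left out.

```python
# Added example (not from the post): a small evaluator for the NetworkPolicy ingress
# semantics described above, run over dict-shaped policies so it needs no cluster.
# Assumptions: pods are dicts {name, namespace, labels}; only ingress rules with
# podSelector / namespaceSelector peers are modelled (no ipBlock, no ports, no egress).


def _match(selector, labels):
    """matchLabels semantics: an empty selector ({}) matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _peer_matches(entry, src, policy_ns, ns_labels):
    """One element of a rule's `from` list. podSelector and namespaceSelector in the
    same element are AND-ed; a podSelector alone only reaches the policy's own namespace."""
    pod_sel, ns_sel = entry.get("podSelector"), entry.get("namespaceSelector")
    if pod_sel is None and ns_sel is None:
        return False
    if ns_sel is not None:
        if not _match(ns_sel, ns_labels.get(src["namespace"], {})):
            return False
    elif src["namespace"] != policy_ns:
        return False
    return pod_sel is None or _match(pod_sel, src["labels"])


def ingress_allowed(src, dst, policies, ns_labels):
    """True if traffic from src pod to dst pod is admitted by the given policies.
    A pod selected by no ingress policy is non-isolated and accepts everything (the
    Kubernetes default); once any policy selects it, some rule must explicitly allow src."""
    isolated = False
    for pol in policies:
        if pol["metadata"]["namespace"] != dst["namespace"]:
            continue  # a NetworkPolicy only selects pods in its own namespace
        spec = pol["spec"]
        if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
            continue
        if not _match(spec.get("podSelector", {}), dst["labels"]):
            continue
        isolated = True
        for rule in spec.get("ingress", []):
            if "from" not in rule:  # a rule with no `from` allows all sources
                return True
            if any(_peer_matches(e, src, dst["namespace"], ns_labels) for e in rule["from"]):
                return True
    return not isolated


# Constructed sample cluster: three pods in "prod", one look-alike pod in "dev".
NS_LABELS = {"prod": {"env": "prod"}, "dev": {"env": "dev"}}
FRONTEND = {"name": "frontend", "namespace": "prod", "labels": {"app": "frontend"}}
BACKEND = {"name": "backend", "namespace": "prod", "labels": {"app": "backend"}}
DB = {"name": "db", "namespace": "prod", "labels": {"app": "db"}}
DEV_FRONTEND = {"name": "frontend", "namespace": "dev", "labels": {"app": "frontend"}}

# Step 1: isolate every pod in prod (default-deny ingress).
DEFAULT_DENY = {
    "metadata": {"name": "default-deny-ingress", "namespace": "prod"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}
# Step 2: punch a hole so only frontend pods in prod may reach backend.
ALLOW_FRONTEND_TO_BACKEND = {
    "metadata": {"name": "allow-frontend", "namespace": "prod"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "backend"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}]}],
    },
}
POLICIES = [DEFAULT_DENY, ALLOW_FRONTEND_TO_BACKEND]


def reachability(policies):
    """Matrix of who can reach whom under the given policies, for a quick eyeball check."""
    pods = [FRONTEND, BACKEND, DB, DEV_FRONTEND]
    return {(s["namespace"] + "/" + s["name"], d["namespace"] + "/" + d["name"]):
            ingress_allowed(s, d, policies, NS_LABELS)
            for s in pods for d in pods if s is not d}


if __name__ == "__main__":
    for (s, d), ok in sorted(reachability(POLICIES).items()):
        print(f"{s:14} -> {d:14} {'ALLOW' if ok else 'DENY'}")
```

Two results are worth checking by hand: the `dev` frontend is refused even though its labels match, because a bare `podSelector` in `from` never crosses namespaces, and the `dev` pod itself still accepts everything, because no policy lives in that namespace.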
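The Falco bullet asks for three things: find the rule, narrow the output to it, and capture it in a specific format. The block below is an added example (not from the post, and not Falco's own code) that does that over Falco's JSON event stream: it parses the lines, filters by priority and rule name, and re-renders each event from its `output_fields` using the same `%field` templating a rule's `output:` line uses. The sample lines are constructed for the example, not captured from a cluster.

```python
# Added example (not from the post, and not Falco's own code): parse Falco's JSON event
# output, keep only events at or above a priority for a given rule, and re-render them
# in a custom format the way a rule's `output:` line templates %fields. The sample lines
# below are constructed for this example, not captured from a real cluster.
import json
import re

# Falco priorities from most to least severe.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Informational", "Debug"]

SAMPLE_OUTPUT = """\
Falco version 0.28.1 (constructed banner line, not JSON)
{"output":"13:01:02.000 Notice A shell was spawned in a container","priority":"Notice","rule":"Terminal shell in container","time":"2021-05-10T13:01:02.000Z","output_fields":{"container.id":"3f1c2a9d","container.image.repository":"nginx","proc.cmdline":"bash","user.name":"root"}}
{"output":"13:01:05.000 Error File below /etc opened for writing","priority":"Error","rule":"Write below etc","time":"2021-05-10T13:01:05.000Z","output_fields":{"container.id":"3f1c2a9d","fd.name":"/etc/passwd","proc.cmdline":"vi /etc/passwd","user.name":"root"}}
{"output":"13:02:00.000 Informational File mode changed in container","priority":"Informational","rule":"Container Drift Detected (chmod)","time":"2021-05-10T13:02:00.000Z","output_fields":{"container.id":"9b7e4c11","proc.cmdline":"chmod +x /tmp/run.sh","user.name":"app"}}
"""


def parse_events(text):
    """One JSON object per line; skip the banner and other non-JSON lines Falco prints."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        if isinstance(ev, dict) and "priority" in ev and "rule" in ev:
            events.append(ev)
    return events


def at_least(priority, minimum):
    """True when `priority` is as severe as `minimum` or more (lower index = more severe)."""
    return PRIORITIES.index(priority) <= PRIORITIES.index(minimum)


def select_events(events, minimum="Warning", rule_contains=None):
    """Filter by minimum priority and, optionally, a case-insensitive rule-name substring."""
    return [e for e in events
            if at_least(e["priority"], minimum)
            and (rule_contains is None or rule_contains.lower() in e["rule"].lower())]


FIELD_REF = re.compile(r"%([a-z_]+(?:\.[a-z_]+)*)")


def render(event, fmt="%evt.time,%user.name,%container.id,%proc.cmdline"):
    """Substitute %field references from output_fields, like Falco's own output templating."""
    fields = dict(event.get("output_fields", {}))
    fields.setdefault("evt.time", event.get("time", ""))
    return FIELD_REF.sub(lambda m: str(fields.get(m.group(1), "<NA>")), fmt)


def shell_events_csv(text):
    """The combined 'find the rule, change its output, capture it' workflow from the exam."""
    events = select_events(parse_events(text), minimum="Notice", rule_contains="shell")
    return [render(e) for e in events]


if __name__ == "__main__":
    print("\n".join(shell_events_csv(SAMPLE_OUTPUT)))
```

Note that the default `minimum="Warning"` would silently drop the shell event, which Falco ships at `Notice` priority; filtering by the priority list rather than by string comparison is what makes "at or above" behave as you expect. A field absent from `output_fields` renders as `<NA>`, mirroring what Falco prints for fields it could not populate.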

Only Materials I Used:

  1. Paid - KodeKloud CKS Course by Mumshad Mannambeth
  2. Paid - Killer Shell CKS Udemy Course
  3. Paid - Killer Shell CKS Labs

Conclusion - Book that Exam

If you're anything like me, you will organise your time schedule to ensure you sit the exam by booking the exam first. Remember that the prerequisite is the CKA certification.

One final tip to remember: it's an open book exam, BUT you won't have time to start "searching" for answers. You need to already know where to go to get them. Practise that search, and you'll be fine.

I hope my CKS experience summary and preparation guide helps you achieve your certification.

Ciao! ~ Siddhartha D