{"id":20102942,"url":"https://github.com/stackrox/kubernetes_security_specialist_study_guide","last_synced_at":"2026-01-27T17:37:29.893Z","repository":{"id":37716375,"uuid":"312104346","full_name":"stackrox/Kubernetes_Security_Specialist_Study_Guide","owner":"stackrox","description":null,"archived":false,"fork":false,"pushed_at":"2021-01-04T22:33:10.000Z","size":55,"stargazers_count":420,"open_issues_count":0,"forks_count":111,"subscribers_count":28,"default_branch":"master","last_synced_at":"2024-05-30T02:26:49.674Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stackrox.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-11-11T22:21:01.000Z","updated_at":"2024-05-17T04:48:07.000Z","dependencies_parsed_at":"2022-09-05T09:50:16.146Z","dependency_job_id":null,"html_url":"https://github.com/stackrox/Kubernetes_Security_Specialist_Study_Guide","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2FKubernetes_Security_Specialist_Study_Guide","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2FKubernetes_Security_Specialist_Study_Guide/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2FKubernetes_Security_Specialist_Study_Guide/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2FKubernetes_Security_Specialist_Study_Guide/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stack
rox","download_url":"https://codeload.github.com/stackrox/Kubernetes_Security_Specialist_Study_Guide/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241542241,"owners_count":19979280,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-13T17:33:44.463Z","updated_at":"2026-01-27T17:37:29.851Z","avatar_url":"https://github.com/stackrox.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Certified Kubernetes Security Specialist Study Guide \n\n\u003cp align=\"center\"\u003e\n  \u003cimg width=\"360\" src=\"img/kcss_logo.png\"\u003e\n\u003c/p\u003e\n\n- [Certified Kubernetes Security Specialist Study Guide](#certified-kubernetes-security-specialist-study-guide)\n  - [CKS Overview](#cks-overview)\n    - [Repository Structure](#repository-structure)\n    - [Outline](#outline)\n    - [Exam News and Overview](#exam-news-and-overview)\n    - [KubeCon Announcement and Preparation Tips](#kubecon-announcement-and-preparation-tips)\n  - [Curriculum](#curriculum)\n    - [Cluster Setup - 10%](#cluster-setup---10)\n    - [Cluster Hardening - 15%](#cluster-hardening---15)\n    - [System Hardening - 15%](#system-hardening---15)\n    - [Minimize Microservice Vulnerabilities - 20%](#minimize-microservice-vulnerabilities---20)\n    - [Supply Chain Security - 20%](#supply-chain-security---20)\n    - [Monitoring, Logging and Runtime Security - 20%](#monitoring-logging-and-runtime-security---20)\n  - [Extra Resources](#extra-resources)\n\n## CKS Overview  \n\nThe CKS is the 
third Kubernetes based certification backed by the Cloud Native Computing Foundation (CNCF). CKS will join the existing [Certified Kubernetes Administrator (CKA)](https://www.cncf.io/certification/cka/) and [Certified Kubernetes Application Developer (CKAD)](https://www.cncf.io/certification/ckad/) programs. All three certifications are online, proctored, performance-based exams that will require solving multiple Kubernetes security tasks from the command line. With the massive investment into Kubernetes over the last five years, these certifications continue to be highly sought after by many seeking out technical knowledge about Kubernetes.\n\nThis repository contains resources to build a Kubernetes cluster, and example questions and answers based on the [Certified Kubernetes Security Specialist (CKS) exam curriculum](https://github.com/cncf/curriculum/blob/master/CKS_Curriculum_%20v1.19%20Coming%20Soon%20November%202020.pdf).\n\n### Repository Structure\n\n```shell\nstudy_guide/\n└ cluster_setup/\n  └ Makefile\n  └ gcp   -\u003e Create a 1.19 cluster in GCP with RKE.\n  └ aws   (coming soon)\n  └ azure (coming soon)\n└ img/\n  └ all_images_used\n└ walkthrough/\n  └ p0_intro/\n  └ p1_cluster_setup /\n  └ p2_cluster_hardening/\n  └ p3_system_hardening/\n  └ p4_minimizing_vulnerabilities/\n  └ p5_supply_chain_security/\n  └ p6_monitoring_logging_runtime_security/\n└ LICENSE\n└ README.md\n```\n\n### Outline\n\nThe CKS test will be online, proctored and performance-based, and candidates have 2 hours to complete the exam tasks. 
This information is currently based on the [Linux Foundation's release of the CKS outline](https://training.linuxfoundation.org/certification/certified-kubernetes-security-specialist/).\n\nFrom the CKS Exam Curriculum repository, the exam will test the following domains and competencies:\n- [Cluster Setup (10%)](#cluster-setup---10): Best practice configuration to control the environment's access, rights and platform conformity.\n- [Cluster Hardening (15%)](#cluster-hardening---15): Protecting the K8s API and utilizing RBAC.\n- [System Hardening (15%)](#system-hardening---15): Improve the security of OS \u0026 Network; restrict access through IAM.\n- [Minimize Microservice Vulnerabilities (20%)](#minimize-microservice-vulnerabilities---20): Utilizing various K8s mechanisms to isolate, protect and control workloads.\n- [Supply Chain Security (20%)](#supply-chain-security---20): Container-oriented security, trusted resources, optimized container images, CVE scanning.\n- [Monitoring, Logging, and Runtime Security (20%)](#monitoring-logging-and-runtime-security---20): Analyse and detect threats.\n\n### Exam News and Overview\n\n-\u003e [CNCF CKS Overview](https://www.stackrox.com/post/2020/11/what-is-cncf-certified-kubernetes-security-specialist-cks-exam-and-what-is-covered/)\n\n### KubeCon Announcement and Preparation Tips\n\n-\u003e [KubeCon Announcement and Linux Foundation Update](https://www.stackrox.com/post/2020/11/cks-cncf-announcement-and-exam-study-tips/)\n\n## Curriculum\n\nBelow is the CKS curriculum broken down by its six sections. Each section has its own folder in the repository, where you can walk through individual questions relating to their respective topic. 
Each section in the curriculum overview also contains external resources that you may find useful in your studying journey.\n\n### Cluster Setup - 10%\n\n\u003cdetails\u003e\u003csummary\u003eUse CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)\u003c/summary\u003e\n\n* [CIS benchmark for Kubernetes](https://www.cisecurity.org/benchmark/kubernetes/)\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eVerify platform binaries before deploying\u003c/summary\u003e\n  \n* [Kubernetes platform binaries](https://github.com/kubernetes/kubernetes/releases)\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eProtect node metadata and endpoints\u003c/summary\u003e\n  \n* [Setting up secure endpoints in Kubernetes](https://blog.cloud66.com/setting-up-secure-endpoints-in-kubernetes/)\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eUse Network security policies to restrict cluster level access\u003c/summary\u003e\n  \n* [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies)\n* [An Introduction to Network Policies](https://medium.com/@reuvenharrison/an-introduction-to-kubernetes-network-policies-for-security-people-ba92dd4c809d)\n* [Get started with Kubernetes network policy](https://docs.projectcalico.org/security/kubernetes-network-policy)\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eProperly set up Ingress objects with security control\u003c/summary\u003e\n  \n* [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/)\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eMinimize use of, and access to, GUI elements\u003c/summary\u003e\n  \n* [On Securing the Kubernetes Dashboard](https://blog.heptio.com/on-securing-the-kubernetes-dashboard-16b09b1b7aca)\n  \n\u003c/details\u003e\n\n### Cluster Hardening - 15%\n\n\u003cdetails\u003e\u003csummary\u003eRestrict access to 
Kubernetes API\u003c/summary\u003e\n\n* [Controlling Access to the Kubernetes API](https://kubernetes.io/docs/reference/access-authn-authz/controlling-access/)\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eUse Role Based Access Controls to minimize exposure\u003c/summary\u003e\n\n* [Using RBAC Authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eExercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones\u003c/summary\u003e\n  \n* [Managing Service Accounts](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/)\n* [Configure Service Accounts for Pods](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/)\n* [Securing Kubernetes Clusters by Eliminating Risky Permissions](https://www.cyberark.com/resources/threat-research-blog/securing-kubernetes-clusters-by-eliminating-risky-permissions)\n\n\u003c/details\u003e\n\n### System Hardening - 15%\n\u003cdetails\u003e\u003csummary\u003eMinimize host OS footprint (reduce attack surface)\u003c/summary\u003e\n\n* [Reduce Kubernetes Attack Surfaces](https://blog.sonatype.com/kubesecops-kubernetes-security-practices-you-should-follow#:~:text=Reduce%20Kubernetes%20Attack%20Surfaces)\n* [CIS Benchmark Ubuntu Linux](https://www.cisecurity.org/benchmark/ubuntu_linux/)\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eMinimize IAM roles\u003c/summary\u003e\n\n* [IAM Grant least privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege)\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eMinimize external access to the network\u003c/summary\u003e\n\n* [Secure hosts with OS-level firewall 
(ufw)](https://help.replicated.com/community/t/managing-firewalls-with-ufw-on-kubernetes/230)\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eAppropriately use kernel hardening tools such as AppArmor, seccomp\u003c/summary\u003e\n\n* [Kubernetes Hardening Best Practices](https://www.sumologic.com/kubernetes/security/#security-best-practices)\n\n\u003c/details\u003e\n\n### Minimize Microservice Vulnerabilities - 20%\n\u003cdetails\u003e\u003csummary\u003eSetup appropriate OS level security domains e.g. using PSP, OPA, security contexts\u003c/summary\u003e\n\n* [Pod Security Policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/)\n* [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n* [Pod Security Policy](https://blog.alcide.io/pod-security-policy)\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eManage Kubernetes secrets\u003c/summary\u003e\n\n* [Kubernetes Secrets](https://kubernetes.io/docs/concepts/configuration/secret/)\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eUse container runtime sandboxes in multi-tenant environments (e.g. 
gvisor, kata containers)\u003c/summary\u003e\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eImplement pod to pod encryption by use of mTLS\u003c/summary\u003e\n  \n* [Manage TLS Certificates in a Cluster](https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/)\n\n\u003c/details\u003e\n\n### Supply Chain Security - 20%\n\n\u003cdetails\u003e\u003csummary\u003eMinimize base image footprint\u003c/summary\u003e\n\n* [Why build small container images in Kubernetes](https://cloud.google.com/blog/products/gcp/kubernetes-best-practices-how-and-why-to-build-small-container-images)\n* [7 best practices for building containers](https://cloud.google.com/blog/products/gcp/7-best-practices-for-building-containers)\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eSecure your supply chain: whitelist allowed image registries, sign and validate images\u003c/summary\u003e\n\n* [Using Admission Controllers](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/)\n* [Dynamic Admission Control](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/)\n* [How to reject docker registries in Kubernetes?](https://stackoverflow.com/questions/54463125/how-to-reject-docker-registries-in-kubernetes)\n* [Container image signatures in Kubernetes](https://medium.com/sse-blog/container-image-signatures-in-kubernetes-19264ac5d8ce)\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eUse static analysis of user workloads (e.g. 
kubernetes resources, docker files)\u003c/summary\u003e\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eScan images for known vulnerabilities\u003c/summary\u003e\n\n* [Scan your Docker images for vulnerabilities](https://medium.com/better-programming/scan-your-docker-images-for-vulnerabilities-81d37ae32cb3)\n\n\u003c/details\u003e\n\n### Monitoring, Logging and Runtime Security - 20%\n\n\u003cdetails\u003e\u003csummary\u003ePerform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities\u003c/summary\u003e\n\n* [Restrict a Container's Syscalls with Seccomp](https://kubernetes.io/docs/tutorials/clusters/seccomp/)\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eDetect threats within physical infrastructure, apps, networks, data, users and workloads\u003c/summary\u003e\n  \n* [Threat matrix for Kubernetes](https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/)\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eDetect all phases of attack regardless where it occurs and how it spreads\u003c/summary\u003e\n\n* [Investigating Kubernetes attack scenarios in Threat Stack](https://www.threatstack.com/blog/kubernetes-attack-scenarios-part-1)\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003ePerform deep analytical investigation and identification of bad actors within environment\u003c/summary\u003e\n\n* [Kubernetes security 101: Risks and Best practices](https://www.stackrox.com/post/2020/05/kubernetes-security-101/)\n  \n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eEnsure immutability of containers at runtime\u003c/summary\u003e\n\n* [Leverage Kubernetes to ensure that containers are 
immutable](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/container_security_guide/keeping_containers_fresh_and_updateable#leveraging_kubernetes_and_openshift_to_ensure_that_containers_are_immutable)\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eUse Audit Logs to monitor access\u003c/summary\u003e\n\n* [Kubernetes Audit](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/)\n* [How to monitor Kubernetes audit logs?](https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/)\n\n\u003c/details\u003e\n\n## Extra Resources\n\n- [Linux Academy: CKA Training](https://training.linuxfoundation.org/certification/certified-kubernetes-administrator-cka/)\n- [A Cloud Guru: CKAD Training](https://acloudguru.com/course/certified-kubernetes-application-developer-ckad)\n- [A Cloud Guru: Kubernetes Security](https://acloudguru.com/course/kubernetes-security)\n- [GitHub: walidshaari - CKSS](https://github.com/walidshaari/Certified-Kubernetes-Security-Specialist)\n- [GitHub: Madhu Akula's Kubernetes Goat](https://github.com/madhuakula/kubernetes-goat)\n- [GitHub: Abdennour](https://github.com/abdennour/certified-kubernetes-security-specialist)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstackrox%2Fkubernetes_security_specialist_study_guide","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstackrox%2Fkubernetes_security_specialist_study_guide","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstackrox%2Fkubernetes_security_specialist_study_guide/lists"}