KubeQuest

Appearance

CKS Study GuideCertified Kubernetes Security Specialist

Master Kubernetes security from cluster hardening to runtime defense. A comprehensive, hands-on guide to passing the CKS exam with confidence.

Get Started
Practice Labs
Mock Exams

Cluster Setup & Hardening (30%)

Network policies, CIS benchmarks, ingress security, RBAC, service accounts, and restricting API access. The combined weight of these two domains makes them the foundation of the exam.

System Hardening (15%)

Minimize host OS footprint, limit node access, use kernel hardening tools like AppArmor and seccomp, and reduce the attack surface of your infrastructure.

Minimize Microservice Vulnerabilities (20%)

Security contexts, Pod Security Standards, OPA Gatekeeper, secrets management, container sandboxing with gVisor and Kata, and mTLS with service meshes.

Supply Chain Security (20%)

Image provenance, container image signing, vulnerability scanning with Trivy, allowlisting registries, ImagePolicyWebhook, and software bill of materials.

Monitoring, Logging & Runtime Security (15%)

Behavioral analytics with Falco, audit logging, immutable containers, mutable vs immutable infrastructure, and threat detection at runtime.

CKS Exam Domain Overview

The following mind map shows the complete breakdown of CKS exam domains, their weight percentages, and the key topics within each domain.

What This Guide Covers

This study guide is structured to take you from foundational Kubernetes security concepts all the way through exam-ready proficiency. Each section maps directly to the official CKS curriculum and includes:

  • Concept explanations with real-world context for understanding why each security control exists
  • Hands-on lab exercises that mirror the performance-based exam format
  • Command references with practical examples you can use during the exam
  • Common pitfalls and troubleshooting patterns observed in practice environments
  • Mock exams that simulate the time pressure and complexity of the real exam

Prerequisites

Before starting this guide, you should hold an active CKA (Certified Kubernetes Administrator) certification or have equivalent experience. The CKS exam assumes working knowledge of:

  • Kubernetes cluster architecture and component management
  • kubectl proficiency and resource management
  • Networking fundamentals (Services, Ingress, DNS)
  • Linux system administration basics

See the Prerequisites section for a detailed readiness checklist.

Exam Format

DetailInformation
Certification NameCertified Kubernetes Security Specialist (CKS)
Exam Duration2 hours
FormatPerformance-based (hands-on, command-line tasks)
Passing Score67%
ProctoringPSI Bridge Proctored
EnvironmentRemote desktop with terminal access to Kubernetes clusters
PrerequisitesActive CKA certification required
Validity2 years from date of certification
Retakes1 free retake included with exam purchase
Kubernetes VersionAligned with latest stable release at time of exam
Allowed ResourcesKubernetes documentation (kubernetes.io), tool docs during exam

Domain Weight Distribution

DomainWeight
Cluster Setup15%
Cluster Hardening15%
System Hardening15%
Minimize Microservice Vulnerabilities20%
Supply Chain Security20%
Monitoring, Logging and Runtime Security15%

Exam Strategy: The two highest-weighted domains -- Minimize Microservice Vulnerabilities and Supply Chain Security -- together account for 40% of the exam. Prioritize deep understanding and hands-on practice in these areas while maintaining solid coverage across all domains.

Getting Started

  1. Review the prerequisites -- ensure your CKA knowledge is current: Prerequisites
  2. Work through each domain -- follow the structured sections in order
  3. Practice in lab environments -- hands-on repetition is essential for the performance-based format
  4. Take mock exams -- simulate real exam conditions: Mock Exams
  5. Review cheatsheets -- consolidate key commands and patterns: Exam Tips & Cheatsheets

Built with VitePress -- Powered by OpsAlchemy

Released under the MIT License.

Copyright © 2026 OpsAlchemy