Prerequisites for CKS
You already hold your CKA -- congratulations. The Certified Kubernetes Security Specialist (CKS) builds directly on top of everything CKA tested, but it shifts the lens entirely to security. This section maps out exactly what additional knowledge you need, what tools to learn, and the recommended order to study.
CKA-to-CKS Learning Path
What CKA Already Covers (Relevant to CKS)
Your CKA certification means you already have a solid foundation in these areas. CKS does not re-test the basics, but it deepens several of them:
| CKA Topic | CKS Relevance |
|---|---|
| RBAC | CKA covers creating Roles/ClusterRoles. CKS requires you to audit, harden, and detect misconfigurations in RBAC. |
| Network Policies | CKA covers basic ingress rules. CKS expects egress policies, default-deny, and namespace isolation patterns. |
| TLS & Certificates | CKA covers certificate signing requests. CKS expects you to rotate certificates, configure mTLS, and verify certificate chains. |
| etcd | CKA covers backup/restore. CKS expects you to encrypt etcd at rest and secure the etcd endpoint. |
| Pod Security | CKA covers securityContext basics. CKS requires Pod Security Standards/Admission, OPA Gatekeeper, and deep securityContext hardening. |
| Kubeconfig | CKA covers context switching. CKS expects you to restrict access, manage multiple identities, and audit kubeconfig files. |
| Namespaces | CKA uses them for organization. CKS uses them as security boundaries with resource quotas, network policies, and RBAC scoping. |
Key Insight
CKA asks: "Can you configure it?" CKS asks: "Can you secure it, detect when it's misconfigured, and fix it under pressure?"
What's NEW in CKS (Beyond CKA)
These topics are not covered at all in CKA and represent the core of what you need to learn:
1. Supply Chain Security
- Image scanning with Trivy to find vulnerabilities in container images
- Image signing and verification (Cosign, Notary concepts)
- Allowed registries -- restricting which registries pods can pull from
- Static analysis of Kubernetes manifests (kubesec, conftest)
- ImagePolicyWebhook admission controller for runtime image verification
2. Runtime Security & Monitoring
- Falco -- real-time kernel-level threat detection using syscall monitoring
- Audit logging -- configuring the API server audit policy to track who did what
- Behavioral analysis -- detecting anomalous container behavior at runtime
- Immutable containers -- enforcing read-only root filesystems, no privilege escalation
3. Linux Kernel Security Mechanisms
- Seccomp profiles -- restricting which syscalls a container can make
- AppArmor profiles -- Mandatory Access Control for file/network/capability restrictions
- Linux capabilities -- fine-grained privilege control (drop ALL, add only what's needed)
- SELinux (conceptual understanding, less hands-on in the exam)
4. Admission Controllers (In Depth)
- OPA Gatekeeper -- writing and enforcing custom admission policies using Rego
- Pod Security Admission -- enforcing Baseline/Restricted security standards at namespace level
- Validating and Mutating Webhooks -- how admission control pipelines work
- ImagePolicyWebhook -- denying containers from untrusted sources
5. Advanced Network Security
- Ingress with TLS termination -- securing ingress resources properly
- mTLS with service meshes (conceptual -- mutual TLS between services)
- Network-level isolation beyond basic NetworkPolicy (Cilium, Calico features)
6. Cluster Hardening
- CIS Benchmarks -- using kube-bench to audit cluster configuration against CIS standards
- API server hardening -- disabling anonymous auth, configuring admission plugins, audit logging
- kubelet security -- protecting the kubelet API, disabling read-only port
- Secrets management -- encrypting secrets at rest, external secret stores, avoiding secrets in env vars
Exam Reality Check
The CKS exam is 100% hands-on in a terminal. You will not get multiple-choice questions. Every topic above requires you to type commands, edit YAML, and fix configurations under a 2-hour time limit.
Security Tools You Need to Learn
The following tools appear either directly on the CKS exam or are essential for practice:
| Tool | What It Does | Exam Relevance |
|---|---|---|
| Trivy | Scans container images and configs for CVEs | Directly used on exam |
| Falco | Monitors syscalls for suspicious runtime behavior | Directly used on exam |
| kube-bench | Audits cluster against CIS Kubernetes Benchmark | Directly used on exam |
| OPA / Gatekeeper | Enforces custom admission policies | Directly used on exam |
| kubesec | Scores Kubernetes manifests for security risks | Good for practice |
| AppArmor | Linux kernel module for mandatory access control | Directly used on exam |
| Seccomp | Linux kernel feature to filter system calls | Directly used on exam |
| conftest | Tests structured data against OPA/Rego policies | Useful for practice |
Linux Security Fundamentals (Beyond CKA)
CKA expects you to be comfortable with Linux. CKS expects you to understand Linux security primitives at a deeper level:
Must-Know Concepts
- Linux Namespaces -- How containers achieve process isolation (PID, NET, MNT, UTS, IPC, USER namespaces)
- cgroups -- Resource limits and accounting that enforce container boundaries
- Linux Capabilities -- The 40+ capabilities that break down root's power (CAP_NET_ADMIN, CAP_SYS_PTRACE, etc.)
- Seccomp -- Berkeley Packet Filter (BPF) programs that filter syscalls at the kernel level
- AppArmor -- Profile-based MAC system that restricts file access, network access, and capabilities
- SELinux -- Label-based MAC system (know concepts; exam focuses more on AppArmor)
- /proc filesystem -- How container information leaks through /proc and how to restrict it
How Containers Use These Primitives
When a container starts, the container runtime:
- Creates new namespaces (PID, NET, MNT, etc.) to isolate the process
- Sets cgroup limits to restrict CPU, memory, and I/O
- Drops capabilities that the process does not need
- Applies a seccomp profile to block dangerous syscalls
- (Optionally) loads an AppArmor profile for file and network restrictions
CKS tests your ability to configure and verify steps 3-5 for pods.
Key Files and Paths to Know
| Path | Purpose |
|---|---|
/etc/apparmor.d/ | AppArmor profile definitions |
/proc/<pid>/status | Check seccomp mode and capabilities of a running process |
/proc/<pid>/attr/current | Current AppArmor profile for a process |
/var/lib/kubelet/seccomp/ | Default location for seccomp profiles on nodes |
/etc/kubernetes/manifests/ | Static pod manifests (API server, etcd, etc.) |
/etc/kubernetes/pki/ | Cluster PKI certificates and keys |
Recommended Study Order
Follow this order to build knowledge incrementally. Each domain builds on the previous ones:
Study Time Estimate
Most CKA holders spend 4 to 6 weeks preparing for CKS with 1-2 hours of daily study. If you are already comfortable with Linux security concepts, you may need less time. If Linux security is entirely new to you, budget 6-8 weeks.
Week-by-Week Suggested Plan
| Week | Focus | Key Activities |
|---|---|---|
| Week 1 | Prerequisites + Lab Setup | Set up Kind cluster, install tools, review Linux security basics |
| Week 2 | Cluster Setup & Hardening | CIS benchmarks with kube-bench, RBAC auditing, Network Policies |
| Week 3 | System Hardening | AppArmor profiles, Seccomp profiles, Linux capabilities |
| Week 4 | Microservice Vulnerabilities | Security contexts, Pod Security Admission, OPA Gatekeeper, Secrets |
| Week 5 | Supply Chain Security | Trivy scanning, image policies, static analysis |
| Week 6 | Runtime Security + Review | Falco rules, audit logging, immutable containers, mock exams |
Next Steps
Before diving into the CKS domains, make sure you:
- Read the CKA to CKS Bridge -- understand exactly what security concepts are new
- Set up your Lab Environment -- you cannot learn CKS without hands-on practice
- Take the Self-Assessment Quiz -- identify your specific knowledge gaps
- Check your answers in the Solutions