Domain 3: Minimize Microservice Vulnerabilities
Overview
Minimize Microservice Vulnerabilities carries 20% of the CKS exam score, the highest weight in the curriculum (shared with Supply Chain Security and Monitoring, Logging and Runtime Security). This domain focuses on securing the individual workloads, pods, and containers running inside the cluster, i.e. the actual microservices that make up your applications.
Highest Weight Domain -- 20%
Together with the other two 20% domains, this is where the most points are at stake, and you cannot afford to lose them here. Master every topic thoroughly: SecurityContexts, Secrets encryption at rest, OPA/Gatekeeper, runtime sandboxing, mTLS, admission controllers, and container hardening. A strong performance in this domain can make or break your exam result.
Topic Mindmap
Key Concepts at a Glance
| Concept | What It Does | Exam Relevance |
|---|---|---|
| SecurityContext | Controls pod/container-level Linux security settings | Very High -- expect 2-3 questions |
| Secrets Encryption | Encrypts secrets at rest in etcd | High -- EncryptionConfiguration setup |
| OPA/Gatekeeper | Policy-as-code admission control | High -- write ConstraintTemplates |
| RuntimeClass | Assigns sandboxed runtimes to pods | Medium -- configure gVisor/Kata |
| mTLS | Mutually authenticates and encrypts service-to-service traffic | Medium -- Istio concepts |
| Admission Controllers | Intercepts API requests for validation/mutation | High -- webhook configuration |
| Container Hardening | Reduces container attack surface | Medium -- Dockerfile + pod spec |
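As an added worked example (not part of the original page), here is a manifest that applies the SecurityContext, RuntimeClass, and container-hardening settings from the table above in one place, so you can see how the pod-level and container-level fields fit together. The RuntimeClass name `gvisor`, its handler `runsc` (which assumes gVisor is installed on the node and registered with containerd under that name), the UID `10001`, and the image `registry.example.com/app:1.0` are all assumptions for illustration.

```yaml
# RuntimeClass: assumes gVisor (runsc) is installed on the node and wired into
# containerd under the handler name "runsc". Name and handler are assumptions.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
---
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app
spec:
  runtimeClassName: gvisor              # run under the sandboxed runtime above
  automountServiceAccountToken: false   # no API token in the container unless it is needed
  securityContext:                      # pod level: inherited by every container
    runAsNonRoot: true                  # kubelet refuses to start a container as UID 0
    runAsUser: 10001                    # placeholder non-root UID
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault              # the container runtime's default syscall filter
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image, not a real registry
      securityContext:                  # container level: overrides pod-level fields
        allowPrivilegeEscalation: false # setuid binaries cannot gain privilege
        privileged: false
        readOnlyRootFilesystem: true    # nothing can be written outside mounted volumes
        capabilities:
          drop: ["ALL"]                 # drop every capability; add back only what is needed
      volumeMounts:
        - name: tmp
          mountPath: /tmp               # writable scratch space the read-only root lacks
  volumes:
    - name: tmp
      emptyDir: {}
```

Apply it, then check each layer from inside the pod: `kubectl exec hardened-app -- id` reports uid 10001; `kubectl exec hardened-app -- grep CapEff /proc/self/status` prints `0000000000000000`; `kubectl exec hardened-app -- touch /x` fails with a read-only file system error; and, if the image ships `dmesg`, `kubectl exec hardened-app -- dmesg` prints gVisor's own kernel messages rather than the host's. The usual exam trap is that `readOnlyRootFilesystem` and `runAsNonRoot` break images that expect to write under `/var` or start as root; fix that by adding an `emptyDir` for the specific writable path or setting a numeric `runAsUser`, not by loosening the hardening.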
What to Expect in the Exam
The CKS exam is performance-based, meaning you will work directly on live Kubernetes clusters. For this domain, expect tasks such as:
| Task Type | Likelihood | Difficulty |
|---|---|---|
| Configure SecurityContext on pods/containers | Very High | Medium |
| Set up encryption at rest for secrets | High | Hard |
| Create OPA/Gatekeeper policies | High | Hard |
| Configure RuntimeClass for sandboxing | Medium | Medium |
| Fix admission controller configurations | Medium | Hard |
| Harden container specifications | High | Medium |
| Identify and fix secret exposure | High | Easy-Medium |
Time Management
This domain's 20% weight corresponds to roughly 24 minutes of the 2-hour exam. OPA/Gatekeeper and EncryptionConfiguration tasks can eat that budget quickly, so practice writing Rego policies and EncryptionConfiguration YAML from memory; the kubernetes.io documentation you may open during the exam does contain a reference EncryptionConfiguration, but locating and adapting it still costs minutes you will not have.
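As an added example (not from the original page), here is the EncryptionConfiguration to drill, with the provider-ordering mistake that silently leaves Secrets in plaintext called out alongside it. The file path `/etc/kubernetes/enc/enc.yaml` and the key name `key1` are assumptions; generate the key value yourself with `head -c 32 /dev/urandom | base64` (aescbc accepts 16-, 24- or 32-byte keys, and the API server refuses to start on any other length).

```yaml
# /etc/kubernetes/enc/enc.yaml (path is an assumption; keep it outside the
# static-pod manifests directory and readable only by root). Added example.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets                 # add configmaps or other resource types if the task requires
    providers:
      # Provider order matters: the FIRST provider encrypts every new write;
      # all providers are tried in order when decrypting reads.
      - aescbc:
          keys:
            - name: key1        # key name is an assumption; it appears in the etcd ciphertext prefix
              secret: REPLACE_WITH_BASE64_32_BYTE_KEY   # head -c 32 /dev/urandom | base64
      - identity: {}            # plaintext fallback so Secrets written before the change still read
# Wrong ordering (a common exam trap): putting "identity: {}" FIRST means new
# Secrets are still written in plaintext even though an aescbc key is configured.
```

Wire it in by adding `--encryption-provider-config=/etc/kubernetes/enc/enc.yaml` to the kube-apiserver static pod manifest (`/etc/kubernetes/manifests/kube-apiserver.yaml` on a kubeadm cluster) together with a `hostPath` volume and matching `volumeMount` for the `/etc/kubernetes/enc` directory, then wait for the API server container to come back (`crictl ps -a` and `crictl logs` if it does not). Secrets stored before the change stay plaintext until they are rewritten: `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`. Verify directly against etcd using the kubeadm default certificate paths, e.g. `ETCDCTL_API=3 etcdctl --cacert /etc/kubernetes/pki/etcd/ca.crt --cert /etc/kubernetes/pki/etcd/server.crt --key /etc/kubernetes/pki/etcd/server.key get /registry/secrets/default/<name> | hexdump -C`; an encrypted value begins with `k8s:enc:aescbc:v1:key1:` followed by ciphertext, while a plaintext one shows the readable Secret data.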
Defense in Depth Strategy
The topics in this domain form concentric layers of security around your microservices. From the outside in: admission controllers and OPA/Gatekeeper reject or mutate non-compliant manifests at the API server before anything is scheduled; SecurityContext settings and container hardening limit what a running container can do; RuntimeClass sandboxing (gVisor, Kata) puts an extra kernel boundary between the workload and the host; mTLS protects traffic between services; and Secrets encryption at rest protects the data in etcd if every layer above it is bypassed. The point of stacking them is that a failure at one layer is contained by the next.
Study Strategy
Work through these topics in order. Security Contexts and Secrets are foundational -- nearly every other topic builds on understanding pod specifications. OPA/Gatekeeper is the most complex new concept, so allocate extra study time. Runtime sandboxing and mTLS are more conceptual but still require hands-on practice.
Section Contents
| Section | Topic | Key Skills |
|---|---|---|
| Security Contexts | Pod and container security settings | YAML configuration, Linux security |
| Secrets Management | Encryption at rest, secret handling | EncryptionConfiguration, etcd |
| OPA/Gatekeeper | Policy-as-code admission control | Rego, ConstraintTemplates |
| Runtime Sandboxing | gVisor, Kata, RuntimeClass | RuntimeClass configuration |
| mTLS & Service Mesh | Service-to-service encryption | Istio, PeerAuthentication |
| Admission Controllers | Webhooks and built-in controllers | Webhook configuration |
| Container Hardening | Minimal images, non-root, read-only | Dockerfile, pod spec hardening |
| Practice Questions | 25 exam-style questions | All domain topics |
| Solutions | Detailed solutions with explanations | Step-by-step walkthroughs |