Domain 4: Supply Chain Security
Overview
Supply Chain Security is tied for the highest-weighted domain on the CKS exam, accounting for 20% of the total score -- equal to Minimize Microservice Vulnerabilities. Together, these two domains represent 40% of the exam, making them your top priority for study and practice.
This domain focuses on securing the entire software supply chain: from how container images are built, to how they are scanned for vulnerabilities, to how they are signed, stored, and ultimately admitted into your Kubernetes clusters. A single compromised image in your supply chain can undermine every other security control you have in place.
Critical Exam Weight
At 20%, Supply Chain Security is tied for the highest-weighted domain on the CKS exam. Expect multiple questions covering image scanning, admission control, static analysis, and registry security. Mastering this domain can be the difference between passing and failing.
Topic Mindmap
What to Expect in the Exam
The CKS exam is performance-based, meaning you will work directly on live Kubernetes clusters. For this domain, expect tasks such as:
| Task Type | Likelihood | Difficulty |
|---|---|---|
| Scan images with Trivy and identify vulnerabilities | High | Easy-Medium |
| Configure ImagePolicyWebhook admission controller | High | Hard |
| Analyze manifests with kubesec | Medium | Easy |
| Fix insecure Dockerfiles | Medium | Medium |
| Configure private registry access with ImagePullSecrets | High | Easy-Medium |
| Enforce image registry allowlists | Medium | Medium |
| Identify images running with known CVEs | High | Medium |
Time Management
Supply Chain Security questions often require multiple steps: scanning, interpreting results, fixing configurations, and verifying changes. Practice the full workflow -- not just individual commands. Aim to complete image scanning tasks in 3-5 minutes and ImagePolicyWebhook configuration in 8-10 minutes.
Key Tools and Commands
Trivy
The primary tool for vulnerability scanning on the CKS exam.
# Scan a container image for vulnerabilities
trivy image nginx:1.25
# Scan with severity filter
trivy image --severity CRITICAL,HIGH nginx:1.25
# Scan and output as JSON
trivy image --format json -o results.json nginx:1.25
# Scan a local filesystem
trivy fs /path/to/project
# Scan for misconfigurations in Kubernetes manifests
trivy config /path/to/manifests/kubesec
Static analysis tool for Kubernetes resource manifests.
# Scan a manifest file
kubesec scan pod.yaml
# Scan via the hosted API
curl -sSX POST --data-binary @pod.yaml https://v2.kubesec.io/scan
# Scan from stdin
cat deployment.yaml | kubesec scan -Image Policy Commands
# Check which admission controllers are enabled
cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep enable-admission-plugins
# Verify ImagePolicyWebhook configuration
cat /etc/kubernetes/pki/admission_configuration.yaml
# Test if an image is allowed
kubectl run test --image=nginx --dry-run=server -o yamlRegistry and Image Commands
# Create an ImagePullSecret
kubectl create secret docker-registry regcred \
--docker-server=registry.example.com \
--docker-username=user \
--docker-password=pass \
--docker-email=user@example.com
# Pin an image to a specific digest
kubectl set image deployment/app \
app=registry.example.com/app@sha256:abc123...
# Verify an image with cosign
cosign verify --key cosign.pub registry.example.com/app:v1.0Topics in This Domain
| # | Topic | Key Focus |
|---|---|---|
| 1 | Container Image Scanning | Trivy installation, scanning, CVE interpretation, CI/CD integration |
| 2 | Image Policies & Enforcement | ImagePolicyWebhook, OPA Gatekeeper, registry allowlists |
| 3 | Static Analysis | kubesec, kube-score, manifest scoring and remediation |
| 4 | Image Signing & Verification | Cosign, Notary, SBOM, supply chain integrity |
| 5 | Dockerfile Security | Multi-stage builds, distroless images, non-root, best practices |
| 6 | Private Registry Security | ImagePullSecrets, Harbor, authentication, access control |
| 7 | Practice Questions | 25 hands-on questions covering all supply chain topics |
| 8 | Solutions | Step-by-step solutions with explanations |
Study Strategy
Recommended Approach
- Master Trivy first -- image scanning is the most likely topic to appear and is straightforward to learn
- Practice ImagePolicyWebhook end-to-end -- this is the hardest topic and requires understanding admission controller configuration files
- Know kubesec scoring -- be able to quickly identify what makes a manifest score poorly
- Memorize Dockerfile best practices -- common fixes include adding USER, removing ADD, using multi-stage builds
- Practice ImagePullSecrets -- creating and attaching them to pods and service accounts is a quick win
- Understand image digests vs tags -- know why digests are more secure and how to pin them
Common Mistakes
- Forgetting to restart the API server after enabling ImagePolicyWebhook (it is a static pod -- kubelet will restart it, but you must wait)
- Using
--severityflag incorrectly with Trivy (comma-separated, no spaces:CRITICAL,HIGH) - Not mounting the webhook kubeconfig file into the API server pod when configuring ImagePolicyWebhook
- Confusing
imagePullPolicy: Always(pod spec) with theAlwaysPullImagesadmission controller - Creating an ImagePullSecret in the wrong namespace
- Forgetting to reference the ImagePullSecret in the Pod spec or ServiceAccount
Supply Chain Attack Vectors
Understanding why supply chain security matters helps you think through exam scenarios:
Defense in Depth
Each topic in this domain addresses a different layer of defense:
- Dockerfile Security -- prevents vulnerabilities at build time
- Image Scanning -- detects known vulnerabilities before deployment
- Image Signing -- ensures image integrity and provenance
- Static Analysis -- catches misconfigurations in manifests
- Image Policies -- enforces rules at the admission gate
- Registry Security -- controls where images come from