Certified Kubernetes Security Specialist (CKS) Prep Journey

Krishna Chaitanya Sarvepalli
Nov 29, 2021

After successfully completing CKA last year, I was a little excited and got the CKS voucher at a discount on Cyber Monday 2020. (I was forced to complete it by Nov 30th 2021 or else the voucher would expire. :))

In my current company we have been using K8s in production for the last 4 years. I have handled a bunch of K8s issues in development and production environments, which gave me in-depth knowledge of K8s.

Coming to CKS preparation, as always our first stop should be checking the exam content and becoming familiar with each and every aspect of it. As of now, CKS is being tested with K8s version 1.22. Refer to this location for the latest version: https://github.com/cncf/curriculum

Prep Topics:

We need to be thorough on the following concepts:

  1. Network Policies
  2. RBAC (Role/Cluster Role and corresponding Bindings)
  3. Pod Security Policies (will be deprecated in 1.25)
  4. Security Context (At Pod level and at container level)
  5. Runtime with gVisor (validate with the dmesg command)
  6. Immutable aspect of pods and Docker containers
  7. Secret Management and Associating with pod volumes
  8. Image Policy Webhook (Dynamic Admission Controllers)
  9. Auditing Requirements and enabling with kube-apiserver
  10. Best practices for Dockerfile (latest version, root user check, unnecessary packages)

Along with the above-mentioned core K8s concepts, we should be thorough on the following dependency concepts.

  1. Kube-Bench recommendations (Master/Worker/Kubelet/etcd)
  2. Image scanning with Trivy
  3. Seccomp Profile and associating with Pod.
  4. OPA and Gatekeeper
  5. Falco Rules and overriding an existing rule with local profile.
  6. AppArmor — loading a profile, and associating with pod to restrict syscalls.
  7. Kubesec — validate k8s manifest files and

Recommended Courses:

  1. Absolutely recommended: go through the KodeKloud CKS course and mock exams. https://kodekloud.com/courses/certified-kubernetes-security-specialist-cks/
  2. Zeal Vora course on CKS https://www.udemy.com/course/certified-kubernetes-security-specialist-certification/
  3. Kubernetes CKS complete course by Killer.sh Kim https://www.udemy.com/course/certified-kubernetes-security-specialist/

Personally I have taken all 3 courses: I registered with KodeKloud for one month, and the remaining 2 courses are available in a Udemy Business account (free in my company). If you need to pick only one, I would recommend going for the KodeKloud course and practicing every lab in it.

Mock Exams:

  • KodeKloud Mock exams — Recommended to complete early; don’t wait for the last 2 days before the exam date. Trust me, you won’t get enough time to revise and take the mock exams.
  • Killer.sh — https://killer.sh/cks The mock exams are free with the CKS voucher. I have seen a lot of folks who didn’t know about this free simulator that comes with your CKS exam registration. The mock exam is a lot tougher compared to the actual exam.

Suggestions:

  1. Practice, practice, practice…!!! You need to practice all the manifest files; just reading won’t help.
  2. Time management is crucial. The exam is 2 hours long with 15 questions/clusters that we need to complete. I would suggest completing the high-percentage questions first and flagging any low-percentage questions to come back to and finish at the end.
  3. The Killer mock exam is a must; it will show you what level you are at currently. Practice it at least one week before the exam so that you have enough time to revise and practice one more time.

Please provide your feedback in comments or if you want me to cover anything else. I am happy to take the feedback and improve on it.

I have cleared the exam with 84%, and thanks to my family for all the support they have provided in my preparation journey.

Krishna Chaitanya Sarvepalli

Solution Architect @TSYS. Good @ Java, Kubernetes, Kafka, AWS cloud, DevOps, architecture and complex problems