• The exams are delivered online and consist of performance-based tasks (problems) to be solved on the command line running Linux.
• The exams consist of 15-20 performance-based tasks.
• Candidates have 2 hours to complete the CKS exam.
• The exam is proctored remotely via streaming audio, video, and screen sharing feeds.
• Results will be emailed 24 hours from the time that the exam is completed.

General Instructions

• Each task on this exam must be completed on a designated host.
• An infobox at the start of each task provides you with the host name.
• Hosts can be reached via SSH, using a command such as: ssh <nodename>
• You must return to the base node (with hostname base) after completing each task.
• Nested SSH is not supported.
• You can assume elevated privileges on any node by issuing the following command: sudo -i
• You can also use sudo to execute commands with elevated privileges at any time.

Pre-installed Tools

• kubectl with kalias and Bash autocompletion
• yq for YAML processing
• curl and wget for testing web services
• man and man pages for further documentation

Warning: The base system (with hostname base) does not have any of the above tools pre-installed as all tasks on this exam must be completed on a designated SSH host.

System Environment

• The CKS environment is currently running etcd v3.5.
• The CKS environment is currently running Kubernetes v1.30.

Cluster Setup Domain – 15%

• Use Network security policies to restrict cluster level access.
• Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi).
• Properly set up Ingress with TLS.
• Protect node metadata and endpoints.
• Verify platform binaries before deploying.

System Hardening Domain – 10%

• Minimize host OS footprint (reduce attack surface).
• Using least-privilege identity and access management.
• Minimize external access to the network.
• Appropriately use kernel hardening tools such as AppArmor, seccomp.

Supply Chain Security Domain – 20%

• Minimize base image footprint.
• Understand your supply chain (e.g., SBOM, CI/CD, artifact repositories).
• Secure your supply chain (permitted registries, sign and validate artifacts, etc.).
• Perform static analysis of user workloads and container images (e.g., Kubesec, KubeLinter).

Cluster Hardening Domain – 15%

• Use Role Based Access Controls to minimize exposure.
• Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones.
• Restrict access to Kubernetes API.
• Upgrade Kubernetes to avoid vulnerabilities.

Minimize Microservice Vulnerabilities Domain – 20%

• Use appropriate pod security standards.
• Manage Kubernetes secrets.
• Understand and implement isolation techniques (multi-tenancy, sandboxed containers, etc.).
• Implement Pod-to-Pod encryption using Cilium.

Monitoring, Logging and Runtime Security Domain – 20%

• Perform behavioral analytics to detect malicious activities.
• Detect threats within physical infrastructure, apps, networks, data, users, and workloads.
• Investigate and identify phases of attack and bad actors within the environment.
• Ensure immutability of containers at runtime.
• Use Kubernetes audit logs to monitor access.