January 17, 2022

Certified Kubernetes Security Specialist (CKS) Cracker: Tips and Tricks

Zulfi Ahamed
Director, DevOps

How to master the Certified Kubernetes Security Specialist (CKS) CNCF program

First things first: why CKS? Why do you need to study for and obtain yet another Kubernetes certification? Let's take a step back. If you are into Kubernetes, CKA and CKAD are the two closely related certifications that help developers and DevOps teams get acclimated to the world of Kubernetes; CKS is a different ball game. CKS goes further and tests skills, knowledge and proficiency across a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime. Note that holding a current CKA certification is a mandatory prerequisite for taking the CKS exam.

But why is security such a critical topic when it comes to containers? Think about it this way: in the traditional computing model, the operating system (OS) sat in a tightly coupled architecture on dedicated hardware. Then along came cloud, introducing a new kind of "exposure" and a host of new security challenges: an additional layer to protect (the hypervisor and virtualization stack) and an attack surface that is now decentralized. Containers are yet another abstraction. This time it is the operating system that is being virtualized, so that an application can be packaged with only the runtime it needs and run anywhere; the kernel, however, is still shared with every other container on the node.

In a microservice-based world, as organizations move applications to containers, whether by simply refactoring them or by re-platforming them on new microservice architectures, teams have to skill up to face new security risks. The transition path is fraught with perils, with new threats at every step. Hence security has become a crucial aspect of running Kubernetes.

CKS covers a comprehensive toolbox meant to bring "awareness on all areas where security needs to be hardened for a Kubernetes based deployment." CKS is for everyone in IT operations, DevOps and platform teams who deals with Kubernetes across:

  • Development
  • Deployment
  • Management

You will be examined on cluster setup (10% of the exam weight), cluster hardening (15%), system hardening (15%), minimizing microservice vulnerabilities (20%), supply chain security (20%) and monitoring, logging and runtime security (20%). You have 2 hours to complete 16 questions, so time management matters as much as knowledge.

All the tools and features you need to know about

CKS is all about security carried through ecosystem tools/packages. There are 10 tools in total that anyone taking the exam will have to familiarize themselves with, and know how to use. Those are:

Beyond the above 10 tools, there are important native Kubernetes concepts and features that you need to be comfortable with. Those are:

Setting up a system to practice

One of the important questions is: where do you practice? To try out all the tools and utilities noted above you need, at a minimum:

  • 1 control plane node
  • 1 worker node, both running Kubernetes 1.19 on Ubuntu

Here’s a quick overview of the steps you need to take:

  1. Install Kubernetes 1.19 with one control plane node and one worker
  2. Upgrade the cluster to 1.20 following the Kubernetes upgrade documentation
  3. Enable auditing on the kube-apiserver and write an audit policy with rules
  4. Install the Kubernetes dashboard on the cluster and secure it (no anonymous access, no cluster-admin binding)
  5. Enable the NodeRestriction admission controller and verify on the worker node that the kubelet can only modify its own Node and Pod objects
  6. Enable the ImagePolicyWebhook admission controller and test image admission against a kube-image-bouncer server
  7. Download and run kube-bench on the control plane node and the worker node
  8. Use the cluster to try out network policies and RBAC
  9. Download and run a Sonobuoy conformance check on the cluster
  10. Install Trivy and Clair on the control plane node
  11. Scan all the images used by the Kubernetes deployment
  12. Build an nginx image from a Dockerfile and run it as a pod
  13. Ensure that the pod does not run as root and has the minimum set of privileges
  14. Launch the pod with different security contexts
  15. Install gVisor, create a RuntimeClass for it and launch the nginx pod with that RuntimeClass
  16. Configure an AppArmor profile on the node and run the nginx pod with that profile
  17. Write a seccomp profile that blocks syscalls (seccomp is a kernel feature; nothing needs installing) and run the nginx pod with that profile
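Steps 12 to 17 above come together in a single pod manifest. The following is an added example, not code from the original post: a constructed, hardened nginx Pod that combines a non-root security context, dropped capabilities, a seccomp profile, an AppArmor annotation and a gVisor RuntimeClass, alongside a small checker that reports which of those settings a manifest is missing, and a helper that answers whether a seccomp profile would block a given syscall. The RuntimeClass name "gvisor", the AppArmor profile name "nginx-restricted", the seccomp profile path and the UID 101 are assumptions about the practice node, not values taken from the post.

```python
"""Added example: least-privilege pod check for the practice steps (not from the original post)."""
import copy

# Constructed manifest. "gvisor" (RuntimeClass), "nginx-restricted" (AppArmor
# profile) and "profiles/nginx.json" (seccomp file) are assumed to exist on the node.
HARDENED_NGINX_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {
        "name": "nginx-hardened",
        "annotations": {
            # On 1.19/1.20 AppArmor is bound per container through this annotation.
            "container.apparmor.security.beta.kubernetes.io/nginx": "localhost/nginx-restricted",
        },
    },
    "spec": {
        "runtimeClassName": "gvisor",               # step 15: sandbox the pod under gVisor
        "securityContext": {
            "runAsNonRoot": True,                   # step 13: kubelet refuses to start UID 0
            "runAsUser": 101,                       # UID of the unprivileged nginx image (assumed)
            "seccompProfile": {                     # step 17: file relative to the kubelet seccomp root
                "type": "Localhost",
                "localhostProfile": "profiles/nginx.json",
            },
        },
        "containers": [{
            "name": "nginx",
            "image": "nginxinc/nginx-unprivileged:1.20",
            "ports": [{"containerPort": 8080}],
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "privileged": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            # nginx still needs a writable location for its cache and pid file.
            "volumeMounts": [{"name": "scratch", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "scratch", "emptyDir": {}}],
    },
}

# A deliberately loose manifest: default user, no capability drop, no seccomp, no sandbox.
NAIVE_NGINX_POD = copy.deepcopy(HARDENED_NGINX_POD)
NAIVE_NGINX_POD["metadata"] = {"name": "nginx-naive"}
NAIVE_NGINX_POD["spec"].pop("securityContext")
NAIVE_NGINX_POD["spec"].pop("runtimeClassName")
NAIVE_NGINX_POD["spec"]["containers"][0].pop("securityContext")
NAIVE_NGINX_POD["spec"]["containers"][0]["image"] = "nginx:1.20"

# Constructed seccomp profile for step 17: deny everything by default, allow a short list.
# The allow list is illustrative only; derive the real one by tracing nginx on the node.
SECCOMP_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [{
        "names": ["read", "write", "openat", "close", "mmap", "munmap", "epoll_wait",
                  "accept4", "sendfile", "exit_group", "futex", "socket", "bind", "listen"],
        "action": "SCMP_ACT_ALLOW",
    }],
}


def seccomp_blocks(profile, syscall):
    """True when no allow rule matches and the profile's default action is not allow."""
    for rule in profile.get("syscalls", []):
        if syscall in rule["names"] and rule["action"] == "SCMP_ACT_ALLOW":
            return False
    return profile["defaultAction"] != "SCMP_ACT_ALLOW"


def check_pod(manifest):
    """Return findings for the settings steps 13 to 17 ask for; empty list means it passes."""
    findings = []
    spec = manifest["spec"]
    pod_sc = spec.get("securityContext", {})
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: {flag} is enabled")
    if spec.get("runtimeClassName") is None:
        findings.append("pod: no runtimeClassName (not sandboxed under gVisor)")
    annotations = manifest.get("metadata", {}).get("annotations", {})
    for c in spec["containers"]:
        name, sc = c["name"], c.get("securityContext", {})
        if not (pod_sc.get("runAsNonRoot") or sc.get("runAsNonRoot")):
            findings.append(f"{name}: runAsNonRoot not set (may run as root)")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped (drop: [ALL])")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile")
        if not seccomp or seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: no seccomp profile (Unconfined)")
        key = f"container.apparmor.security.beta.kubernetes.io/{name}"
        if "localhost/" not in annotations.get(key, ""):
            findings.append(f"{name}: no AppArmor profile annotation")
    return findings


if __name__ == "__main__":
    print("hardened:", check_pod(HARDENED_NGINX_POD) or "OK")
    print("naive:", *check_pod(NAIVE_NGINX_POD), sep="\n  ")
    print("ptrace blocked:", seccomp_blocks(SECCOMP_PROFILE, "ptrace"))
```

Dump the manifest to YAML (or JSON, which kubectl accepts) and `kubectl apply -f` it on the practice cluster; if the RuntimeClass, AppArmor profile or seccomp file is missing on the node, the pod stays in a failed or pending state and `kubectl describe pod` tells you which one. The checker is a local sanity pass on manifests, not a replacement for an admission policy in the cluster.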

Important links and tips:

  • jq is a convenient tool in the exam. Most security reports (kube-bench, Trivy, audit logs, kubectl -o json) are JSON; you can read them in a text editor, but jq lets you extract just the piece of information you need. For example, to list every container name and the image it runs in kube-system:
    kubectl get pods -n kube-system -o json | jq '.items[].spec.containers[] | .name +" "+ .image'
  • A quick primer on jq can be found here:
  • Do not worry about setting up kubectl auto-completion; it is already configured in the exam environment.
    Make use of it liberally. An alias such as k=kubectl also comes in very handy.
  • Install and configure every tool yourself while practising, so you understand how each one is deployed and configured. That understanding comes in very handy when a tool misbehaves during the exam.

Don’t forget to check out our January CKS webinar and recording and good luck!
