CKS Certified Kubernetes Security Specialist: Exam Study Guide
Full CKS exam study guide for 2026: six security domains, RBAC deep dive, key tools like Falco and OPA, and how to build hands-on lab practice efficiently.
CKS vs. CKA and CKAD: What Makes It Different?
The Certified Kubernetes Security Specialist (CKS) is the most advanced credential in the Linux Foundation's Kubernetes certification track. Unlike the Certified Kubernetes Administrator (CKA) and Certified Kubernetes Application Developer (CKAD), the CKS has a hard prerequisite: you must hold a valid CKA certificate before you can register. This is not optional — the Linux Foundation enforces it at registration.
The CKS is a two-hour, fully hands-on performance-based exam conducted in a live Kubernetes environment. There are no multiple-choice questions. You are given a series of tasks to complete across multiple clusters using only the kubectl CLI, standard Linux tools, and the official Kubernetes documentation. Passing score is 67%.
The Six CKS Exam Domains
- Cluster Setup (15%): Network policies to restrict pod-to-pod traffic, CIS benchmark hardening for cluster components, Ingress objects with TLS termination, and protection of node metadata APIs. This domain overlaps heavily with CKA content but adds a security lens.
- Cluster Hardening (15%): RBAC configuration, service account management (disabling auto-mounting, binding minimum roles), Kubernetes API server restrictions, and keeping cluster components updated. Understand how to audit existing RBAC permissions with kubectl auth can-i.
- System Hardening (15%): AppArmor profiles, Seccomp profiles, reducing the OS attack surface on nodes, and limiting kernel capabilities in container security contexts. You must be comfortable writing and applying AppArmor profiles and referencing Seccomp in pod specs.
- Minimize Microservice Vulnerabilities (20%): OPA/Gatekeeper admission controllers, Pod Security Admission (PSA), secrets management best practices, multi-tenancy isolation, and container sandboxing with gVisor or Kata Containers. This is the highest-weighted domain.
- Supply Chain Security (20%): Image scanning with Trivy, minimizing base image footprint, Dockerfile best practices, signed container images, and admission controllers that enforce image provenance policies. Know how to use Trivy to scan an image and interpret the severity output.
- Monitoring, Logging and Runtime Security (20%): Falco for runtime threat detection, behavioral analysis of containers, audit logging in Kubernetes, and immutable containers. You need to know how to write and apply Falco rules and how to configure the Kubernetes audit policy file.
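The first three domains are tested almost entirely by writing manifests under time pressure, so the following is a worked example, added here and not taken from the article or from the Linux Foundation's exam material: a default-deny NetworkPolicy with a narrow allow rule (Cluster Setup) and a Pod whose security context applies the System Hardening controls listed above. The namespace `payments`, the labels, the image name and the DNS-pod label `k8s-app: kube-dns` (what kubeadm's CoreDNS deployment uses) are assumptions for the example.

```yaml
# Constructed example: default-deny NetworkPolicy + narrow allow rule + hardened Pod.
# Namespace, labels and image are assumed; they are not from the article.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}            # empty selector = every pod in the namespace
  policyTypes:
    - Ingress
    - Egress                 # egress is denied too, so DNS must be re-allowed below
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-from-frontend
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: payments-api
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend       # only pods carrying this label may reach the API
      ports:
        - protocol: TCP
          port: 8443
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns   # assumed CoreDNS label (kubeadm default)
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
apiVersion: v1
kind: Pod
metadata:
  name: payments-api
  namespace: payments
  labels:
    app: payments-api
spec:
  automountServiceAccountToken: false   # the workload never talks to the API server
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault              # container runtime's default seccomp filter
  containers:
    - name: api
      image: registry.example.internal/payments-api:1.4.2   # assumed image
      ports:
        - containerPort: 8443
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true    # immutable container; writable paths are explicit
        capabilities:
          drop: ["ALL"]                 # add back single capabilities only when required
        appArmorProfile:
          type: RuntimeDefault          # securityContext field for AppArmor (Kubernetes 1.30+)
      volumeMounts:
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}
```

Two points worth checking when you practice this: the default-deny policy also blocks egress, so a pod that cannot resolve names after you apply it is the expected failure mode, not a typo, and the DNS egress rule is what fixes it. On clusters older than 1.30 the `appArmorProfile` field is absent and the same profile is requested with the `container.apparmor.security.beta.kubernetes.io/api: runtime/default` annotation on the Pod; know both forms.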
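For the Monitoring, Logging and Runtime Security domain, the two artifacts you are most likely to be asked to write are a Falco rule and a Kubernetes audit policy. The block below is an added example (not from the article or from the Falco or Kubernetes projects' shipped files) showing both: a custom rule that alerts on an interactive shell in a specific namespace, and an audit policy that records secret access in full while keeping noise down. The `spawned_process` and `container` macros come from Falco's default rule set; the namespace `payments` and the file paths in the comments are assumptions.

```yaml
# Constructed example, file 1: a custom Falco rule, e.g. appended to
# /etc/falco/falco_rules.local.yaml (path assumed). The macros spawned_process
# and container are defined in Falco's default rules.
- rule: Shell Spawned In Payments Container
  desc: An interactive shell started inside a container in the payments namespace
  condition: >
    spawned_process and container
    and proc.name in (bash, sh, zsh, dash)
    and k8s.ns.name = "payments"
  output: >
    Shell in payments container (user=%user.name pod=%k8s.pod.name
    image=%container.image.repository command=%proc.cmdline)
  priority: WARNING
  tags: [container, shell, mitre_execution]
---
# Constructed example, file 2: a Kubernetes audit policy, referenced from the
# API server via --audit-policy-file and written with --audit-log-path.
# Rules are evaluated top to bottom and the first match wins, so the most
# specific rules come first and the catch-all goes last.
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - RequestReceived           # drop the noisy RequestReceived stage for every rule
rules:
  - level: None               # kube-proxy's endpoint/service watches are not logged
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  - level: RequestResponse    # full request and response bodies for secrets in payments
    namespaces: ["payments"]
    resources:
      - group: ""
        resources: ["secrets"]
  - level: Metadata           # who touched secrets/configmaps elsewhere, without bodies
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  - level: Metadata           # every RBAC change, in any namespace
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: "rbac.authorization.k8s.io"
  - level: Metadata           # catch-all: everything else at Metadata level
```

When practising, verify the rule fires by exec'ing a shell into a pod in that namespace and watching the Falco output, and verify the audit policy by reading a secret and confirming the log line carries a `RequestResponse` level with the object body. Note that `RequestResponse` on secrets writes secret contents into the audit log, which is why the example scopes it to one namespace rather than the whole cluster.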
RBAC Deep Dive
RBAC appears across multiple CKS domains and is one of the most tested topics. In Kubernetes, RBAC has four object types you must know:
- Role / ClusterRole: Defines a set of permissions (verbs on resources). Roles are namespace-scoped; ClusterRoles are cluster-scoped or can be bound into a namespace.
- RoleBinding / ClusterRoleBinding: Attaches a Role or ClusterRole to a subject (user, group, or service account). A RoleBinding to a ClusterRole grants only namespace-scoped permissions in the binding's namespace — a subtle distinction the exam exploits.
- Service account default behavior: Kubernetes automatically mounts a service account token into every pod. For the CKS, you should know how to disable this with automountServiceAccountToken: false and why it matters for least-privilege security.
- Audit RBAC with kubectl: Use kubectl auth can-i --list --as=system:serviceaccount:namespace:sa-name to enumerate permissions for a service account. The exam may ask you to identify over-privileged service accounts and remediate them.
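The four object types above, put together into a least-privilege setup, as an added example (not from the article): a service account that does not auto-mount its token, a namespaced Role limited to reading ConfigMaps, a RoleBinding attaching it, and a second RoleBinding that references the built-in `view` ClusterRole to show the namespace-scoping subtlety from the list. The namespace `payments` and the object names are assumptions for the example.

```yaml
# Constructed example: least-privilege RBAC for a workload that only needs to
# read ConfigMaps in its own namespace. Namespace and names are assumed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: config-reader
  namespace: payments
automountServiceAccountToken: false   # pods opt in explicitly if they need a token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                            # namespace-scoped
metadata:
  name: configmap-reader
  namespace: payments
rules:
  - apiGroups: [""]                   # "" is the core API group
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]   # no "*", no "secrets", no write verbs
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: config-reader-binding
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: config-reader
    namespace: payments
roleRef:
  kind: Role
  name: configmap-reader
  apiGroup: rbac.authorization.k8s.io
---
# A RoleBinding can reference a ClusterRole, but the grant is still confined
# to the binding's namespace: this gives "view" in payments only, not cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: config-reader-view
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: config-reader
    namespace: payments
roleRef:
  kind: ClusterRole                   # built-in aggregated read-only role
  name: view
  apiGroup: rbac.authorization.k8s.io
```

Check the result the way the exam expects, with the command from the list above: `kubectl auth can-i get configmaps -n payments --as=system:serviceaccount:payments:config-reader` should answer `yes`, `kubectl auth can-i get secrets -n payments --as=system:serviceaccount:payments:config-reader` should answer `no` (the `view` ClusterRole deliberately excludes secrets), and the same `get pods` query with `-n kube-system` should also answer `no`, which demonstrates that the ClusterRole-via-RoleBinding grant never left the `payments` namespace. A pod that does need the token sets `automountServiceAccountToken: true` in its own spec, overriding the service account default.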
Building a Lab Environment
The CKS is unpassable without extensive hands-on practice. Use killer.sh (included free with your CNCF exam registration — two sessions) as your primary simulator. It is deliberately harder than the real exam, so scoring above 60% on killer.sh is a strong predictor of passing. For daily practice, provision a two-node cluster using kubeadm on any cloud provider or locally using VMs.
Bookmark the Kubernetes documentation, the Falco rules documentation, and the Trivy CLI reference — these are the only external resources permitted during the exam. Practice navigating them quickly under time pressure. See our certification prep blog for CKA and CKAD guides that build the foundation you need before tackling the CKS.