"The Certified Kubernetes Security Specialist (CKS) program provides assurance that a CKS has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime. "
Prerequisites-
- You must have active CKA certification to appear for CKS.
- The syllabus can be found here.
- From me- Bash, VIM, be fast.
Personally, I felt like the syllabus was less, as I had already worked on app-armour, secomp, Falco, and Security contexts in my day-to-day job. The exam format is such that only those candidates who are good with time management and quick at solving questions can clear it. You will get 15-18 questions to solve within 120 minutes. You have to score 67% to clear the exam. The exam is easy; had it been 3 hours long, everyone could score full marks.
TIPS-
- Control C/P will not work. Instead, ctrl insert and shift insert. Replace your insert key near your ctrl key. I replaced it with f1 so my left hand can be busy with copy-paste and my right hand for navigation.
- Remember to search/replace strings using vim.
- :se nu and move to a specific line in vim.
- Most of the time in the exam, you might have to modify the Kube-apiserver configuration. Please keep a copy of that before modifying it.
- There is a total of 3 clusters; in one cluster, there may be multiple questions. If you mess up the configuration file without backup, the whole cluster will disappear, and you won't be able to attempt many questions.
- First, solve questions that can fetch you maximum marks within less timeāfor example, questions involving applying app-armor or seccomp profile, applying runtime class or Image policy webhook will help you score more marks quickly.
- Remember the configuration files instead of searching one-by-one in kubeadm setup, /etc/kubernetes/manifest/ for control-plane components, /var/lib/kubelet/config.yaml for kubelet config.
- Try to create RBAC in an imperative way, For ex-
- Remember app-armour, seccomp and falco config paths. /etc/apparmor.d , /var/lib/kubelet/seccomp/ ,/etc/falco/ respectively.
- Don't try to fix many errors in the yaml file; instead, create a new yaml template that can help save a few minutes.
- You can use any course from either killer.sh or kodecloud to prepare for the exam. Both have almost identical content.
- Bonus tip: As you know, in the exam, you can refer to certain allowed links. Hence, I am sharing my bookmarks here.
Soon I am going to write a blog series on Kubernetes security. So, stay tuned.
