What is the CKS certification?

The Certified Kubernetes Security Specialist (CKS) is a CNCF / Linux Foundation certification that validates expertise in securing container-based applications and Kubernetes platforms during build, deployment, and runtime. It is performance-based and proctored online.

Is CKA required to take the CKS exam?

Yes. An active Certified Kubernetes Administrator (CKA) certification is a prerequisite for the CKS — you cannot register or sit for the exam without one.

What is the CKS pass score?

The CKS exam pass score is 67%. The exam is performance-based and uses a hands-on terminal in a live cluster.

How long is the CKS exam?

The CKS exam is 2 hours long and contains roughly 15-20 performance-based tasks across the six domains.

Can I retake the CKS exam if I fail?

Yes. Each CKS registration includes one free retake, which must be taken within 12 months of the original registration date.

What is Kubernetes security?

Kubernetes security encompasses the practices, tools, and configurations used to protect Kubernetes clusters, workloads, and data. It includes authentication, authorization (RBAC), network policies, pod security standards, secrets management, and runtime security.

What is the CKS certification?

The Certified Kubernetes Security Specialist (CKS) is a CNCF certification that validates expertise in securing Kubernetes clusters. It covers cluster setup and hardening, system hardening, minimizing microservice vulnerabilities, and supply chain security.

What are Kubernetes network policies?

Network policies are Kubernetes resources that control pod-to-pod and pod-to-external traffic. They act as a firewall for your cluster, allowing you to specify which pods can communicate with each other based on labels, namespaces, and ports.

What are Pod Security Standards?

Pod Security Standards (PSS) are predefined security profiles that define different levels of pod security restrictions: Privileged (unrestricted), Baseline (minimally restrictive to prevent known privilege escalations), and Restricted (heavily restricted following security best practices).

What is RBAC in Kubernetes?

Role-Based Access Control (RBAC) is a Kubernetes authorization mechanism that regulates access to resources based on user roles. It uses Role, ClusterRole, RoleBinding, and ClusterRoleBinding resources to define and assign permissions to users and service accounts.

How do I secure etcd in Kubernetes?

Secure etcd by enabling encryption at rest for secrets, using TLS for client-server communication, restricting access to etcd endpoints via firewall rules, enabling authentication, and running regular backups. etcd stores all cluster data including secrets.

What is a container escape attack?

A container escape attack occurs when a process breaks out of container isolation to access the host system or other containers. Common vectors include privileged containers, hostPath mounts, and kernel exploits. Mitigate with Pod Security Standards and seccomp profiles.

What tools are used for Kubernetes security scanning?

Popular Kubernetes security tools include Trivy (vulnerability scanning), Falco (runtime security), kube-bench (CIS benchmarks), OPA Gatekeeper and Kyverno (policy enforcement), Kubescape (security posture), and Cosign (image signing).

CKS Exam Guide

Everything you need to register, prepare, and pass the Certified Kubernetes Security Specialist exam — format, cost, retake policy, prerequisites, and how to get a voucher at a discount.

Last reviewed: April 27, 2026

What the CKS Is

The Certified Kubernetes Security Specialist (CKS) is a certification offered by the Cloud Native Computing Foundation and administered by the Linux Foundation. It validates that the holder has the skills to secure container-based applications and Kubernetes platforms during build, deployment, and runtime.

It is the third tier in the Kubernetes certification track: CKAD for application developers, CKA for cluster operators, and CKS for security specialists. See the CKS vs CKA vs CKAD comparison for a breakdown of which to take in which order.

Exam Format

Attribute	Value
Format	Performance-based — hands-on terminal in a live cluster
Duration	2 hours
Number of tasks	Approximately 15–20
Pass score	67%
Delivery	Online, remotely proctored via PSI
Validity	2 years from the date you pass
Allowed reference	kubernetes.io documentation, kubernetes.io/blog, and a small set of sub-domains (Trivy, Falco, AppArmor, etc.) — verify the current list on the exam handbook
Languages	English, Japanese
Prerequisite	Active CKA certification

Always verify the latest format, exam version, and tooling on the official Linux Foundation CKS page. The exam tracks the current Kubernetes minor and is refreshed each cycle.

The Six Exam Domains

The CKS curriculum is split into six weighted domains. Each one maps to a full section of this site — start with the one with the highest weight if you are time-boxed.

#	Domain	Weight	Where to study
1	Cluster Setup	15%	Cluster Setup and Hardening
2	Cluster Hardening	15%	Cluster Setup and Hardening
3	System Hardening	10%	System Hardening
4	Minimize Microservice Vulnerabilities	20%	Microservice Security
5	Supply Chain Security	20%	Supply Chain Security
6	Monitoring, Logging & Runtime Security	20%	Monitoring, Logging, and Runtime Security

The three highest-weighted domains — Microservice Vulnerabilities, Supply Chain, and Monitoring/Runtime — together make up 60% of the exam. If you are short on time, prioritise those.

Cost and Vouchers

Standard registration is the same as the other CNCF Kubernetes certifications. Always check the official CKS page for the current price — Linux Foundation pricing changes periodically.

How to pay less

Black Friday and CKS Day promotions. The Linux Foundation runs storewide discounts (often 30–50% off) on Black Friday, Cyber Monday, and at recurring CNCF community events. Add the cert to a wishlist and wait if your timeline allows.
Kubernetes Fundamentals (LFS258) bundle. Bundling the cert with the official prep course is usually cheaper than buying both separately.
KubeCon attendee voucher. KubeCon + CloudNativeCon attendees frequently get a discount code in their registration email.
Employer reimbursement. Many engineering organisations reimburse CNCF certifications under their training budget — check before paying personally.
CNCF community discounts. Some CNCF projects, ambassadors, and meetup organisers receive vouchers to distribute. Active community members occasionally get them this way.

Beware of unofficial voucher resellers. Codes sold on third-party marketplaces are often expired, region-locked, or already redeemed. Buy through the official Linux Foundation store or a verified CNCF event.

Retake Policy

Each registration includes one free retake.
The retake must be taken within 12 months of the original exam registration date — not the date you sat for it.
There is no mandatory waiting period between attempts; you can schedule the retake as soon as you are ready.
If you fail both attempts, you must purchase a new exam to try again.
The exam will be the current published version at the time of each attempt — if Kubernetes minors changed between your registrations, the retake may target a newer version.

Recertification

CKS is valid for 2 years from the date you pass. To stay certified, retake the current exam before it expires. Linux Foundation announces curriculum changes well in advance — review the official curriculum repository before sitting a recert.

Exam-Day Logistics

Photo ID. A government-issued photo ID with your name in Latin characters is required at check-in. Make sure the name on your ID matches the name on your Linux Foundation account.
Test environment. Quiet, private room. Walls and desk are inspected via webcam. No second monitor, no notes, no phone within reach.
Hardware. A reliable laptop with a working webcam and microphone, wired or strong wi-fi, and a power source that will last 2.5+ hours. Run the official compatibility check before exam day.
Browser. The exam runs in a remote terminal embedded in Chrome or Chromium. Disable extensions and clear notifications before you start.
Allowed tabs. One additional tab is allowed for kubernetes.io and the explicitly permitted reference domains. Familiarise yourself with the exact list before the exam.
kubectl autocomplete and aliases. Set up your shell aliases (k=kubectl, completion, dry-run helpers) at the start of the exam — every minute counts.

How to Prepare on This Site

Pick a plan: the 30/60/90-day study plan sequences the domains and links to the most exam-relevant articles.
Drill questions: CKS Practice Questions covers the same domains as the exam in multiple-choice form.
Print the cheat sheet: CKS Cheat Sheet is a one-page reference for kubectl, NetworkPolicy, RBAC, seccomp, and other CKS essentials.
Validate manifests: the YAML Security Analyzer runs the same static checks the exam expects you to apply by hand.
Run the official simulator: killer.sh is the official CKS exam simulator from Killer Shell GmbH and is bundled free with every exam purchase — two sessions of 36-hour access each. The simulator is intentionally harder than the real exam and runs on the identical PSI environment, so finishing it comfortably is the strongest signal you are ready. Save the second session for the days right before your scheduled attempt.

Ready to start studying?

Open the 30/60/90-Day Study Plan Practice Questions