What is Kubernetes security?

Kubernetes security encompasses the practices, tools, and configurations used to protect Kubernetes clusters, workloads, and data. It includes authentication, authorization (RBAC), network policies, pod security standards, secrets management, and runtime security.

What is the CKS certification?

The Certified Kubernetes Security Specialist (CKS) is a CNCF certification that validates expertise in securing Kubernetes clusters. It covers cluster setup and hardening, system hardening, minimizing microservice vulnerabilities, and supply chain security.

What are Kubernetes network policies?

Network policies are Kubernetes resources that control pod-to-pod and pod-to-external traffic. They act as a firewall for your cluster, allowing you to specify which pods can communicate with each other based on labels, namespaces, and ports.

What are Pod Security Standards?

Pod Security Standards (PSS) are predefined security profiles that define different levels of pod security restrictions: Privileged (unrestricted), Baseline (minimally restrictive to prevent known privilege escalations), and Restricted (heavily restricted following security best practices).

What is RBAC in Kubernetes?

Role-Based Access Control (RBAC) is a Kubernetes authorization mechanism that regulates access to resources based on user roles. It uses Role, ClusterRole, RoleBinding, and ClusterRoleBinding resources to define and assign permissions to users and service accounts.

How do I secure etcd in Kubernetes?

Secure etcd by enabling encryption at rest for secrets, using TLS for client-server communication, restricting access to etcd endpoints via firewall rules, enabling authentication, and running regular backups. etcd stores all cluster data including secrets.

What is a container escape attack?

A container escape attack occurs when a process breaks out of container isolation to access the host system or other containers. Common vectors include privileged containers, hostPath mounts, and kernel exploits. Mitigate with Pod Security Standards and seccomp profiles.

What tools are used for Kubernetes security scanning?

Popular Kubernetes security tools include Trivy (vulnerability scanning), Falco (runtime security), kube-bench (CIS benchmarks), OPA Gatekeeper and Kyverno (policy enforcement), Kubescape (security posture), and Cosign (image signing).

CKS Study Plan

Three sequenced roadmaps — 30, 60, or 90 days — for preparing for the Certified Kubernetes Security Specialist exam. Each block names the domain, the practical work, and the articles on this site to read.

Last reviewed: April 27, 2026

Pick the Right Plan

Match the plan to how much time per day you can realistically commit.

Plan	Daily commitment	Best for
30-day	2–3 hours/day, including weekends	Existing CKA holders comfortable with kubectl, NetworkPolicy, and RBAC; need a focused security cram
60-day	1–1.5 hours/day	Recommended default — works alongside a full-time job and leaves time for hands-on lab work
90-day	45–60 minutes/day	Newer to security primitives; want time to build labs, read official docs, and absorb the supply-chain stack

Active CKA is required. If you do not yet hold the CKA, pass it first — it is a registration prerequisite for the CKS. See the CKS vs CKA vs CKAD comparison.

Lab Setup — Do This Once Before Day 1

Spin up a local multi-node cluster — kind, k3d, or minikube with at least one worker. The exam environment uses real nodes, so a single-node setup is not enough for NetworkPolicy and PSA practice.
Install kubectl, kube-bench, Trivy, Falco, and Cosign. You will use all of them in the exam.
Configure shell aliases up front: alias k=kubectl, source <(kubectl completion bash), and a --dry-run=client -o yaml snippet for fast manifest generation.
Bookmark the kubernetes.io documentation pages for NetworkPolicy, Pod Security Admission, RBAC, AuditPolicy, RuntimeClass, ServiceAccount, and ImagePolicyWebhook — these are the most often-referenced during the exam.

30-Day Plan (Intensive)

Week 1 — Cluster Setup & Hardening (Domains 1, 2)

Day 1–2: Foundations and CIS

Kubernetes Security Fundamentals — request lifecycle (auth → authz → admission)
CIS Benchmark for Kubernetes
Running kube-bench— practice on your local cluster

Day 3–4: API server and admission control

Day 5–6: NetworkPolicy

Network Policies— write default-deny + targeted allow policies
Cilium or Calico — pick one and install

Day 7: RBAC and ServiceAccounts

Week 2 — Pod Security & System Hardening (Domain 3 + Pod Security)

Day 8–9: Pod Security Admission

Pod Security Standards
Practice labeling namespaces with pod-security.kubernetes.io/enforce=restricted

Day 10–11: Linux capabilities and seccomp

Day 12: AppArmor

AppArmor Profiles — write, load, and attach a profile

Day 13–14: Sandboxing and host hardening

Week 3 — Microservice & Supply Chain (Domains 4, 5)

Day 15–16: Image hardening

Microservice security overview
Practice with a distroless or minimal UBI base image; non-root user; read-only root filesystem

Day 17–18: Vulnerability scanning

Day 19–20: SBOM and signing

Understanding SBOM
Syft
Cosign — sign and verify an image end-to-end

Day 21: Admission verification

Wire Cosign verification through Kyverno verifyImages and block an unsigned image

Week 4 — Runtime, Audit & Final Drills (Domain 6)

Day 22–23: Audit logging

Kubernetes audit logging — write a policy file and verify events appear

Day 24–25: Runtime detection

Falco — install, write a custom rule, trigger an alert
Tetragon — read at minimum

Day 26–27: Secrets and etcd

Secrets management
etcd security — KMS v2 encryption at rest

Day 28–30: Final drills

Practice questions — full set, twice
Cheat sheet — print and rehearse the YAML skeletons under timer
YAML Analyzer — paste workloads from real repositories and explain every finding

60-Day Plan (Recommended)

Same six domains, with breathing room. Each week below covers half what the 30-day plan covers in one week — leaving time for lab work, recap, and kubernetes.io reading.

Week	Focus	Outcome
1	Fundamentals — auth, RBAC, admission lifecycle	Mental model of every API request path
2	Cluster Setup — CIS, kube-bench, API server flags	kube-bench score above 80% on a fresh cluster
3	NetworkPolicy + CNI choice	Default-deny applied across two namespaces
4	RBAC + ServiceAccount hardening	ClusterRole with no wildcards; SA token automount disabled by default
5	Pod Security Admission + capabilities	Restricted profile applied to dev / prod namespaces; capabilities dropped
6	System Hardening — seccomp, AppArmor, sandboxing	Custom AppArmor profile loaded; seccomp `RuntimeDefault` verified
7	Microservice + image hardening	Distroless image with non-root + read-only root FS
8	Supply chain — Trivy, Syft, Cosign	SBOM + signed image + admission verification
9	Audit logging + Falco	Custom audit policy + custom Falco rule
10	Secrets, etcd, KMS v2	Encryption at rest verified; rotated KEK
11	Practice questions + targeted weak-spot review	Score above 80% on the practice set
12	Mock exam under 2-hour timer + cheat-sheet rehearsal	Confident on every domain; sit the exam

90-Day Plan (Thorough)

Cover the same material but with one month per domain group, which gives time to read official kubernetes.io docs in depth and build small projects rather than just running through tutorials.

Month 1 — Foundations & Cluster Hardening

Fundamentals — full section, two passes (week 1 and week 4)
Cluster Setup & Hardening — every subsection: CIS, API server, control plane, network, node, pod, RBAC, secrets, configuration validation
Project: deploy a hardened kubeadm cluster, score it with kube-bench, document each finding and fix

Month 2 — System Hardening, Microservice, Supply Chain

System Hardening — capabilities, seccomp, AppArmor, sandboxing, sysctls
Microservice security — base images, SAST, SCA, secret handling
Supply chain — SBOM with Syft, scanning with Trivy, signing with Cosign, admission verification with Kyverno
Project: CI pipeline that builds a distroless image, emits an SBOM, signs with Cosign, and is verified at admission by Kyverno

Month 3 — Runtime, Drilling, Mock Exams

Monitoring, Logging, Runtime Security — audit logging, Falco, Tetragon, Tracee
Attack vectors — read every category and pair each with its mitigation
Practice questions — full set, three passes spaced over the month
Two timed mock exams in the final week using the cheat sheet and YAML skeletons under a real timer

Day-Before Checklist

Run the official PSI compatibility check on the same machine and network you will use during the exam.
Re-read the cheat sheet end to end. Practice typing the NetworkPolicy and seccomp YAML skeletons from memory.
Verify your photo ID, charge your laptop, and clear the desk and walls of any notes, monitors, or paper.
Rehearse your shell setup: aliases, kubectl completion, and --dry-run=client -o yaml snippets.
Sleep. Hydration matters more than one extra hour of revision.

Print the cheat sheet and start drilling questions.

Open the CKS Cheat Sheet Practice Questions