Errata

Certified Kubernetes Security Specialist (CKS) Study Guide

The errata list is a list of errors and their corrections that were found after the product was released. If the error was corrected in a later version or reprint, the date of the correction will be displayed in the column titled "Date Corrected".

The following errata were submitted by our customers and approved as valid errors by the author or editor.

Version Location Description Submitted By Date submitted Date corrected
Page Protecting Node Metadata and Endpoints
Table 2-1. Inbound control plane node ports

The Kubernetes API server port is 6443, not 6643.

See kubernetes.io/docs/reference/networking/ports-and-protocols/#control-plane

Chris Devine  Nov 13, 2023 
Page Cluster Setup: Exam Essentials
5th paragraph

"Know where to find the hash file and how to use a validation tool to identify if the binary has been tempered with" should read "been tampered with."

Chris Devine  Nov 13, 2023 
Page 25, Creating the TLS Certificate and Key
First paragraph of section, the openssl req command

The cert is created for domain accounting.tls with the command:

openssl req -nodes -new -x509 -keyout accounting.key -out accounting.crt \
-subj "/CN=accounting.tls"

Then later the certificate is used for an ingress accessed with a different domain name, accounting.internal.acme.com:

kubectl create ingress accounting-ingress \
--rule="accounting.internal.acme.com/*=accounting-service:80,tls=accounting-secret" \
-n t75

For better consistency, the certificate should be created with domain name accounting.internal.acme.com:

openssl req -nodes -new -x509 -keyout accounting.key -out accounting.crt \
-subj "/CN=accounting.internal.acme.com"

Carlos Santana  Jan 11, 2024 
Page Configuring the ImagePolicyWebhook Admission Controller Plugin
4th paragraph

The first paragraph of the section mentions the creation of the "image-policy-webhook-admission-config.yaml" file:
"Create the file /etc/kubernetes/admission-control/image-policy-webhook-admission-config.yaml and populate it with the content shown in Example 6-9."

In the fourth paragraph, the file is incorrectly referred to as "image-policy-webhook-admission-configuration.yaml":
"Find the command line option --enable-admission-plugins and append the value ImagePolicyWebhook to the existing list of plugins, separated by a comma. Provide the command line option --admission-control-config-file if it doesn’t exist yet, and set the value to /etc/kubernetes/admission-control/image-policy-webhook-admission-configuration.yaml"

Not a big issue and anybody following along can easily know what the instructions mean and which file is actually being referred to.

dennis  Oct 07, 2024 
Page 61
Worker node column

"version" is misspelled under the Worker node section, 2nd step, "Install new kubeadm vesrion"

Note from the Author or Editor:
This is a typo in Figure 3-4.

Reynaldo Linares  Oct 20, 2025 
Page 74
2nd paragraph

In the sentence "The process is currently managed by a server", I believe the correct word should be "service" instead of "server", since the following line states "You can review the status of a service".

Reynaldo Linares  Oct 20, 2025