Certified Kubernetes Security Specialist (CKS) Crash Course
Published by O'Reilly Media, Inc.
In-depth and hands-on practice for acing the exam
Vulnerabilities in software and IT infrastructure, if exploited, can pose a major threat to organizations. The Cloud Native Computing Foundation (CNCF) developed the Certified Kubernetes Security Specialist (CKS) certification to verify a Kubernetes administrator’s proficiency in protecting a Kubernetes cluster and the cloud native software operated in it. The exam is different from the typical multiple-choice format of other certifications. It’s based on performance and requires deep knowledge of the tasks at hand—under intense time pressure. Are you ready to pass the test on the first go?
Join expert Ben Muschko to dive into all the topics covered in the exam curriculum, so you’ll be fully prepared to pass the test. You’ll also benefit from Ben’s personal experience with preparing for all aspects of the exam.
What you’ll learn and how you can apply it
By the end of this live online course, you’ll understand:
- How to identify threats to cloud native applications and Kubernetes clusters, and how to mitigate and/or minimize them
- Objectives, abilities, and tips and tricks (like time management, navigating the exam environment, and the type of questions to expect) needed to pass the CKS exam
- The ins and outs of the kubectl command line tool, as well as tools for security purposes
And you’ll be able to:
- Demonstrate competency to perform the responsibilities of a Kubernetes administrator or application developer with a security viewpoint
- Solve real-world Kubernetes problems in a hands-on, command-line environment
- Effectively navigate and solve questions during the CKS exam
This live event is for you because...
- You’re a Kubernetes practitioner.
- You work with Kubernetes and want to advance your experience in its security aspects.
- You want to become CKS-certified.
Prerequisites
- A Unix environment and a command-line-based text editor (Vim is recommended)
- A computer with access to a Kubernetes cluster—local or remote, version 1.22 or higher (the recommended setup is to install minikube and kubectl)
- A machine with Vagrant and VirtualBox installed
- A working knowledge of containers (Docker, in particular)
- Familiarity with a Unix environment and with bash commands
- Knowledge of the YAML format
- Administrator-level understanding of Kubernetes concepts and the resources API (optimally, you are already CKA-certified)
Recommended preparation:
- Explore the CKS Candidate Handbook
- Take Introduction to Kubernetes (live online course with Sébastien Goasguen) or Kubernetes in 4 Hours (live online course with Sander van Vugt)
Recommended follow-up:
- Read Certified Kubernetes Administrator (CKA) Study Guide (book)
- Read Certified Kubernetes Administrator (CKAD) Study Guide (book)
- Read Kubernetes Up & Running, second edition (book)
- Read Kubernetes Patterns (book)
Schedule
The time frames are only estimates and may vary according to how the class is progressing.
Day 1
Exam details and resources (55 minutes)
- Presentation: Introduction to the course; exam objectives and curriculum; candidate skills and exam environment; time management; tips and tricks; additional resources; practice exams
- Group discussion: What’s your main learning objective?
- Q&A
- Break
Cluster setup (80 minutes)
- Presentation: Defining network security policies; reviewing security configuration of Kubernetes components; Ingress with security control; protecting node metadata and endpoints; minimizing GUI access; verifying platform binaries before a deployment
- Hands-on exercises: Implement network security policy best practices; configure Ingress with TLS access; scan platform binaries
- Q&A
- Break
Cluster hardening (55 minutes)
- Presentation: Restricting access to the Kubernetes API; using role-based access control (RBAC) for access control; service account best practices; updating Kubernetes frequently
- Hands-on exercises: Configure access to the Kubernetes API; use RBAC; minimize default permissions
- Q&A
- Break
System hardening (50 minutes)
- Presentation: Minimizing host OS footprint; minimizing IAM roles; minimizing external network access; using kernel hardening tools
- Hands-on exercises: Reduce IAM roles; configure network access
- Q&A
Day 2
Minimizing microservices vulnerabilities (80 minutes)
- Presentation: Setting up OS-level security domains; managing Kubernetes secrets; using container runtime sandboxes; implementing pod-to-pod encryption
- Hands-on exercises: Configure security domains; configure and use secrets; configure mTLS
- Q&A
- Break
Supply chain security (80 minutes)
- Presentation: Minimizing base image footprint; signing and validating images from whitelisted registries; static analysis of workload files; scanning images for vulnerabilities
- Hands-on exercises: Produce the smallest possible base image size; image supply chain in practice; scan Kubernetes resources and Dockerfiles; scan an image with vulnerabilities
- Q&A
- Break
Monitoring, logging, and runtime security (75 minutes)
- Presentation: Detecting malicious activities on the host and container level; detecting threats and the phases of attack; performing deep analytical investigation; ensuring immutability of containers at runtime; using audit logs to monitor access
- Hands-on exercises: Attack detection by example; configure and verify container immutability; monitor access by audit logs
- Q&A
Wrap-up (5 minutes)
Your Instructor
Benjamin Muschko
Benjamin Muschko is a software engineer, consultant, and trainer with more than 20 years of experience in the industry. He specializes in cloud-native application development and transformation, container solutions, DevSecOps, and Continuous Integration/Continuous Delivery implementations. Ben is an author, a frequent speaker at conferences, and an avid open source advocate.