CNCF · 2026 Edition
A complete preparation guide written by CNCF-certified engineers. Covers the exam format, all 8 blueprint domains, a week-by-week study plan, and proven tips for passing first time.
Prep time: 2–3 months
Difficulty: Advanced
Format: Hands-on lab
Exam code: CKS
Full name: Certified Kubernetes Security Specialist
Vendor: CNCF
Duration: 120 minutes
Exam format: Performance-based lab (no multiple-choice)
Domains covered: 8 blueprint domains
Recommended experience: Active CKA certification required before sitting CKS
Typical prep time: 2–3 months
CKS (Certified Kubernetes Security Specialist) is the most advanced Kubernetes credential. It validates the ability to secure Kubernetes clusters and workloads in production — a hands-on, performance-based exam set in live clusters.
Domain percentage weights are not currently available for this exam. The checklist below is still useful for planning your study.
Performance-based exam
The real CKS exam is entirely performance-based — you harden, monitor, and secure a live Kubernetes cluster. There are no multiple-choice questions. Courseiva practice questions cover the security concepts tested, but hands-on lab practice with Pod Security Standards, RBAC, NetworkPolicies, and Falco is still required.
Weeks 1–2
Cluster Setup (10%): CIS benchmarks, network policies, kube-bench, API server flags
Tip: kube-bench is the tool used to check Kubernetes clusters against CIS benchmarks. Know how to run it and interpret its output: PASS (compliant), FAIL (non-compliant with remediation suggestion), WARN (manual check required). CKS exam tasks often ask you to remediate a specific kube-bench finding.
Weeks 3–4
Cluster Hardening (15%) and System Hardening (15%): RBAC, API restrictions, kernel hardening
Tip: AppArmor and seccomp profiles are both tested on CKS. Know how to: load an AppArmor profile (apparmor_parser -r -W /etc/apparmor.d/profile), apply it to a pod (annotations: container.apparmor.security.beta.kubernetes.io/name: localhost/profile, where name is the container's name and profile is the name of the loaded profile), and apply a seccomp profile (securityContext.seccompProfile.type: Localhost, localhostProfile: path.json).
Weeks 5–6
Minimize Microservices Vulnerabilities (20%): OPA/Gatekeeper, admission controllers, pod security
Tip: Pod Security Admission (PSA) replaced Pod Security Policy in Kubernetes 1.25. Know the three PSA levels: Privileged (no restrictions), Baseline (minimal restrictions, blocks privileged containers), Restricted (heavily restricted, requires non-root, read-only filesystem, no privilege escalation). Know how to apply a PSA label to a namespace.
Weeks 7–8
Supply Chain Security (20%) and Runtime Security (20%): image scanning, Falco, audit logs
Tip: Falco is the primary runtime threat detection tool tested on CKS. Know how to read a Falco rule: rule (name), condition (when the rule fires — uses Falco filter syntax), output (alert message), priority (ERROR, WARNING, NOTICE). CKS tasks ask you to create or modify Falco rules to detect specific behaviours.
CKS requires an active (not expired) CKA certification. If your CKA is close to expiring, renew or complete CKA before registering for CKS.
Trivy is the container image scanning tool tested on CKS. Know how to: scan an image for vulnerabilities (trivy image nginx:latest), scan with a severity filter (--severity HIGH,CRITICAL), output to a JSON file (--format json). Tasks ask you to scan an image and identify or fix vulnerabilities above a certain severity.
Kubernetes audit logs record every API call made to the cluster. Know how to configure an audit policy (specify which API groups, resources, and verbs to log at which level: None, Metadata, Request, RequestResponse), and how to enable audit logging in the API server manifest.
ImagePolicyWebhook is an admission controller that can reject pods that use images not from an approved registry. Know how to configure it: create a webhook configuration file, configure the API server with --admission-control-config-file, and understand the webhook request/response format.
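The ImageReview request/response exchange mentioned above, as an added example that is not part of the original guide: a minimal decision function for an ImagePolicyWebhook backend. The allow-list, the registry name and the sample request are constructed assumptions.

```python
# Added example: decision logic for an ImagePolicyWebhook backend.
# The allow-list and the sample request below are constructed for illustration.
APPROVED_REGISTRIES = frozenset({"registry.example.internal"})  # hypothetical


def registry_of(image: str) -> str:
    """Return the registry host of an image reference."""
    # A reference with no explicit host (nginx:latest, library/nginx) is
    # pulled from Docker Hub, so it must not slip past the allow-list.
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"


def review(image_review: dict, approved=APPROVED_REGISTRIES) -> dict:
    """Build the ImageReview response for a request sent by the API server."""
    images = [c.get("image", "") for c in
              image_review.get("spec", {}).get("containers", [])]
    denied = [i for i in images if registry_of(i) not in approved]
    # Deny unless every image is approved; an empty review is also denied.
    status = {"allowed": bool(images) and not denied}
    if denied:
        status["reason"] = "not from an approved registry: " + ", ".join(denied)
    elif not images:
        status["reason"] = "no container images in review"
    return {"apiVersion": "imagepolicy.k8s.io/v1alpha1",
            "kind": "ImageReview",
            "status": status}


# Constructed request in the shape the API server POSTs to the webhook.
SAMPLE_REQUEST = {
    "apiVersion": "imagepolicy.k8s.io/v1alpha1",
    "kind": "ImageReview",
    "spec": {
        "namespace": "default",
        "containers": [
            {"image": "registry.example.internal/team/app:1.4.2"},
            {"image": "nginx:latest"},
        ],
    },
}

if __name__ == "__main__":
    print(review(SAMPLE_REQUEST))
```

In the admission configuration file, set defaultAllow: false so the API server rejects pods when the webhook cannot be reached.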
CKS is valid for 2 years. The exam is taken in the same live terminal environment as CKA. Open-book access is the same: kubernetes.io/docs, kubernetes.io/blog, helm.sh/docs, and additionally github.com/falcosecurity/falco for Falco documentation.