🚀 Journey to the Golden Kubestronaut (5/15): CKS Passed, Kubestronaut Qualification Achieved! (feat. A Thorough Analysis of the Latest 2025 Exam Trends)

Hello everyone! This is gasbugs, continuously striving towards becoming a ‘Golden Kubestronaut’. I have finally obtained the CKS (Certified Kubernetes Security Specialist) certification, the fifth gateway and one of the most important milestones on this journey! 🥳

With this CKS pass, I have officially achieved the ‘Kubestronaut’ qualification recognized by the CNCF. Reaching this first goal by collecting all five certifications (CKA, CKAD, CKS, KCNA and KCSA) feels genuinely fresh. It has been a whopping 6 years since I obtained the CKA. Of course, there is still a long way to go before becoming a ‘Golden’ Kubestronaut by collecting all 15, but I can’t hide my pride at having cleared a significant hurdle! I’m told the email arrives within a week, after which I’ll need to register it. Currently, 80 people in South Korea hold this qualification.


True to its name, the ‘security specialist’ exam went deep into the practical ability to build and operate Kubernetes clusters securely. Compared with my 2021 attempt, the change in the latest trends was unmistakable. Below is a detailed account of those intense two hours and the key exam points.

🔥 CKS in 2025 vs. 2021: What’s Changed!

First, the latest exam trends, which will interest those preparing for the CKS the most. The nature of the exam has changed quite a bit since 2021.

  • Significant increase in static pod modification problems: In the past, a high proportion of problems dealt with regular Pods or Deployments; now, directly modifying the static pod manifests under /etc/kubernetes/manifests, i.e. the control plane components themselves, has become central. Tasks requiring changes to the API server, scheduler and so on came up repeatedly.
  • New security features are now mandatory: Pod Security Standards (PSS) and ImagePolicyWebhook are almost guaranteed to appear. Beyond knowing the concepts, you must be able to apply them in a live environment and troubleshoot when they break.
  • Emphasis on container runtime security: Problems asked you to identify and remove exposure tied to the Docker socket (docker.sock). Understanding the security boundary between the host and the container runtime has become important.
  • Supply chain security (SBOM) problems have arrived: Problems reflecting current supply-chain trends, such as using the bom tool to extract an SBOM (Software Bill of Materials) and then identifying and addressing images that ship a specific package version, stood out.
  • Shift from the CKA domain: Cluster-management tasks such as Kubelet version upgrades on worker nodes, once typical of the CKA, seem to have moved into the CKS. The intent appears to be to evaluate the ability to keep the cluster itself secure and up to date.
  • Time pressure: The biggest change is having to solve demanding hands-on problems within a short two-hour window. With static pod modifications in particular, a small mistake can take down the whole cluster, so quick and accurate work matters more than ever.
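The static-pod edit that trips people up most is wiring ImagePolicyWebhook into the API server, because the kubelet restarts kube-apiserver the moment the manifest is saved and a wrong path leaves you without an API. The script below is an added example, not code from the exam or from this post's author: it writes the two admission files, prints the exact lines to add to the kube-apiserver manifest, and runs a pre-flight check before you touch the manifest. The directory /etc/kubernetes/admission, the webhook URL image-bouncer.example.internal and the certificate file names are assumptions.

```shell
#!/bin/sh
# ImagePolicyWebhook wiring for a kubeadm control plane (added example).
# Assumptions: admission files live under /etc/kubernetes/admission on the
# control-plane host and are mounted into the kube-apiserver container at the
# same path; the webhook endpoint and cert file names are hypothetical.
DIR_DEFAULT=/etc/kubernetes/admission
WEBHOOK_URL=https://image-bouncer.example.internal:1323/image_policy   # hypothetical

write_imagepolicy_config() {
  dir=${1:-$DIR_DEFAULT}
  mkdir -p "$dir"
  # Kubeconfig the API server uses to reach the webhook (client-cert auth).
  cat >"$dir/imagepolicy-kubeconfig.yaml" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: image-bouncer
  cluster:
    certificate-authority: $dir/webhook-ca.crt
    server: $WEBHOOK_URL
contexts:
- name: image-bouncer
  context:
    cluster: image-bouncer
    user: api-server
current-context: image-bouncer
users:
- name: api-server
  user:
    client-certificate: $dir/apiserver-client.crt
    client-key: $dir/apiserver-client.key
EOF
  # AdmissionConfiguration consumed via --admission-control-config-file.
  # defaultAllow: false is the whole point: if the webhook is down or times
  # out, images are rejected instead of being silently admitted.
  cat >"$dir/admission-config.yaml" <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: ImagePolicyWebhook
  configuration:
    imagePolicy:
      kubeConfigFile: $dir/imagepolicy-kubeconfig.yaml
      allowTTL: 50
      denyTTL: 50
      retryBackoff: 500
      defaultAllow: false
EOF
}

# Lines to add to /etc/kubernetes/manifests/kube-apiserver.yaml. Edit a copy
# outside the manifests directory and move it in once it is right; the kubelet
# restarts the static pod on every save.
apiserver_imagepolicy_edits() {
  dir=${1:-$DIR_DEFAULT}
  cat <<EOF
# under spec.containers[0].command:
    - --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook
    - --admission-control-config-file=$dir/admission-config.yaml
# under spec.containers[0].volumeMounts:
    - mountPath: $dir
      name: admission
      readOnly: true
# under spec.volumes:
  - name: admission
    hostPath:
      path: $dir
      type: DirectoryOrCreate
EOF
}

# Pre-flight check: plugin named, fail-closed, and the referenced kubeconfig
# really exists (a missing file means kube-apiserver will not start).
imagepolicy_config_ok() {
  f=$1
  grep -q '^kind: AdmissionConfiguration' "$f" || return 1
  grep -q 'name: ImagePolicyWebhook' "$f" || return 1
  grep -q 'defaultAllow: false' "$f" || return 1
  kc=$(sed -n 's/^ *kubeConfigFile: *//p' "$f")
  if [ -n "$kc" ] && [ -f "$kc" ]; then return 0; fi
  return 1
}
# After the restart: `crictl ps -a | grep apiserver` on the node, then
# `kubectl run probe --image=<disallowed image>` should be refused.
```

If the API server does not come back, the container log under /var/log/pods/kube-system_kube-apiserver-*/ names the flag or file it choked on; that is faster than guessing.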

πŸ›‘οΈ Key Challenges Faced in the Actual Exam

Recalling the main challenges I encountered, they are as follows. Problems that tested a comprehensive understanding across several layers of security dominated.

1. Cluster Setup & Hardening

  • Auditing: Setting up auditing to monitor all cluster activity was a staple. Writing the audit policy file yourself, wiring the policy and log path into the API server, and getting it to apply were all evaluated. 📜
  • Kubelet version upgrade: Practical skills in safely upgrading the Kubelet on a worker node of a kubeadm-built cluster to a specified version were verified.
  • Kubelet authentication/authorization: Problems involved switching the Kubelet’s authentication and authorization to Webhook mode and enabling the associated client-certificate settings, tightening the communication between nodes and the API server.
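For the auditing task, the two things that cost time are the policy file itself (rule order matters, and secrets must never be logged at RequestResponse) and the hostPath volumes the API server needs, since it runs in a container and cannot see the policy otherwise. The script below is an added example, not the exam's or the author's material: it writes a policy, prints the manifest additions, and offers two checks you can run before restarting anything. The policy path, log directory and the "prod" namespace are assumptions.

```shell
#!/bin/sh
# API server auditing on a kubeadm control plane (added example).
# Assumptions: policy at /etc/kubernetes/audit-policy.yaml, logs under
# /var/log/kubernetes/audit/, and a "prod" namespace under investigation.
POLICY_DEFAULT=/etc/kubernetes/audit-policy.yaml
LOG_DIR=/var/log/kubernetes/audit

write_audit_policy() {
  f=${1:-$POLICY_DEFAULT}
  cat >"$f" <<'EOF'
apiVersion: audit.k8s.io/v1
kind: Policy
# RequestReceived duplicates every event; dropping it halves the noise.
omitStages:
  - "RequestReceived"
rules:
  # First match wins. Keep secret/configmap bodies out of the log: Metadata only.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  # Full request and response bodies for pods in the namespace being watched.
  - level: RequestResponse
    namespaces: ["prod"]
    resources:
      - group: ""
        resources: ["pods"]
  # High-volume, read-only control-plane traffic is not worth storing.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  # Catch-all so nothing is silently unlogged.
  - level: Metadata
EOF
}

# Additions for /etc/kubernetes/manifests/kube-apiserver.yaml.
apiserver_audit_edits() {
  f=${1:-$POLICY_DEFAULT}
  cat <<EOF
# under spec.containers[0].command:
    - --audit-policy-file=$f
    - --audit-log-path=$LOG_DIR/audit.log
    - --audit-log-maxage=30
    - --audit-log-maxbackup=10
    - --audit-log-maxsize=100
# under spec.containers[0].volumeMounts:
    - mountPath: $f
      name: audit-policy
      readOnly: true
    - mountPath: $LOG_DIR
      name: audit-log
# under spec.volumes:
  - name: audit-policy
    hostPath:
      path: $f
      type: File
  - name: audit-log
    hostPath:
      path: $LOG_DIR
      type: DirectoryOrCreate
EOF
}

# Structural check: right API, kind, and a trailing catch-all rule (a rule
# that is only a level) so unmatched requests are still recorded.
audit_policy_ok() {
  f=$1
  grep -q '^apiVersion: audit.k8s.io/v1$' "$f" || return 1
  grep -q '^kind: Policy$' "$f" || return 1
  last=$(grep -v '^ *#' "$f" | grep -v '^ *$' | tail -n 1)
  case "$last" in
    *"- level: "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Exit 0 when some rule would write secret bodies to disk at RequestResponse.
secrets_logged_with_body() {
  awk '
    /^ *- level:/ { lvl = $3 }
    /secrets/ && lvl == "RequestResponse" { found = 1 }
    END { exit found ? 0 : 1 }
  ' "$1"
}
# After the restart, `tail -f /var/log/kubernetes/audit/audit.log` should show
# JSON events within seconds; an empty file usually means a policy parse error.
```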
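The two kubelet tasks above share a node and a restart, so here they are together as an added example (not the exam's or the author's code): a version-skew check before the upgrade, the kubeadm worker upgrade sequence, and a checker for the hardened kubelet configuration. It assumes Debian/Ubuntu nodes using the pkgs.k8s.io repositories (package versions of the form 1.31.2-1.1), ssh access to the node, and the kubeadm default config path /var/lib/kubelet/config.yaml.

```shell
#!/bin/sh
# Worker-node kubelet: skew check, upgrade, and config hardening (added example).
# Assumptions: Debian/Ubuntu nodes on pkgs.k8s.io (package revision "-1.1" is an
# assumption), ssh to the node, kubelet config at /var/lib/kubelet/config.yaml.

minor_of() { printf '%s' "$1" | sed 's/^v//' | cut -d. -f2; }

# Kubelet may trail kube-apiserver by up to three minor versions (skew policy
# since 1.28) and must never be newer than it.
kubelet_version_allowed() {   # apiserver_version kubelet_version
  api=$(minor_of "$1"); kl=$(minor_of "$2")
  if [ "$kl" -le "$api" ] && [ "$kl" -ge $((api - 3)) ]; then return 0; fi
  return 1
}

upgrade_worker_kubelet() {   # node target_version, e.g. node01 1.31.2
  node=$1; ver=$2; pkg="${ver}-1.1"
  apiver=$(kubectl get --raw /version | sed -n 's/.*"gitVersion": *"v\([0-9.]*\)".*/\1/p')
  kubelet_version_allowed "$apiver" "$ver" || { echo "kubelet $ver violates skew against apiserver $apiver" >&2; return 1; }
  kubectl drain "$node" --ignore-daemonsets --delete-emptydir-data
  # On the node: kubeadm first (it rewrites the local kubelet config for the new
  # version), then kubelet/kubectl, then restart. Re-hold so unattended
  # upgrades cannot move the packages later.
  ssh "$node" sh -s <<EOF
set -e
apt-mark unhold kubeadm && apt-get update && apt-get install -y kubeadm=$pkg && apt-mark hold kubeadm
kubeadm upgrade node
apt-mark unhold kubelet kubectl && apt-get install -y kubelet=$pkg kubectl=$pkg && apt-mark hold kubelet kubectl
systemctl daemon-reload && systemctl restart kubelet
EOF
  kubectl uncordon "$node"
  # Should print the target version once the node is Ready again.
  kubectl get node "$node" -o jsonpath='{.status.nodeInfo.kubeletVersion}{"\n"}'
}

# Hardening target in /var/lib/kubelet/config.yaml, then `systemctl restart kubelet`:
#   authentication.anonymous.enabled: false
#   authentication.webhook.enabled:   true
#   authentication.x509.clientCAFile: /etc/kubernetes/pki/ca.crt
#   authorization.mode:               Webhook
# Verify from the node: with anonymous off,
#   curl -sk -o /dev/null -w '%{http_code}\n' https://127.0.0.1:10250/pods
# returns 401 instead of answering the unauthenticated request.
kubelet_config_hardened() {
  awk '
    /^[A-Za-z]/            { top = $1; sub(":", "", top); sect = "" }
    /^  [A-Za-z0-9]+: *$/  { sect = $1; sub(":", "", sect) }
    top == "authentication" && sect == "anonymous" && /enabled: *false/   { anon_off = 1 }
    top == "authentication" && sect == "webhook"   && /enabled: *true/    { hook_on = 1 }
    top == "authentication" && sect == "x509"      && /clientCAFile: *\// { ca_set = 1 }
    top == "authorization"  && /mode: *Webhook/                           { authz = 1 }
    END { exit (anon_off && hook_on && ca_set && authz) ? 0 : 1 }
  ' "$1"
}
```

The skew check is there because the exam hands you a target version, not a guarantee that it is reachable from the current control plane; checking first is cheaper than draining a node for nothing.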

2. Workload & Runtime Security

  • Pod Security Standards (PSS): This required practical troubleshooting: spotting the pod-creation failure events in a namespace enforcing the restricted profile, then fixing the offending Security Context so the Deployment rolls out.
  • Dockerfile and Deployment security improvement: You had to find and fix weaknesses in both the image build and the deployment spec, such as changing USER root to a non-root USER in the Dockerfile and removing privileged settings from the Deployment. ✍️
  • Host path access control: One problem involved identifying a Deployment that mounted sensitive host paths such as /dev/mem and immediately scaling it to 0 to contain the threat. (This is presumed to be a scenario related to Falco rules.)
  • Docker socket security: Removing specific users from the docker group, whose members can effectively act as root on the host through the socket, was evaluated.
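The three workload items above (a restricted-profile fix, a sensitive hostPath hunt, and docker group clean-up) fit in one toolbox, shown here as an added example that is neither the exam's nor the author's code. The hostPath scan is a static check over Deployment specs rather than a Falco runtime rule, so it also catches workloads that are currently scaled to zero. The container name app, the uid 10001, the annotation key and the use of gpasswd are assumptions.

```shell
#!/bin/sh
# Workload remediation helpers (added example). Assumptions: kubectl has
# cluster-admin, the container to patch is named "app", uid 10001 is unused in
# the image, and the host is Debian-style (gpasswd available).

# stdin: one line per Deployment, "ns<TAB>name<TAB>/path1,/path2,", as produced
# by hostpath_report below. Prints "ns name path" for each sensitive mount.
flag_sensitive_hostpaths() {
  awk -F'\t' -v bad="/ /dev /proc /sys /etc /boot /root /var/lib/kubelet /var/run/docker.sock /run/containerd" '
    BEGIN { n = split(bad, pre, " ") }
    {
      m = split($3, paths, ",")
      for (i = 1; i <= m; i++) {
        p = paths[i]; if (p == "") continue
        for (j = 1; j <= n; j++)
          if (p == pre[j] || (pre[j] != "/" && index(p, pre[j] "/") == 1)) { print $1, $2, p; break }
      }
    }'
}

# Live query. Non-hostPath volumes produce empty elements, which awk skips.
hostpath_report() {
  kubectl get deploy -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{range .spec.template.spec.volumes[*]}{.hostPath.path}{","}{end}{"\n"}{end}' \
    | flag_sensitive_hostpaths
}

# Fastest containment: scale to zero (the object stays for later forensics)
# and leave a note saying why.
quarantine_deployment() {   # ns deploy
  kubectl -n "$1" annotate deploy "$2" security.example.internal/quarantined="sensitive hostPath" --overwrite
  kubectl -n "$1" scale deploy "$2" --replicas=0
}

# Minimum for the "restricted" Pod Security Standard: non-root, no privilege
# escalation, all capabilities dropped, RuntimeDefault seccomp. A strategic
# merge patch matches the container by name, so other fields survive.
restricted_security_context_patch() {   # container name
  cat <<EOF
{"spec":{"template":{"spec":{
  "securityContext":{"runAsNonRoot":true,"runAsUser":10001,
                     "seccompProfile":{"type":"RuntimeDefault"}},
  "containers":[{"name":"$1","securityContext":{
    "privileged":false,"allowPrivilegeEscalation":false,
    "capabilities":{"drop":["ALL"]}}}]}}}}
EOF
}

fix_restricted_deployment() {   # ns deploy container
  # The rejection is reported on the ReplicaSet, not the Deployment.
  kubectl -n "$1" get events --field-selector reason=FailedCreate
  kubectl -n "$1" patch deploy "$2" --type strategic -p "$(restricted_security_context_patch "$3")"
  kubectl -n "$1" rollout status deploy "$2"
}

# docker group membership is root on the host via the socket. Group changes
# take effect at next login; an already logged-in user keeps the group.
remove_from_docker_group() {   # user
  gpasswd -d "$1" docker
  if id -nG "$1" | tr ' ' '\n' | grep -qx docker; then
    echo "$1 is still in the docker group" >&2; return 1
  fi
}
```

runAsUser is included because runAsNonRoot alone fails the pod when the image's USER is root or a non-numeric name; drop it if the image already sets a numeric non-root user.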

3. Network & Supply Chain Security

  • NetworkPolicy: Establishing comprehensive Ingress/Egress rules, starting from a default-deny baseline and combining podSelector, namespaceSelector and ipBlock (CIDR) conditions, was verified. 🌐
  • ImagePolicyWebhook: Configuring an ImagePolicyWebhook that admits only specific images, so unauthorized images are blocked from running in the cluster at the admission layer.
  • SBOM-based vulnerability remediation: A supply-chain problem involved analyzing an image’s SBOM with the bom tool to find images shipping a vulnerable package version, then removing the container using that image from the Deployment. 📦
  • TLS certificate management: The fundamentals of transport encryption were checked, such as creating the Secret for TLS termination on an Ingress and referencing it correctly.
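The NetworkPolicy task is mostly about two traps: forgetting that a default-deny egress also cuts off DNS, and the difference between one `from` item carrying both a namespaceSelector and a podSelector (AND) versus two items (OR). The functions below are an added example, not the exam's or the author's manifests; they emit a default-deny policy and an allow policy with those points called out, plus a check that a policy really is a default deny. The namespace names, the app=api / role=web labels and the 10.0.20.0/24 database subnet are assumptions.

```shell
#!/bin/sh
# NetworkPolicy baseline and allow rules (added example). Assumptions: a
# "frontend" namespace with pods labelled role=web, CoreDNS in kube-system
# labelled k8s-app=kube-dns, and a database subnet 10.0.20.0/24.

default_deny_policy() {   # namespace
  ns=${1:?namespace}
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: $ns
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
EOF
}

allow_api_policy() {   # namespace
  ns=${1:?namespace}
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api
  namespace: $ns
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  - Egress
  ingress:
  # ONE item with both selectors = AND: only role=web pods in the frontend namespace.
  # Splitting them into two "- " items would mean OR: any pod in frontend, or any
  # role=web pod anywhere.
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: frontend
      podSelector:
        matchLabels:
          role: web
    ports:
    - protocol: TCP
      port: 8080
  egress:
  # DNS to CoreDNS; without this the pod resolves nothing once egress is restricted.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # Database subnet, minus one host we explicitly exclude.
  - to:
    - ipBlock:
        cidr: 10.0.20.0/24
        except:
        - 10.0.20.5/32
    ports:
    - protocol: TCP
      port: 5432
EOF
}

# Exit 0 when the policy on stdin (or file $1) selects every pod, covers both
# directions, and carries no allow rules at all.
netpol_is_default_deny() {
  awk '
    /^ *podSelector: *[{][}]/   { empty_sel = 1 }
    /^ *- *Ingress *$/          { ing = 1 }
    /^ *- *Egress *$/           { eg = 1 }
    /^ *(ingress|egress): *$/   { has_rules = 1 }
    END { exit (empty_sel && ing && eg && !has_rules) ? 0 : 1 }
  ' "${1:--}"
}
# Usage: default_deny_policy prod | kubectl apply -f -
#        allow_api_policy prod    | kubectl apply -f -
#        kubectl -n prod describe netpol    # confirms how the CNI parsed the selectors
```

Policies are additive, so the allow policy never needs to repeat the deny; anything not matched by some allow rule stays blocked.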
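For the SBOM task the mechanics are: generate the SBOM with bom, look for the exact package version in it, find every Deployment container running that image, and remove the container without leaving a pod with no containers at all. The following is an added example, not the exam's or the author's code; the image names, package names and versions in it are constructed, and it assumes the bom CLI (sigs.k8s.io/bom) is installed and writes its default SPDX tag-value output.

```shell
#!/bin/sh
# SBOM-driven container removal (added example). Assumptions: `bom` from
# sigs.k8s.io/bom is installed; images/packages below are hypothetical.
#
#   bom generate -i registry.example.internal/app:1.4 -o app.spdx
#   bom document outline app.spdx        # human-readable package tree

# Exit 0 when the SBOM lists package NAME at exactly version VER. In tag-value
# SPDX, PackageName precedes PackageVersion inside one package block, so
# pairing them line by line is sufficient.
spdx_has_package() {   # file name version
  awk -v want="$2" -v ver="$3" '
    /^PackageName:/    { name = $2 }
    /^PackageVersion:/ { if (name == want && $2 == ver) found = 1 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# stdin: "ns<TAB>deploy<TAB>c1=image1,c2=image2," (see containers_report).
# Prints "ns deploy index container total" per container running IMAGE.
# index is zero-based for a JSON-patch path; total says whether removing it
# would leave the pod empty.
containers_using_image() {   # image
  awk -F'\t' -v want="$1" '
    {
      n = split($3, cs, ","); total = 0
      for (i = 1; i <= n; i++) if (cs[i] != "") total++
      for (i = 1; i <= n; i++) {
        if (cs[i] == "") continue
        eq = index(cs[i], "=")
        if (substr(cs[i], eq + 1) == want)
          print $1, $2, i - 1, substr(cs[i], 1, eq - 1), total
      }
    }'
}

containers_report() {
  kubectl get deploy -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{range .spec.template.spec.containers[*]}{.name}{"="}{.image}{","}{end}{"\n"}{end}'
}

# A pod must keep at least one container, so a single-container Deployment is
# scaled to zero instead of being patched into an invalid spec.
remove_container() {   # ns deploy index total
  if [ "$4" -le 1 ]; then
    kubectl -n "$1" scale deploy "$2" --replicas=0
    return
  fi
  kubectl -n "$1" patch deploy "$2" --type json \
    -p "[{\"op\":\"remove\",\"path\":\"/spec/template/spec/containers/$3\"}]"
}

# End-to-end for one image and one vulnerable package version.
triage() {   # image package version
  bom generate -i "$1" -o /tmp/triage.spdx
  spdx_has_package /tmp/triage.spdx "$2" "$3" || { echo "$1 does not ship $2 $3"; return 0; }
  containers_report | containers_using_image "$1" | while read -r ns dep idx cname total; do
    echo "removing container $cname ($1) from $ns/$dep"
    remove_container "$ns" "$dep" "$idx" "$total"
  done
}
```

Matching on the exact version string rather than grepping the package name alone matters: the task usually names one affected version, and an image carrying the patched release should be left alone.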

✨ Overall Review: A Comprehensive Practical Guide to Kubernetes Security

The CKS was not merely a knowledge check but a comprehensive evaluation of a security engineer’s ability to diagnose, analyze and address the variety of threats that occur in a real operating environment, within a fixed time.

With this pass I have set a meaningful milestone as a ‘Kubestronaut’, but 10 more certifications remain before the ‘Golden Kubestronaut’. I haven’t even reached halfway yet! Still, beyond simply collecting certifications, the process of building deep understanding and expertise in the cloud-native ecosystem itself is enjoyable.

Please look forward to and support my next journey! I wish everyone an enjoyable cloud-native journey! 🎉

Tags: CKS, Certified Kubernetes Security Specialist, Kubernetes, Kubestronaut, Certification Review, CKS Review, Kubernetes Certification, CNCF, Cloud Native, Information Security, Kubernetes Security
