🔐 Certified Kubernetes Security Specialist (CKS)
Free, independent CKS exam-preparation with a signed certificate. Secure the cluster, harden the workloads, pass the exam.
Last updated: June 2026
An independent, free exam-preparation course that walks through the publicly published CNCF Certified Kubernetes Security Specialist (CKS) curriculum across all six official domains — Cluster Setup, Cluster Hardening, System Hardening, Minimize Microservice Vulnerabilities, Supply Chain Security, and Monitoring, Logging & Runtime Security. It uses visual lessons, real kubectl and manifest examples, original self-check questions and a 45-question final exam to build practical, hands-on understanding of CIS benchmarks and kube-bench, network policies, Ingress TLS, securing the API server and kubelet, RBAC least privilege, seccomp and AppArmor, Pod Security Standards, secrets management, image scanning and supply-chain integrity, admission controllers, Falco runtime detection, audit logging and mTLS. The CKS is a performance-based, hands-on exam and requires a current Certified Kubernetes Administrator (CKA) credential first. This course is awareness/prep only — not the official Linux Foundation training nor the proctored exam — and claims no CNCF or Linux Foundation affiliation or endorsement. The course is organized into 22 modules, ending with a final exam (pass mark 80%). It is independent, free exam-preparation training — not an official or accredited review course.
What you'll learn
- The CKS Exam: Domains, Weightings & Strategy
- Cluster Setup: CIS Benchmarks & kube-bench
- Cluster Setup: Network Policies
- Cluster Setup: Ingress, TLS & GUI Hardening
- Cluster Hardening: Securing the API Server
- Cluster Hardening: Securing the Kubelet
- Cluster Hardening: RBAC Least Privilege
- Cluster Hardening: ServiceAccounts & Restricting Access
- System Hardening: OS & Kernel Minimization
- System Hardening: Seccomp Profiles
- System Hardening: AppArmor & Privilege Reduction
- Microservices: Pod Security Standards & Admission
- Microservices: Secrets Management
- Microservices: Container Sandboxing & Runtime Classes
- Microservices: Image Scanning with Trivy
- Supply Chain: SBOMs & Image Signing
- Supply Chain: Admission Control & Allowed Registries
- Supply Chain: Static Analysis & Secure Defaults
- Runtime Security: Falco Behavioural Detection
- Runtime Security: Audit Logging
- Runtime Security: Immutability & mTLS
- Exam Strategy, Time Management & Final Review
Learning objectives
- Describe the six CNCF CKS domains and how their weightings shape exam strategy.
- Configure cluster setup security: network policies, Ingress with TLS, CIS benchmark checks and kube-bench remediation.
- Harden the control plane — secure the API server, kubelet, etcd and restrict anonymous access.
- Apply RBAC least-privilege roles, service-account discipline and access restriction.
- Harden the host OS and kernel using seccomp, AppArmor and minimized footprints.
- Enforce Pod Security Standards and admission controls to minimize microservice vulnerabilities.
- Manage secrets safely and protect container runtime boundaries (gVisor, runtime classes).
- Secure the supply chain: image scanning with Trivy, SBOMs, image signing and allowed registries.
- Detect and respond at runtime using Falco, audit logging and behavioural analytics.
- Pass a 45-question exam (80% to earn your certificate).