HomeCoursesKubernetes Security (CKS)

🔐 Certified Kubernetes Security Specialist (CKS)

Free, independent CKS exam-preparation with a signed certificate. Secure the cluster, harden the workloads, pass the exam.

Last updated: June 2026

An independent, free exam-preparation course that walks through the publicly published CNCF Certified Kubernetes Security Specialist (CKS) curriculum across all six official domains — Cluster Setup, Cluster Hardening, System Hardening, Minimize Microservice Vulnerabilities, Supply Chain Security, and Monitoring, Logging & Runtime Security. It uses visual lessons, real kubectl and manifest examples, original self-check questions and a 45-question final exam to build practical, hands-on understanding of CIS benchmarks and kube-bench, network policies, Ingress TLS, securing the API server and kubelet, RBAC least privilege, seccomp and AppArmor, Pod Security Standards, secrets management, image scanning and supply-chain integrity, admission controllers, Falco runtime detection, audit logging and mTLS. The CKS is a performance-based, hands-on exam and requires a current Certified Kubernetes Administrator (CKA) credential first. This course is awareness/prep only — not the official Linux Foundation training nor the proctored exam — and claims no CNCF or Linux Foundation affiliation or endorsement. The course is organized into 22 modules, ending with a final exam (pass mark 80%). It is independent, free exam-preparation training — not an official or accredited review course.

What you'll learn

  • The CKS Exam: Domains, Weightings & Strategy
  • Cluster Setup: CIS Benchmarks & kube-bench
  • Cluster Setup: Network Policies
  • Cluster Setup: Ingress, TLS & GUI Hardening
  • Cluster Hardening: Securing the API Server
  • Cluster Hardening: Securing the Kubelet
  • Cluster Hardening: RBAC Least Privilege
  • Cluster Hardening: ServiceAccounts & Restricting Access
  • System Hardening: OS & Kernel Minimization
  • System Hardening: Seccomp Profiles
  • System Hardening: AppArmor & Privilege Reduction
  • Microservices: Pod Security Standards & Admission
  • Microservices: Secrets Management
  • Microservices: Container Sandboxing & Runtime Classes
  • Microservices: Image Scanning with Trivy
  • Supply Chain: SBOMs & Image Signing
  • Supply Chain: Admission Control & Allowed Registries
  • Supply Chain: Static Analysis & Secure Defaults
  • Runtime Security: Falco Behavioural Detection
  • Runtime Security: Audit Logging
  • Runtime Security: Immutability & mTLS
  • Exam Strategy, Time Management & Final Review

Learning objectives

  • Describe the six CNCF CKS domains and how their weightings shape exam strategy.
  • Configure cluster setup security: network policies, Ingress with TLS, CIS benchmark checks and kube-bench remediation.
  • Harden the control plane — secure the API server, kubelet, etcd and restrict anonymous access.
  • Apply RBAC least-privilege roles, service-account discipline and access restriction.
  • Harden the host OS and kernel using seccomp, AppArmor and minimized footprints.
  • Enforce Pod Security Standards and admission controls to minimize microservice vulnerabilities.
  • Manage secrets safely and protect container runtime boundaries (gVisor, runtime classes).
  • Secure the supply chain: image scanning with Trivy, SBOMs, image signing and allowed registries.
  • Detect and respond at runtime using Falco, audit logging and behavioural analytics.
  • Pass a 45-question exam (80% to earn your certificate).