How To Pass Certified Kubernetes Security Specialist (CKS) Exam Easily?

How To Pass Certified Kubernetes Security Specialist (CKS) Exam Easily?

CKS is a performance-based certification exam that tests candidates’ knowledge of Kubernetes and cloud security in a simulated, real world environment. Candidates must have taken and passed the Certified Kubernetes Administrator (CKA) exam prior to attempting the CKS exam. The best training tools for the CKS exam can be found on the Internet. It may not only assist you in passing the CKS test, but it can also help you develop your knowledge and abilities. It enables you to study for the CKS exam using actual exam questions and pass the first test. 

Try CKS practice exam to test yourself.

Page 1 of 2

1. Create the Pod using this manifest

2. ConfigMap and Secret changes in all namespaces at the Metadata level Also, add a catch-all rule to log all other requests at the Metadata level

Note: Don't forget to apply the modified policy.


Enable audit logs in the cluster, To Do so, enable the log backend, and ensure that

✑ 1. logs are stored at /var/log/kubernetes/kubernetes-logs.txt.

✑ 2. Log files are retainedfor5 days.

✑ 3. at maximum, a number of 10 old audit logs files are retained. Edit and extend the basic policy to log:

✑ 1. Cronjobs changes at RequestResponse

✑ 2. Log the request body of deployments changesinthenamespacekube-system.

✑ 3. Log all other resourcesincoreandextensions at the Request level.

✑ 4. Don't log watch requests by the "system:kube-proxy" on endpoints or

4. Edit the configuration to point to the provided HTTPS endpoint correctly

Finally, test if the configuration is working by trying to deploy the vulnerable resource /home/cert_masters/test-pod.yml

Note: You can find the container image scanner's log file at /var/log/policy/scanner.log


Create a User named john, create the CSR Request, fetch the certificate of the user after approving it.

Create a Role name john-role to list secrets, pods in namespace john

Finally, Create a RoleBinding named john-role-binding to attach the newlycreated role john-role to the user john in the namespace john.

To Verify: Use the kubectl auth CLI command to verify the permissions.


Look for images with HIGH or CRITICAL severity vulnerabilities and store theoutput of the same in /opt/trivy-vulnerable.txt


Use the kubesec docker images to scan the given YAML manifest, edit and apply the advised changes, and passed with a score of 4 points.


✑ apiVersion: v1

✑ kind: Pod

✑ metadata:

✑ name: kubesec-demo

✑ spec:

✑ containers:

✑ - name: kubesec-demo

✑ image:

✑ securityContext:

✑ readOnlyRootFilesystem:true

Hint: docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin <kubesec-test.yaml


You can switch the cluster/configuration context using the following command:

[desk@cli] $ kubectl config use-context dev

A default-deny NetworkPolicy avoid to accidentally expose a Pod in a namespace that doesn't have any other NetworkPolicy defined.

Task: Create a new default-deny NetworkPolicy named deny-network in the namespace test for all traffic of type Ingress + Egress

The new NetworkPolicy must deny all Ingress + Egress traffic in the namespace test.

Apply the newly created default-deny NetworkPolicy to all Pods running in namespace test.

You can find a skeleton manifests file at /home/cert_masters/network-policy.yaml

9. Create a new ServiceAccount named psd-denial-sa in the existing namespace development.

Finally, create a new ClusterRoleBindind named restrict-access-bind, which binds the newly created ClusterRole deny-access-role to the newly created ServiceAccount psp-denial-sa


Using the runtime detection tool Falco, Analyse the container behavior for at least 20 seconds, using filters that detect newly spawning and executing processes in asingle container of Nginx.

store the incident file art /opt/falco-incident.txt, containing the detected incidents. one per line, in the format



Share this post

Leave a Reply

Your email address will not be published. Required fields are marked *