Cloud Native Computing Foundation (CNCF)

CKS

Certified Kubernetes Security Specialist

A hands-on, performance-based certification validating the skills to secure container-based applications and Kubernetes platforms across build, deployment, and runtime. Requires a prior CKA pass and is highly valued for platform-security roles.

$4452 hours

What's on the exam

CKS Curriculum (updated 2024, current Kubernetes release)

Cluster Setup

10%

Network security policies · CIS benchmark hardening · Ingress with TLS · Securing node metadata and endpoints · Verifying platform binaries

Cluster Hardening

15%

Restricting API access · Role-Based Access Control (RBAC) · ServiceAccount minimization · Updating Kubernetes frequently · Securing the kubelet

System Hardening

15%

Minimizing host OS footprint · Restricting IAM roles · Minimizing external access · AppArmor and seccomp · Kernel hardening tools

Minimize Microservice Vulnerabilities

20%

Pod security standards and admission · SecurityContexts · Managing Secrets · Container runtime sandboxes (gVisor, Kata) · mTLS between pods

Supply Chain Security

20%

Minimizing base image footprint · Image signing and validation · Static analysis of workloads · Scanning images for known CVEs · Allowed image registries

Monitoring, Logging, and Runtime Security

20%

Behavioral analytics and syscall detection · Detecting threats with Falco · Immutable container runtimes · Audit logging · Investigating runtime activity

Frequently asked questions

How much does the CKS cost?

The CKS costs $445. Includes one free retake; price set by the Linux Foundation and may change.

How long is the CKS and how many questions does it have?

Real-world tasks performed in live Kubernetes clusters — 2 hours.

What do you need to pass the CKS?

67%.

Can you retake the CKS?

One free retake included; further retakes require a new registration.

What is the best way to study for the CKS?

Study the official blueprint, not random material: the exam is weighted by domain (Cluster Setup 10%, Cluster Hardening 15%, System Hardening 15%, Minimize Microservice Vulnerabilities 20%, Supply Chain Security 20%, Monitoring, Logging, and Runtime Security 20%). Spaced-repetition flashcards built domain-by-domain against that blueprint are the most time-efficient way to cover everything the exam tests.

Program in development

We're building a blueprint-complete program for this exam. Meanwhile, explore live programs across 11 exam.

Explore programs →

At a glance

Format: Hands-on, performance-based command-line exam
Questions: Real-world tasks performed in live Kubernetes clusters
Duration: 2 hours
Passing: 67%
Eligibility: Must have passed the Certified Kubernetes Administrator (CKA) exam at any time; the CKA does not need to remain active
Validity / renewal: 2 years — renewable by recertification
Where you take it: Online proctored, browser-based terminal
Retake policy: One free retake included; further retakes require a new registration
Cost: $445 — Includes one free retake; price set by the Linux Foundation and may change

Official sources

CNCF Certified Kubernetes Security Specialist (CKS) ↗

Fees, policies, and blueprints change — always confirm details with the official source before registering.