CNCF Certified Kubernetes Security Specialist
265 practice questions
Last reviewed: April 2026
Personal notes and resource links for your study path
The Certified Kubernetes Security Specialist (CKS) is the most demanding cert in the CNCF ladder and the only one with a hard prerequisite — you must hold an active Certified Kubernetes Administrator (CKA) credential to register for CKS. CKS is hands-on: two hours against real clusters via kubectl in a browser-based terminal, with tasks covering cluster hardening, supply-chain security (image signing, SBOMs), runtime defense (Falco, AppArmor, seccomp), admission control (OPA Gatekeeper, Kyverno), and policy enforcement. CKS distinguishes the security-specialist role from CKA (cluster operator), CKAD (application developer), and CNPE (platform engineer). It is the capstone of the Kubestronaut bundle and one of the most valuable security credentials in cloud.
CIS Benchmarks for Kubernetes, kube-bench, ingress TLS, NetworkPolicies for cluster-level isolation, and verifying platform binaries. 15% of the exam.
RBAC minimization, service-account hardening, kubelet authentication / authorization, restricting API access, and upgrading clusters to patch CVEs. 15% of the exam.
Linux-level hardening (kernel hardening, AppArmor, seccomp profiles, minimizing host OS attack surface), and IAM minimization. Smallest domain at 10%.
Pod Security Standards, OPA Gatekeeper, Kyverno, mTLS via service mesh, and managing secrets (Vault integration, Sealed Secrets). 20% of the exam.
Image signing with Sigstore / cosign, SBOMs, image scanning (Trivy, Grype), restricting image registries, and verifying base images. 20% of the exam — increasingly emphasized in 2024–2026 refreshes.
Falco runtime threat detection, audit logging, behavioral analytics, and forensic workflows. 20% of the exam. Heavy practical work writing Falco rules and parsing audit logs.
$130k–$175k–$250k USD annual
Range reflects US-based mid-to-senior cloud-security roles where Kubernetes security expertise is required. Senior DevSecOps and cloud-security architect roles at FAANG and unicorns trend significantly higher (often $320k+ TC). CKS is among the highest-paying single certifications in cloud — reflecting the persistent (ISC)² Cybersecurity Workforce Study talent gap and the scarcity of engineers fluent in both Kubernetes operations and cloud-native security tooling.
Source: levels.fyi 2025–2026 (cloud / application security), U.S. BLS OEWS May 2024 (15-1212 information security analysts), (ISC)² Cybersecurity Workforce Study 2024. Figures are approximate; actual compensation depends on role, region, and experience.
Kubernetes is the de facto orchestrator for cloud-native workloads, and Kubernetes-specific security expertise is one of the scarcest skill profiles in cloud. The (ISC)² Cybersecurity Workforce Study has consistently flagged cloud-security engineering as a persistent talent gap, and CKS is the single most-recognized credential within that gap. CKS holders command salary premiums that consistently exceed CKA / CKAD alone, and the credential is increasingly cited as a "preferred" or "required" qualification in senior DevSecOps and cloud-security architect pipelines. CKS is the capstone of the Kubestronaut bundle (KCNA + KCSA + CKA + CKAD + CKS) and signals an unusually deep operational and security commitment that meaningfully accelerates senior-pipeline candidacy.
CKS has a hard prerequisite — you must hold an active Certified Kubernetes Administrator (CKA) credential at the time you register and at the time you sit the exam. This is enforced at registration; you cannot purchase a CKS exam slot without an active CKA. If your CKA expires before you sit CKS, you will need to renew or recertify before registering.
The sensible CNCF security progression is KCNA → KCSA → CKA → CKS. KCSA is not required for CKS but materially de-risks the attempt by establishing the conceptual scaffolding (4Cs, threat modeling, supply-chain security) that CKS then tests under hands-on time pressure. Most successful CKS candidates have 6–12 months of production Kubernetes operations experience after CKA before sitting CKS — the exam assumes operational fluency with kubectl, kubelet, etcd, and the control plane.
CKS is the most demanding cert in the CNCF ladder. The exam is hands-on: 15–20 performance-based tasks against real clusters in a browser-based terminal, two hours, with access only to a small allow-list of documentation domains in a single browser tab. Pass mark is 67%. Expect 100–200 hours of study over 10–16 weeks after CKA, depending on prior security experience. Candidates with a strong general security background (CISSP, OSCP) and a fresh CKA pass tend toward the lower end; pure operators newer to security work tend toward the higher end.
The most common stumbling block is the breadth of tooling — Falco, AppArmor, seccomp, Sigstore / cosign, Trivy, OPA Gatekeeper, Kyverno, Vault — combined with the same kubectl time pressure as CKA. Bash / jq fluency, fast vim editing, and kubectl efficiency remain decisive. The CKS-specific toolchain (especially writing custom Falco rules and seccomp profiles under exam time pressure) is what most failed attempts cite as the gap. Mock exams from killer.sh (two free attempts bundled) are widely considered required preparation.
Original release — the security-specialist capstone of the CNCF ladder. Validity is 2 years (CKS has always been 2-year validity, unlike CKA / CKAD which moved from 3 to 2 years in April 2024). Curriculum refreshes annually to track recent Kubernetes releases and CVE patterns; supply-chain security and Sigstore coverage expanded materially in 2023–2024 refreshes.
CKS (CNCF Certified Kubernetes Security Specialist) is a professional-level exam: a challenging, scenario-heavy test that requires deep hands-on experience and the ability to make architectural trade-off decisions. Most candidates need 150–300 hours of study spread over 3–6 months for professional and expert-level exams. These exams typically expect prior associate-level proficiency. Most candidates who score consistently above the passing threshold on practice exams pass on their first attempt.