Certified Kubernetes Security Specialist

Harden it. Detect it. Pass it.

Q: What tools does the lab have for security tasks?

The CKS environment ships with Falco for runtime detection, Trivy for image and filesystem scanning, AppArmor and seccomp on the nodes, audit logging on the API server, and a CNI that enforces NetworkPolicies. Validators inspect the real effect, not just your YAML.

Q: Is the CKS exam hard?

CKS is widely considered the hardest of the three. It is entirely performance-based, tasks span the cluster and the underlying nodes, and several require tools like Falco, Trivy, and AppArmor that you rarely touch day to day. This lab drills exactly those tools under exam conditions.

A browser-based lab that gives every student their own real Kubernetes cluster, 16 hands-on CKS security tasks scored by programmatic validators, and an attempt history that shows exactly what you missed — and why.

Get access · €29 → 1 attempt · €9.99 Try for free

free 3-question trial · €29 full access · 14 days · or €9.99 per attempt

graded tasks

real cluster

15 min

free trial

student@cks-lab — kubectl

00:18:05

$ kubectl apply -f default-deny.yaml -n payments

networkpolicy.networking.k8s.io/default-deny created

$ kubectl exec -n payments web -- curl -m2 db:5432

command terminated with exit code 28 (timeout)

$ grep -c "Drop" /var/log/falco/events.log

────────────────────────────────────────────────

▸ validator: default-deny in ns · egress blocked

▸ score: 100% · result saved to attempt #09

What it does

Three things, done well.

No video courses. No fake simulators. Use quick quizzes to warm up, then work the same kind of cluster, the same kind of security task, and the same kind of grader you'll meet on CKS exam day.

f.01 · runtime

Real Kubernetes, on demand.

Each attempt boots an isolated kind cluster wired through ttyd, with the security tooling pre-installed. Falco, Trivy, and audit logging are real — not stubs.

falco · trivy · apparmor · audit

f.02 · scoring

Programmatic validators.

Every task ships its own check script that inspects real cluster and host state. You get partial credit for partial work, an output trace per question, and a reviewable diff.

partial credit · per-task · idempotent

f.03 · history

Per-user attempt log.

Every finished exam — score, duration, missed tasks, the validator output, and the canonical solution — is saved to your console. Pattern-spot what you keep getting wrong.

persistent · solutions · diffable

How it works

From sign-up to scored, in four moves.

No installs. No local kubeconfig surgery. Open the lab, get a cluster, finish the tasks, read your report.

Create an account.

Email + password, or Google SSO. You land in your student console — profile, target score, sync clock.

provision

Open the lab.

One click spins a 2-node kind cluster and an embedded desktop. Provisioning runs once across all 16 tasks.

solve

Work in-context.

Each question gives you the SSH target, a docs link, and a question rail beside the live workspace. Submit when satisfied.

review

Read the report.

Programmatic validators run on finish. Pass/fail, per-task feedback, and the canonical solution post to your history.

Inside the lab

A question, an instance, a grader. Side by side.

The lab is one window: a question rail on the left, an embedded Linux desktop on the right, and a progress strip you can navigate at any time. Below is what one CKS task looks like.

› question 09 / 16 · cluster hardening

Lock a namespace down with a default-deny NetworkPolicy.

ssh root@cks-master

In namespace payments, create a default-deny NetworkPolicy for both ingress and egress, then allow only the web pods to reach the db pods on port 5432.

Nothing else in the namespace may talk to db. You'll be graded on the policy and on the connectivity matrix actually enforced by the CNI.

validator · q09 · netpol-default-deny

scoring

▸ checking ns payments policies...

✓ default-deny ingress + egress [1.0/1.0]

✓ web → db :5432 allowed [1.0/1.0]

▸ probing enforced connectivity...

✓ other → db blocked [1.0/1.0]

✓ db egress to internet blocked [1.0/1.0]

────────────────────────────────────────

RESULT pass 4.0 / 4.0 100%

SAVED attempt #09 · q09

Exam scope

Mapped to the published CKS curriculum.

Domain weights mirror the official CKS exam blueprint. All 16 lab tasks are tagged to a domain so your attempt history breaks down by exactly the areas the exam measures. See the full task list with descriptions.

d.01

Cluster Setupnetwork policies, CIS benchmark, ingress TLS, kubelet, API auth

10%

d.02

Cluster HardeningRBAC, service accounts, API server flags, upgrades, secrets

15%

d.03

System Hardeninghost OS footprint, AppArmor/seccomp, kernel hardening

15%

d.04

Minimize Microservice VulnerabilitiesPod Security Standards, securityContext, mTLS, secrets at rest

20%

d.05

Supply Chain Securityimage scanning, Dockerfile hardening, SBOM, image policy

20%

d.06

Monitoring, Logging & Runtime SecurityFalco rules, behavioral analytics, audit logging, immutability

20%

Pricing

Pay once. No subscription.

Create a free account and try the first 3 questions for 15 minutes. Go full access for 14 days, or buy a single attempt — no recurring charges either way.

full access

cks practice lab

$ 29 one-time · 14 days

14 days of full lab access · no renewal · no auto-charge

✓Free account includes 3 questions · 15 minutes
✓Paid access unlocks 16 graded tasks · 120 minutes · unlimited retakes
✓Real on-demand kind cluster, every attempt
✓Programmatic, partial-credit validators
✓Persistent attempt log + canonical solutions
✓Unlimited retakes for 14 days from purchase
✓7-day refund, no questions asked

Get access · €29 → Try for free stripe · visa · mastercard · amex

single attempt · pay as you go

€9.99 per attempt

One full 120-minute exam attempt with all 16 tasks, real cluster, and programmatic scoring. Buy more only when you need them.

Buy 1 attempt →

cohort · 5+ seats

Team licensing

Bulk seats, an admin console, aggregate progress reporting. Email [email protected] for a quote.

going for more than one?

CKA and CKAD too.

Each certification is a separate one-time purchase on the same lab engine. See CKA and CKAD.

the certification itself (Linux Foundation) is sold separately at $445.
this lab is independent practice — not the exam.

FAQ

Things people ask before signing up.

What does €29 actually buy me?

14 days of full lab access from the moment of purchase: all 16 graded CKS tasks, unlimited retakes during the window, and the canonical solutions. Your attempt history stays on your account permanently — you just can't open new lab sessions after day 14. No recurring charge, no plan to upgrade. If it doesn't work for you, email [email protected] within 7 days for a full refund.

Is this affiliated with the Linux Foundation or CNCF?

No. prepium.sh is an independent practice environment. We track the published CKS curriculum closely, but we are not the certifier.

Do I need a CKA before taking the CKS?

Yes. The Linux Foundation requires you to hold an active CKA certification before you can sit the CKS exam. You can still practice CKS here without one — but you'll need to pass the CKA first to register for the real CKS. We cover the CKA too.

What tools does the lab have for security tasks?

The CKS environment ships with the tooling the exam expects — Falco for runtime detection, Trivy for image and filesystem scanning, AppArmor and seccomp on the nodes, audit logging on the API server, and a CNI that actually enforces NetworkPolicies. Validators inspect the real effect, not just your YAML.

How accurate are the validators?

Each task ships with a check script that inspects real cluster and host state — for example, it probes the actual connectivity matrix a NetworkPolicy enforces, or confirms a Falco rule fires. There are usually multiple valid solutions; the grader rewards any of them and gives partial credit.

How long should I study for the CKS?

Most people spend 4–8 weeks after passing the CKA. CKS is narrower but deeper — you need fluency with Falco rules, Pod Security admission, image scanning, and audit policy, plus host-level hardening you won't have touched on the CKA. We recommend at least 3–4 full timed attempts before the real exam.

Is the CKS exam hard?

CKS is widely considered the hardest of the three. It's entirely performance-based, the tasks span both the cluster and the underlying nodes, and several require tools (Falco, Trivy, AppArmor) you rarely touch day to day. The time pressure is real. This lab is built to drill exactly those tools under exam conditions.

Also on prepium.sh

Going for more than one certification?

prepium.sh covers all three CNCF Kubernetes certifications on the same lab engine — real clusters, programmatic validators, and persistent attempt history.

CKA

Certified Kubernetes Administrator

17 hands-on lab tasks across cluster architecture, networking, storage, and troubleshooting, plus a 55-question quiz bank.

CKAD

Certified Kubernetes Application Developer

16 hands-on lab tasks across the five CKAD domains, plus practice drills and a 32-question quiz bank.

Open a cluster. Start ticking tasks.

One-time €29 unlocks 14 days of full lab access — all 16 graded CKS tasks, unlimited retakes, and a permanent attempt history. No subscription, no upsell.

Get access · €29 → Try for free Sign in

One-time €29 · 14 days of access
7-day refund, no questions asked
Real cluster, not a simulator
Programmatic, partial-credit scoring
Solutions revealed after submission
Persistent, per-user attempt log