CKS Exam Topics & Practice Tasks

Every task in the CKS lab maps to a domain in the official Certified Kubernetes Security Specialist curriculum. Below is the full list — what you'll practice, what each task tests, and how it maps to the exam blueprint.

16 graded tasks · 6 CKS domains · 120 min per attempt · 100% curriculum coverage

Domain 1 · 10% of CKS exam

Cluster Setup

Lock down network access, the kubelet, API authentication, and ingress TLS, and run CIS benchmark checks.

Task 01

Fix Insecure Kubelet and etcd

A cluster node has been configured insecurely.

docs · k8s.io/docs/reference/access-authn-authz/kubelet-authn-authz
Task 10

Upgrade a Worker Node by One Patch Version

The worker node is running an older kubelet patch version (v1.30.0) and must be upgraded to v1.30.1.

Access: The upgrade is performed on the worker node itself.

docs · k8s.io/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade
Task 16

Secure API Server Authentication and Authorization

The API server is currently configured insecurely.

docs · k8s.io/docs/reference/access-authn-authz/authentication
Domain 2 · 15% of CKS exam

Cluster Hardening

Restrict RBAC and service accounts, tighten API server flags, and keep the cluster patched.

Task 02

Create a TLS Secret

A Deployment already references a TLS Secret, but the Secret does not exist.

docs · k8s.io/docs/concepts/configuration/secret
Task 07

Create a Restrictive NetworkPolicy

Namespace secure-ns currently allows unrestricted ingress traffic.

docs · k8s.io/docs/concepts/services-networking/network-policies
Task 08

Expose HTTPS Through Ingress with TLS Termination

An application must be exposed over HTTPS using an Ingress.

docs · k8s.io/docs/concepts/services-networking/ingress
Task 14

Configure Cilium Network Policy with Mutual Authentication

Cilium is installed in the cluster.

docs · docs.cilium.io/en/stable/network/servicemesh/mutual-authentication/mutual-authentication
Domain 3 · 15% of CKS exam

System Hardening

Reduce the host attack surface with AppArmor, seccomp, and kernel hardening.

Task 13

Secure the Docker Daemon

A node has insecure Docker permissions.

docs · docs.docker.com/engine/security
Domain 4 · 20% of CKS exam

Minimize Microservice Vulnerabilities

Apply Pod Security Standards, securityContext, and mTLS, and protect secrets at rest.

Task 05

Enforce Container Immutability

A Deployment is running with an insecure container security context.

docs · k8s.io/docs/tasks/configure-pod-container/security-context
Task 09

Disable API Credential Auto-Mounting

A ServiceAccount is automatically mounting API credentials into Pods.

docs · k8s.io/docs/tasks/configure-pod-container/configure-service-account
Task 12

Fix Deployment for Restricted Pod Security Standard

Namespace restricted-ns enforces the restricted Pod Security Standard. A Deployment pss-app in this namespace is currently non-compliant and its Pods cannot start.

docs · k8s.io/docs/concepts/security/pod-security-standards
Domain 5 · 20% of CKS exam

Supply Chain Security

Scan images for vulnerabilities, harden Dockerfiles, generate SBOMs, and enforce image policy.

Task 03

Dockerfile and Deployment Security Best Practices

An application image is built from an insecure Dockerfile.

docs · k8s.io/docs/tasks/configure-pod-container/security-context
Task 11

Generate SPDX Document and Remove Vulnerable Container

One Deployment contains multiple Alpine-based containers.

docs · k8s.io/docs/concepts/security/supply-chain-security
Task 15

Configure ImagePolicyWebhook Admission Control

The API server must enforce image admission checks using ImagePolicyWebhook.

docs · k8s.io/docs/reference/access-authn-authz/admission-controllers
Domain 6 · 20% of CKS exam

Monitoring, Logging and Runtime Security

Detect threats at runtime with Falco, behavioral analytics, and audit logging.

Task 04

Detect and Stop a Pod Accessing /dev/mem

A Pod in the cluster is accessing /dev/mem.

docs · falco.org/docs/rules
Task 06

Configure API Server Audit Logging

Audit logging is not correctly configured on the API server.

docs · k8s.io/docs/tasks/debug/debug-cluster/audit