The CKS is widely considered the hardest of the three CNCF Kubernetes certifications, and the one with the smallest pool of free, realistic practice resources. It’s a 2‑hour, performance-based exam that assumes you already know Kubernetes (CKA is a prerequisite) and tests whether you can secure it.
The good news: while the prep stack for CKS is thinner than CKA or CKAD, it is possible to prepare entirely with free resources. This guide is the playbook, including how the open-source CK-X simulator covers the security-specific scenarios most free tools skip.
Why CKS is Different (and Harder)
CKS is unusual among security certifications: it doesn’t test theory. There’s no “which OWASP category does this fall under?” multiple-choice question. Every task is a live cluster you must secure, audit, or harden. You’ll be:
- Writing and debugging RBAC policies under a timer
- Configuring NetworkPolicies that fail-closed by default
- Scanning images with trivy and analyzing the output
- Auditing nodes against CIS benchmarks with kube-bench
- Configuring AppArmor or seccomp profiles for specific containers
- Detecting and responding to runtime anomalies with Falco
You can’t fake this with slides. You need a cluster you can break, fix, and break again. See our CKS prerequisites guide if you’re not yet sure you’re ready.
The CKS Exam at a Glance
| Attribute | CKS Exam Reality |
|---|---|
| Format | Performance-based on a live cluster |
| Duration | 2 hours |
| Number of tasks | 15–20 hands-on scenarios |
| Passing score | 67% |
| Prerequisite | Active CKA certification |
| Allowed tabs | kubernetes.io/docs, plus tool docs (trivy, falco, app-armor.io) |
| Environment | PSI Secure Browser with remote desktop + terminal |
| Retake | One free retake within 12 months |
| Validity | 2 years |
Two things to internalize:
- CKS time pressure is real. The tasks are denser than CKA or CKAD because they often combine multiple security primitives in one scenario.
- The allowed-tabs list is wider. You can reference tool docs (trivy, falco), but only if you’ve practiced enough to know what to look for in those docs.
What CKS Actually Tests
The current CKS curriculum weights look like this:
| Domain | Weight |
|---|---|
| Cluster Setup | 10% |
| Cluster Hardening | 15% |
| System Hardening | 15% |
| Minimize Microservice Vulnerabilities | 20% |
| Supply Chain Security | 20% |
| Monitoring, Logging, and Runtime Security | 20% |
For the full domain breakdown see our CKS exam topics guide.
Free Resources That Actually Move the Needle
CKS-specific free resources are rarer than CKA/CKAD. Here’s the short list that actually produces pass results.
1. CK-X: Free, Open-Source CKS Simulator
CK-X is the free Kubernetes exam simulator we built specifically because there was no free option that matched the PSI exam UI, and almost nothing free covered CKS-specific scenarios at all.
What you get for free on the CKS track:
- Web-based remote desktop + terminal that mirrors PSI
- Real K3D clusters with security tooling pre-installed (trivy, falco, kube-bench)
- Timer-based exam mode
- Multi-question navigation
- Automated validation against your live cluster
- CKS-specific scenarios: NetworkPolicies, PodSecurity admission, image scanning, runtime detection, RBAC hardening
If you’d rather see the platform end-to-end before installing anything, this short walkthrough covers it:
2. The Official Kubernetes Documentation
kubernetes.io/docs is your in-exam lifeline. CKS-relevant pages to know cold:
/docs/concepts/security//docs/concepts/security/pod-security-standards//docs/concepts/security/pod-security-admission//docs/concepts/services-networking/network-policies//docs/reference/access-authn-authz/rbac//docs/reference/access-authn-authz/admission-controllers//docs/tasks/configure-pod-container/security-context/
3. Free Open-Source Security Tools
Install and use these locally before exam day. They’re allowed (and expected) on the exam:
# trivy: image and config scanning
brew install aquasecurity/trivy/trivy
# kube-bench: CIS benchmark auditor
docker run --pid=host -v /etc:/etc:ro \
-v /var:/var:ro -t aquasec/kube-bench:latest run --targets master,node
# falco: runtime threat detection
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco --namespace falco --create-namespace
# kubesec: manifest scanner
docker run -i kubesec/kubesec:latest scan /dev/stdin < pod.yaml4. CIS Kubernetes Benchmark (Free PDF)
The CIS Kubernetes Benchmark is freely downloadable from the Center for Internet Security after a quick form. It’s the source-of-truth for the cluster-hardening domain. Skim the controls, then map them to kube-bench output.
A Free 6-Week CKS Study Plan
CKS deserves more time than CKA or CKAD. Six weeks at ~1.5 hours/day on weekdays and ~3 hours on weekends is the sweet spot.
| Week | Focus | Daily Practice |
|---|---|---|
| Week 1 | Cluster setup + hardening | kubeadm hardening, API server flags, audit logging |
| Week 2 | RBAC + ServiceAccount hygiene | Least-privilege roles, token rotation, automountServiceAccountToken |
| Week 3 | NetworkPolicies + Ingress security | Default-deny patterns, egress control, TLS termination |
| Week 4 | Pod security + admission | PodSecurity admission, SecurityContext, AppArmor, seccomp |
| Week 5 | Supply chain + image scanning | trivy, image signing, ImagePolicyWebhook, allowed registries |
| Week 6 | Runtime security + full mocks | falco rules, audit log analysis, 2 timed mock exams |
Week 1: Cluster setup and hardening
Stand up a kubeadm cluster from scratch. Then break it on purpose:
- Disable anonymous auth on the API server.
- Turn on audit logging with a custom Policy file.
- Restrict kubelet API access (
--anonymous-auth=false,--authorization-mode=Webhook). - Run
kube-benchand remediate every FAIL.
# Audit policy snippet: know this from memory
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
resources:
- group: ""
resources: ["secrets", "configmaps"]
- level: RequestResponse
resources:
- group: ""
resources: ["pods/exec", "pods/portforward"]Week 2: RBAC and ServiceAccount hygiene
A near-guaranteed CKS task: scope down an over-privileged ServiceAccount.
# Inspect what a SA can do
k auth can-i --list --as=system:serviceaccount:default:builder
# Disable token automount (a CKS reflex move)
k patch sa default -p '{"automountServiceAccountToken": false}'For a deep, exam-aligned walkthrough see CKA RBAC hands-on guide.
Week 3: NetworkPolicies and ingress security
Default-deny is the CKS pattern that pays. Drill it until you can type from memory:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: prod
spec:
podSelector: {}
policyTypes: [Ingress, Egress]Then layer on explicit allow rules. Practice writing both directions (ingress and egress), most candidates remember ingress and forget egress.
Week 4: Pod security and admission
The CKS exam moved from PodSecurityPolicy to Pod Security Admission. Learn the three levels: privileged, baseline, restricted. Practice labeling a namespace and observing what gets rejected:
k label ns prod \
pod-security.kubernetes.io/enforce=restricted \
pod-security.kubernetes.io/enforce-version=latestDrill SecurityContext patterns:
securityContext:
runAsNonRoot: true
runAsUser: 10001
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
seccompProfile:
type: RuntimeDefaultWeek 5: Supply chain and image scanning
# Scan an image with trivy
trivy image --severity HIGH,CRITICAL nginx:1.21
# Scan a manifest
trivy config ./k8s/
# Restrict allowed registries via OPA Gatekeeper or ImagePolicyWebhook
# (you'll see at least one of these on the exam)Week 6: Runtime security and full mocks
Falco is the runtime detection tool referenced most often in CKS scenarios. Learn the structure of a rule, not every macro:
- rule: Shell in Container
desc: A shell was spawned in a container with an attached terminal.
condition: spawned_process and container and shell_procs and proc.tty != 0
output: "Shell spawned (user=%user.name container=%container.name)"
priority: WARNINGThen run two full timed mock exams. Realistic conditions:
- Single 24‑inch monitor only
- No notes other than allowed docs
- Strict 2‑hour timer
- Webcam on
The Top 8 CKS Practice Mistakes
- Skipping kube-bench output review. Almost every CKS attempt has at least one task that maps to a CIS control. If you’ve never read kube-bench output, you’ll waste minutes parsing it on exam day.
- Forgetting egress in NetworkPolicies. Ingress-only policies are a partial-credit trap. CKS validators often check egress too.
- Memorizing AppArmor profiles. You can’t. Memorize the attachment syntax and the location (
/etc/apparmor.d/) and read the profile from disk. - Treating runtime security as theory. Install Falco. Trigger a rule. Watch the alert. Theory alone won’t pass.
- Skipping PodSecurity admission practice. It replaced PSP. If your training material is older than 2 years, it’s wrong on this topic.
- Not tightening the default ServiceAccount. Every namespace ships with one. The CKS-correct move is
automountServiceAccountToken: falseunless explicitly required. - Ignoring the audit log. A common CKS task: enable audit logging, then find a specific event in it. If you’ve never
grep-ed an audit log, you’ll struggle. - No timed practice. CKS time pressure is brutal. At least three full 2‑hour mocks before exam day.
Free vs. Premium CKS Prep: How They Compare
| Feature | Free Stack (incl. CK-X) | Premium Mock Bundles |
|---|---|---|
| Real Kubernetes clusters | Yes | Yes |
| PSI-style exam UI | Yes (CK-X) | Yes |
| Number of full-length CKS mocks | 1–2 (CK-X) | 5–10 (curated, exam-mapped) |
| Pre-installed security tooling | Yes (CK-X) | Yes |
| Difficulty calibrated to current exam | Mixed | Yes, maintained |
| Per-domain analytics | Basic | Detailed weak-spot reports |
| Coverage of newer topics (PSA, image signing) | Solid | Updated as the blueprint evolves |
| Cost | $0 | One-time fee |
Honest read: CKS is the certification where the gap between free and premium is narrowest in coverage but widest in calibration. The free stack will get you the topic exposure. Premium bundles like the CKS exam-ready mock exam bundle earn their cost in the final 2 weeks when calibrated difficulty and per-domain analytics tell you exactly which 20 hours to invest before exam day.
A Hands-On CKS Practice Loop That Works
CKS practice fails when it’s “read about NetworkPolicies.” It works when it’s adversarial:
- Stand up a cluster with deliberate misconfigurations (privileged containers, anonymous API auth, no NetworkPolicies, default automount).
- Run the security tools (
kube-bench,trivy,kubesec) against it. Read every FAIL. - Fix one issue at a time. Re-run the scanner. Confirm the FAIL becomes PASS.
- Break the fix on purpose. Then re-fix it.
- Move to the next misconfiguration.
Six weeks of this loop, with two full timed mocks at the end, is the closest thing to a free guaranteed pass.
How to Run Your First Free CKS Mock Exam Today
# 1. Clone CK-X
git clone https://github.com/sailor-sh/CK-X.git
cd CK-X
# 2. Spin it up (Docker required)
docker compose up -d
# 3. Open your browser
open http://localhost:3000
# 4. Pick "CKS" track and start a timed examWithin 5 minutes you’ll be inside a remote desktop with security tooling pre-installed and a CKS-specific exam timer running. Which is exactly the point.
If you’d rather try the hosted version of the simulator without installing anything, head to sailor.sh and start a free CKS practice session.
CKS Practice CTA: Where to Go Next
- Free, today: Try CK-X and run one full 2‑hour CKS timed mock.
- Sharpen weak spots: Read our CKS exam guide 2026, CKS study plan, and CKS exam practice environment guide.
- Final 2 weeks before exam: Consider the CKS exam-ready mock exam bundle for calibrated difficulty and per-domain analytics.
Frequently Asked Questions
Can I really pass the CKS using only free resources?
Yes, but the free stack is thinner here than for CKA or CKAD. CK-X covers the CKS-specific scenarios most other free tools skip (PodSecurity admission, runtime detection with Falco, image scanning with trivy). You’ll still need to put in 100+ hours of adversarial lab time. If you do, free is enough.
Do I need to pass CKA before taking CKS?
Yes. The CKA is a hard prerequisite for the CKS. Your CKA must be active when you sit for the CKS exam.
How long should I spend preparing for CKS?
6–8 weeks at 1.5–2 hours/day is realistic for someone who’s already CKA-certified and has production Kubernetes exposure. Less if you’re already in a security-focused role; more if security tooling (trivy, falco, kube-bench) is new to you.
Is CK-X really free?
Yes. CK-X is open source under the Apache‑2.0 license. Self-host it locally with Docker, fork it, or use the hosted version on sailor.sh for free.
How is CK-X different from killer.sh for CKS?
killer.sh comes bundled with the exam voucher and gives you 2 sessions of 36 hours. CK-X is unlimited, free, open source, and self-hostable, with a CKS-specific track and pre-installed security tooling. Many candidates use both: CK-X for ongoing daily practice, killer.sh as the final dress rehearsal.
What’s the most overlooked CKS topic?
PodSecurity admission. It replaced PodSecurityPolicy, and a lot of older training material still teaches PSP. If your study material doesn’t mention pod-security.kubernetes.io/enforce labels, it’s outdated.
Does the CKS exam actually allow trivy/falco docs?
Yes, the allowed-docs list for CKS includes specific tool documentation alongside kubernetes.io/docs. Practice navigating those tool docs during your timed mocks so it’s not the first time on exam day.
Should I take CKS if I’m not in a security role?
CKS is one of the strongest signals that you can run Kubernetes in production at all. Many SRE and platform engineers take it specifically because security and reliability overlap so heavily. See CKA vs CKAD vs CKS, which certification first?.
How does CKS compare to KCSA?
KCSA is the Kubernetes Cloud Security Associate, multiple choice, foundational. CKS is performance-based and senior-level. See CKS vs KCSA for the full comparison.
The shortcut nobody tells you: the engineers who pass CKS aren’t the ones who watched the most security videos. They’re the ones who logged the most hours adversarially, breaking misconfigured clusters and fixing them under a timer. Free tools have closed the gap. Now it’s just about putting in the reps.
Ready to Lock In Your CKS Pass?
When you’ve outgrown free practice and want calibrated, exam-mapped mock exams with per-domain analytics, the Sailor.sh CKS bundle is built for the final 2 weeks before exam day:
→ Certified Kubernetes Security Specialist (CKS) Exam-Ready Mock Exam Bundle
Going for all three Kubernetes certifications? The matching bundles:
Same CK-X engine you’ve been practicing on, calibrated difficulty curve, per-domain weak-spot reports.