Security in Cloud native with CKS — My Review

certified kubernetes security specialist

Today, I was qualified by CNCF as CKS or CKSS (Certified Kubernetes Security Specialist). This article is about my journey towards that.

Enjoy it … !

General Background

I am doing this because I believe that #SRE (reliability engineering) cannot be reached without software engineering … everywhere.

Accordingly, being specialized in other fields is required for that purpose.

The marriage of security ♥ software engineering gives birth to 4 children 👨‍👩‍👧‍👦:

  • Security as Code: bake security into the DNA
  • Expose security features as services via an API
  • Automate everything so that everything scales
  • Real security change management based on the principles of release engineering, which is a subfield of software engineering.

Security Background

Five years ago, I was assigned the responsibility of maintaining the AWS infrastructure in terms of production deployment, provisioning, security, HA, DR and DevOps in general. This was a big shift in my professional career: from pure software engineer to cloud engineer.

At that time, the AWS architect speciality gave me the big picture; actually, I was introduced to the infra world for free.

At that time, I practiced security on the cloud, which is more complicated than security on-prem. Indeed, I found myself using the cloud to protect the cloud 😁 !!

Those were really amazing days, practicing cloud security on many layers: AWS WAF, security groups, ELB/ALB for mitigating DDoS, the prewarming process and others.

2 years ago, I worked on OpenShift OCP clusters. OpenShift introduced me to the topic of container security: rootless containers, and so on.

In summary, this was my background in security before hitting CKS.

Security in General

i/ Defense in depth:

  • Multiple security layers (layered defence)
  • Redundancy (vs RDY)

ii/ Least privilege

  • Grant only the access that is needed to do the work

iii/ Limiting the attack surface

  • Limiting or removing any possibility for an attacker to exploit anything in your system

A security framework should have 4 capabilities:

  • Directive
  • Preventive
  • Detective
  • Responsive

Data security has 2 categories:

  • Data security at rest (data stored and archived)
  • Data security in transit (data in traffic)

Security in Cloud Native

  1. Host OS security ( Node OS)
  2. Kubernetes Cluster Security
  3. Application Security

Techs & topics related to k8s security:

  • Falco & Sysdig
  • AppArmor & seccomp
  • admission controllers & webhooks
  • Trivy
  • OPA
  • and others

Tips for Preparation

Exam Review

I found the exam comfortable for 3 reasons:

  • the duration of the exam is reasonable compared with the number of tasks
  • each task has its own cluster, which means executing one task cannot impact the others
  • each task highlights notes/warnings using clear colored boxes, which helps to avoid mistakes

Tips for Exam

While you are allowed to access many websites during the exam, you should not be too happy about this advantage: if you think that you will have time to read and learn during the exam, you may not finish half of the tasks.

Instead, you should use these websites to quickly search for the snippets of code that you need, then copy them, edit them and apply them to your tasks.

Your speed can be boosted by 3 configurations:

  • configuring kubectl autocomplete
  • configuring vim for YAML so that new lines are indented with spaces instead of TABs:
    # cat ~/.vimrc
    autocmd FileType yaml setlocal ai ts=2 sw=2 et
  • handy aliases like “k” as an alias of “kubectl”; the set of aliases you settle on depends on how long you have worked with Kubernetes in your professional career.
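As an added example (not from the original post), a shell script that installs these three speed-ups idempotently into a home directory; the `k` alias additionally needs a `complete` line so that TAB completion works for it. The function names and the `--apply` flag are my own.

```shell
#!/usr/bin/env bash
# Added example: idempotently installs the three speed-ups from the article
# (kubectl completion, a completion-aware "k" alias, and 2-space YAML in vim)
# into a given home directory. Constructed here; not from the original post.

# append_once FILE LINE: add LINE to FILE unless an identical line is already there.
append_once() {
  local file="$1" line="$2"
  touch "$file"
  grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# setup_k8s_speedups HOME_DIR: write the three configurations under HOME_DIR.
setup_k8s_speedups() {
  local home="$1"
  mkdir -p "$home"
  # 1. kubectl autocomplete for bash (needs the bash-completion package installed).
  append_once "$home/.bashrc" 'source <(kubectl completion bash)'
  # 2. "k" alias plus completion for it; without the complete line,
  #    TAB after "k" falls back to plain filename completion.
  append_once "$home/.bashrc" 'alias k=kubectl'
  append_once "$home/.bashrc" 'complete -o default -F __start_kubectl k'
  # 3. vim: 2-space soft tabs for YAML so pasted manifests stay valid
  #    (YAML forbids tab indentation).
  append_once "$home/.vimrc" 'autocmd FileType yaml setlocal ai ts=2 sw=2 et'
}

# count_line FILE LINE: how many times LINE appears in FILE (checks idempotence).
count_line() {
  grep -cxF -- "$2" "$1" 2>/dev/null || true
}

# Only touch the real home directory when explicitly asked with --apply.
if [ "${1:-}" = "--apply" ]; then
  setup_k8s_speedups "$HOME"
  echo "Done. Start a new shell (exec bash) to pick up the changes."
fi
```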

Software engineer, Cloud Architect, 5/5 AWS|GCP|PSM Certified, Owner of