Click to upload or drag and drop
PDF, DOCX, PPTX, TXT, JPG, JPEG, PNG, HEIC, ODP, ODT, BMP, or TIFF
up to 20MB
Uploading...
The CKS is widely rated the hardest of the three Kubernetes certifications, and the structure explains why: 2 hours of live command-line tasks on real clusters, a passing score of 67% (one point above the CKA and CKAD), and it is the only Linux Foundation Kubernetes exam with a hard prerequisite, a valid CKA. Every person sitting the CKS has already passed one hands-on Kubernetes exam, so the difficulty is not the format. It is the breadth of security tooling layered on top of cluster fluency you are assumed to have: pod security standards, admission control, AppArmor and seccomp profiles, supply chain checks, and audit log analysis, all against a clock that does not leave time to look much up.
| Detail | CKS (Certified Kubernetes Security Specialist) |
|---|---|
| Format | Performance-based: live command-line tasks on real clusters, no multiple choice |
| Duration | 2 hours |
| Passing score | 67% (CKA and CKAD pass at 66%) |
| Prerequisite | A valid, unexpired CKA (the CKAD does not count) |
| Cost | US$445 exam-only, one free retake, 12-month eligibility window |
| Included | Two official simulator sessions (killer.sh), 36 hours of access each, 17 questions per session |
| Kubernetes version | v1.35 |
| Validity | 2 years |
The CKA tests whether you can operate a cluster. The CKS assumes you can, then tests whether you can secure one, and security is a wider surface than administration. On the CKA, most tasks live inside kubectl and a handful of config files. On the CKS, a single task can require you to write a NetworkPolicy, check it against a running workload, and confirm the traffic behavior, while the next asks you to load an AppArmor profile on a node, and the one after that has you reading audit logs to spot what a misbehaving workload touched.
Three things fail prepared-looking candidates. First, tool breadth: the exam expects working familiarity with security tooling around Kubernetes, not just Kubernetes itself, and each tool costs setup and syntax time you cannot spare. Second, the prerequisite effect: because everyone in the room already holds a CKA, the question difficulty is calibrated to a stronger baseline. Third, time: 2 hours feels short when individual tasks span multiple objects. The candidates who pass treat speed as a first-class skill and rehearse until the common security objects come out of their fingers without documentation.
| Domain | Weight | What it covers |
|---|---|---|
| Minimize Microservice Vulnerabilities | 20% | Pod security standards, admission control, secrets management, sandboxed runtimes |
| Supply Chain Security | 20% | Image scanning, SBOMs, artifact signing and validation, static analysis of workloads |
| Monitoring, Logging and Runtime Security | 20% | Behavioral analytics, audit logs, container immutability, detecting threats at runtime |
| Cluster Setup | 15% | NetworkPolicies, CIS benchmark checks, ingress with TLS, protecting node metadata |
| Cluster Hardening | 15% | RBAC, ServiceAccounts, restricting API server exposure, upgrade cadence |
| System Hardening | 10% | AppArmor, seccomp, least-privilege access, reducing the host attack surface |
Notice that the three 20% domains are the newer-skills territory. Supply chain security in particular trips up candidates who prepared on older material, because SBOMs and artifact signing were not part of most Kubernetes study guides until recently. If your course never mentions SBOMs or seccomp, it predates the current curriculum and will leave scored gaps. The same supply chain discipline is spreading beyond Kubernetes: teams shipping AI agents now put a dedicated security layer around agent tool use and data access for exactly the reasons this domain exists, because the runtime is only as trustworthy as what you allow into it and what you watch it do.
| CKA | CKAD | CKS | |
|---|---|---|---|
| Passing score | 66% | 66% | 67% |
| Prerequisite | None | None | Valid CKA required |
| Assumed baseline | Kubernetes basics | Kubernetes basics | Full CKA-level cluster fluency |
| Skill surface | Cluster operations | Workload development | Security tooling on top of operations |
| Typical rating by holders | Hard | Hard, narrower | Hardest of the three |
The comparison clarifies what "hardest" means here. The CKA and CKAD are hard because the hands-on format punishes shallow prep. The CKS keeps that format, raises the baseline to people who already beat it once, and adds a security stack on top. Same clock, more surface, stronger field.
Yes, and it is a hard requirement, not a recommendation. You must hold a valid, unexpired CKA before you can sit the CKS, and the CKAD does not substitute. If your CKA has lapsed, you have to renew it first. Practically, this means the CKS is a second US$445 commitment on top of maintaining the first one, and both stay on a rolling 2-year renewal cycle once you hold them.
67%, one point higher than the 66% bar on the CKA and CKAD. The score comes from weighted hands-on tasks, partial credit exists within tasks, and your report is emailed within 24 hours. The fee includes one free retake with a 12-month eligibility window, so a first-attempt miss is recoverable without new spend, but the retake calibration should be honest: if you failed on breadth, two more weeks of the same prep will not change the outcome.
It depends almost entirely on how much of the six domains you already do at work. A platform engineer who writes NetworkPolicies and manages RBAC daily is mostly closing tool gaps like AppArmor profiles and SBOM generation. An administrator who passed the CKA but has never touched admission controllers is learning a genuinely new skill set and should plan accordingly. The two included simulator sessions are the best calibration instrument you get: take the first one early, not as a final dress rehearsal, and let the score tell you which domains need the remaining weeks. Save the second session for the week before your date.
The simulator rehearses execution, but execution rests on recall: you cannot type a pod security standard you cannot remember. That recall layer is fastest to build from your own material. Upload your Kubernetes security notes, course PDFs, or the current curriculum to the CKS practice exam generator and it writes unlimited practice questions with an answer key across all six domains, so you drill secrets handling, admission control, and audit log reading until answers are automatic before you spend simulator hours on typing speed. The same upload-and-drill approach works for the prerequisite via the CKA practice exam page, and developers on your team who do not need the security track usually want the CKAD practice exam instead.
Hard enough that it filters, which is the point. The prerequisite means the CKS is the only Kubernetes cert where every holder has passed two hands-on exams, and US hiring for platform security, DevSecOps, and senior SRE roles treats it accordingly. If you can already do cluster security work, the exam is mostly a speed and breadth check. If you cannot yet, the curriculum is an unusually good map of what US companies actually mean by Kubernetes security in 2026: supply chain checks, runtime detection, and hardening at every layer. Build the recall first, rehearse in the simulator second, and book the date when your first simulator score clears the bar with room to spare.
Z tej samej rodziny narzędzi