Learning how to pass the CKS exam in 2026 is less about memorising facts and more about proving you can harden a live Kubernetes cluster under time pressure. The Certified Kubernetes Security Specialist (CKS) is a two-hour, fully hands-on exam with no multiple-choice questions, so a reading-heavy revision plan will not get you there. You need a schedule that puts you in a terminal from day one.
This guide gives you a realistic 6-week study plan built around the current v1.34 blueprint, the exact domain weights, and the specific tools the exam expects you to run from memory. If you have already passed the CKA and can commit to focused evening and weekend study, six weeks is enough to walk in prepared.
What the CKS Exam Actually Tests in 2026
The CKS is the security specialist tier of the CNCF Kubernetes certification ladder. It assumes you already know how to operate a cluster and instead asks whether you can secure one across its whole lifecycle, from build to runtime.
Here are the current exam facts you should plan around:
- The CKS exam costs $445, and that fee includes one free retake within 12 months plus two killer.sh simulator attempts.
- It is a performance-based exam lasting 2 hours, delivered in a remote Linux terminal on real clusters.
- You face roughly 15 to 16 hands-on tasks, each carrying its own weight.
- The pass mark is 67%.
- You must hold an active, unexpired CKA before the Linux Foundation will let you register.
Exam Tip: The CKA prerequisite is a hard gate, not a suggestion. If your CKA has lapsed you cannot sit the CKS until you renew or retake it, so check your certification expiry date before you book.
The exam environment tracks the most recent Kubernetes minor version, usually within four to eight weeks of that version's release, which is why the 2026 sitting is aligned to the v1.34 and v1.35 line. Practising on an older cluster is fine for fundamentals, but confirm that any version-specific behaviour you rely on still holds on a current release.
The v1.34 CKS Domains and Their Weights
Every task on the exam maps to one of six domains. Knowing the weights tells you where to spend your study hours, because the three heaviest domains together make up 60% of your score.
| Domain | Weight | What it covers |
|---|---|---|
| Minimize Microservice Vulnerabilities | 20% | Security contexts, Pod Security Standards, mTLS, OPA Gatekeeper or Kyverno policies |
| Supply Chain Security | 20% | Image scanning, image signing, SBOMs, whitelisting base images, static analysis |
| Monitoring, Logging and Runtime Security | 20% | Falco rules, behavioural analytics, audit logging, immutability at runtime |
| Cluster Setup | 15% | Network policies, CIS benchmarks, ingress TLS, protecting node metadata |
| Cluster Hardening | 15% | RBAC, service account hardening, restricting API access, upgrading Kubernetes |
| System Hardening | 10% | AppArmor, seccomp, kernel hardening, minimising host footprint |
Two lessons fall straight out of that table. First, Supply Chain Security and Minimize Microservice Vulnerabilities are now weighted 20% each, so tooling like Trivy, image signing and admission policies are no longer edge cases, they are core marks. Second, System Hardening at 10% is the lightest domain, so do not sink days into obscure kernel tuning at the expense of RBAC or network policies.
Exam Tip: If you are short on time, prioritise the three 20% domains. Getting fluent in NetworkPolicy, Pod Security Standards, Trivy scanning and Falco rules covers a large share of the available marks.
The Tools You Must Be Able to Run Without Notes
The CKS is a tools exam. You are given one browser tab pointed at the official kubernetes.io/docs, kubernetes.io/blog and github.com/kubernetes, and nothing else. You cannot rely on searching a vendor's docs mid-exam, so the following tools need to be muscle memory:
- kube-bench for auditing a cluster against the CIS Kubernetes Benchmark.
- Trivy for scanning container images for known vulnerabilities.
- Falco for runtime threat detection and writing or reading custom rules.
- AppArmor and seccomp for restricting what a container can do at the syscall and profile level.
- OPA Gatekeeper or Kyverno for admission control policies that block non-compliant workloads.
- NetworkPolicy manifests for building a default-deny posture and then allowing only the traffic you intend.
You should be able to apply, verify and troubleshoot each of these from the command line quickly, because the clock is the hardest part of the exam. Slow reasoning fails candidates far more often than gaps in knowledge.
The 6-Week CKS Study Plan
This plan assumes you passed the CKA within the last year, so the core operational skills are fresh, and that you can commit around 8 to 10 hours a week. Spend roughly 80% of that time in a terminal and only 20% reading. If your security background is thin, stretch the plan to 8 weeks by giving the two 20% supply chain and microservice domains an extra week each.
Week 1: Cluster Setup and Network Policies
Start with the perimeter. Build a kind or minikube cluster you are happy to break repeatedly. Work through NetworkPolicy from a default-deny baseline, then add ingress and egress rules until only intended traffic flows. Set up ingress with TLS termination and lock down access to node metadata endpoints.
Run kube-bench against your cluster and read every failed CIS control so you understand what a hardened baseline looks like. This is your foundation for the rest of the plan.
Week 2: Cluster Hardening and RBAC
Spend the week inside RBAC. Create roles and cluster roles, bind them tightly, and practise restricting service accounts to the least privilege a workload needs. Disable automatic service account token mounting where it is not required. Practise restricting anonymous and unauthenticated access to the API server, and rehearse a minor version upgrade of the cluster, because upgrading Kubernetes safely is an examinable skill.
Week 3: Minimize Microservice Vulnerabilities
This is a 20% domain, so give it a full week. Drill Pod Security Standards and security contexts until you can lock a Pod down from memory: non-root users, read-only root filesystems, dropped capabilities. Deploy OPA Gatekeeper or Kyverno and write admission policies that reject workloads breaking your rules. Set up mTLS between services so you understand how in-cluster traffic is authenticated and encrypted.
Week 4: Supply Chain Security
The second 20% domain. Scan images with Trivy and learn to read the output, then practise whitelisting approved base images and blocking everything else through an admission controller. Work through image signing and verification, generate a software bill of materials (SBOM), and add static analysis of your Kubernetes manifests to catch insecure settings before they ship.
Exam Tip: Take your first killer.sh simulator attempt at the end of week 4. It runs about 15% to 20% harder than the real exam, so treat a middling score as normal and use it to find your weak domains, not as a pass or fail verdict.
Week 5: Runtime Security, Monitoring and System Hardening
Cover the third 20% domain plus the lightest one together. Install Falco, read its default rules, and write a custom rule that alerts on a suspicious action such as a shell spawning inside a container. Enable and configure audit logging on the API server so you can trace who did what. Then handle System Hardening: apply an AppArmor profile to a Pod, attach a seccomp profile, and confirm both are actually enforced.
Week 6: Full Simulations and Weak-Spot Repair
Stop learning new material. Run timed, full-length practice sessions under exam conditions, using only the allowed documentation tab. Fix every task type that slows you down, and rehearse the fast context-switching between clusters that the exam requires. Take your second killer.sh attempt around 48 hours before exam day as a final calibration, then rest the day before rather than cramming.
Common Reasons Candidates Fail the CKS
Most CKS failures are not knowledge failures, they are speed and habit failures. Watch for these:
- Running out of time. With around 15 to 16 tasks in two hours, you have roughly seven to eight minutes each. Flag anything that stalls you and move on.
- Never using the allowed docs efficiently. Bookmark the exact kubernetes.io/docs pages for NetworkPolicy, Pod Security and seccomp so you can jump to a working YAML example in seconds.
- Forgetting to set the context. Each task can target a different cluster. Skipping the kubectl context switch means you harden the wrong environment and lose the marks.
- Not verifying your work. Applying a manifest is not the same as it working. Confirm the policy blocks or the profile enforces before you move on.
Avoiding those four mistakes is often the difference between a comfortable pass and a narrow miss.
CKA vs CKS: How the Two Compare
If you are weighing up where the CKS sits, this quick comparison against the CKA you already hold puts it in context.
| Feature | CKA | CKS |
|---|---|---|
| Focus | Operating and administering clusters | Securing clusters end to end |
| Prerequisite | None | Active CKA required |
| Format | Hands-on, performance-based | Hands-on, performance-based |
| Pass mark | 67% | 67% |
| Core tools | kubectl, etcd, kubeadm | Falco, Trivy, kube-bench, OPA or Kyverno |
If you want a refresher on the administrator exam first, our guide on how to pass the CKA exam in 2026 walks through the operational foundation the CKS builds on. For a broader view of which credentials pay off this year, see our roundup of the best IT certifications for 2026.
Ready to Start Practising?
The CKS rewards hands-on repetition, and the fastest way to find your weak domains is to test yourself against realistic questions before you sit the real thing. CertCrush gives you targeted practice across Kubernetes security so you walk in knowing exactly which domains need more work.
Create your free CertCrush account and start drilling CKS-style questions today, then explore the full range of security and cloud native tracks on our courses page. Build the terminal fluency now, and the two-hour clock on exam day stops being the thing that beats you.