Skip to content


This class prepares students for the Certified Kubernetes Security Specialist (CKS) exam.

Select a date below


Dates are listed in Pacific Time Zone

= Guaranteed to run date


Print Friendly, PDF & Email


This class prepares students for the Certified Kubernetes Security Specialist (CKS) exam. Kubernetes is a Cloud Orchestration Platform providing reliability, replication, and stability while maximizing resource utilization for applications and services. By the conclusion of this hands-on, vendor agnostic training you will be equipped with a thorough understanding of cloud security fundamentals, along with the knowledge, skills and abilities to secure a Kubernetes cluster, detect threats, and properly resolve a security catastrophe. This course includes hands-on instruction which develops skills and knowledge for securing container-based applications and Kubernetes platforms, during build, deployment, and runtime. We prioritize covering all objectives and concepts necessary for passing the Certified Kubernetes Security Specialist (CKS) exam.  You will be provided the components necessary to assemble your own high availability Kubernetes environment and harden it for your security needs.


This course is intended for students who have experience with the core components of Kubernetes.

It is suggested that students take the Certified Kubernetes Administrator course prior to taking the Certified Kubernetes Security Specialist course. However, instructors will always strive to assure every student gains a very thorough understanding of the material covered, regardless of the students’ prior experience. Furthermore, this course has already taken into consideration the attendance of less experienced learners.

Finally, experience and knowledge of Linux fundamentals is strongly recommended.


  • Security Professionals working with Kubernetes Clusters
  • Container Orchestration Engineers
  • DevOps Professionals


Module 1: Learning Your Environment

  • Underlying Infrastructure
  • Using Vim
  • Tmux

Module 2: Cloud Security Primer

  • Basic Principles
  • Threat Analysis
  • Approach
  • CIS Benchmarks

Module 3: Securing your Kubernetes Cluster

  • Kubernetes Architecture
  • Pods and the Control Plane
  • Kubernetes Security Concepts

Module 4: Install Kubernetes using kubeadm

  • Configure Network Plugin Requirements
  • Kubeadm Basic Cluster
  • Installing Kubeadm
  • Join Node to Cluster
  • Kubeadm Token
  • Manage Kubeadm Tokens
  • Kubeadm Cluster Upgrade

Module 5: Securing the kube-apiserver

  • Configuring the kube-apiserver
  • Enable Audit Logging
  • Falco
  • Deploy Falco to Monitor System Calls
  • Enable Pod Security Policies
  • Encrypt Data at Rest
  • Encryption Configuration
  • Benchmark Cluster with Kube-Bench
  • Kube-Bench

Module 6: Securing ETCD

  • ETCD Isolation
  • ETCD Disaster Recovery
  • ETCD Snapshot and Restore

Module 7: Purge Kubernetes

  • Purge Kubeadm

Module 8: Image Scanning

  • Container Essentials
  • Secure Containers
  • Creating a Docker Image
  • Scanning with Trivy
  • Trivy
  • Snyk Security

Module 9: Manually Installing Kubernetes

  • Kubernetes the Alta3 Way
  • Deploy Kubernetes the Alta3 Way
  • Validate your Kubernetes Installation
  • Sonobuoy K8s Validation Test

Module 10: Kubectl (Optional)

  • Kubectl get and sorting
  • kubectl get
  • kubectl describe

Module 11: Labels (Optional)

  • Labels
  • Labels and Selectors
  • Annotations
  • Insert an Annotation

Module 12: Securing your Application

  • Scan a Running Container
  • Tracee
  • Security Contexts for Pods
  • Understanding Security Contexts
  • AppArmor Profiles
  • AppArmor
  • Isolate Container Kernels
  • gVisor

Module 13: Pod Security

  • Pod Security Policies
  • Deploy a PSP
  • Pod Security Standards
  • Enable PSS

Module 14: Open Policy Agent (OPA)

  • Admission Controller
  • Create a LimitRange
  • Open Policy Agent
  • Policy as Code
  • Deploy Gatekeeper

Module 15: User Administration

  • Contexts
  • Authentication and Authorization
  • Role Based Access Control
  • RBAC Distributing Access
  • Service Accounts
  • Limit Pod Service Accounts

Module 16: Securing Secrets

  • Secrets
  • Create and Consume Secrets
  • Hashicorp Vault
  • Deploy Vault

Module 17: Securing the Network

  • Networking Plugins
  • NetworkPolicy
  • Deploy a NetworkPolicy
  • mTLS
  • Linkerd
  • mTLS with istio
  • istio

Module 18: Threat Detection

  • Active Threat Analysis
  • Host Intrusion Detection
  • Deploy OSSEC
  • Network Intrusion Detection
  • Deploy Suricata
  • Physical Intrusion Detection

Module 19: Disaster Recovery

  • Harsh Reality of Security
  • Deploy a Response Plan
  • Kasten K10 Backups
  • Deploy K10

Additional information


5 days

Guaranteed to run