What Preparing for CKS Taught Me About Kubernetes Security
Preparing for the CKS certification was less about passing an exam and more about understanding how Kubernetes security works in real environments.
Instead of focusing on specific scenarios, the preparation pushed me to think about how clusters fail, how security gaps appear over time and how small misconfigurations can slowly turn into real risks.
Below are the key security lessons, with references and practical commands included under each topic, so this remains useful beyond just reading.
Runtime Security is About Behavior
Runtime security is about understanding what ‘normal’ looks like for a workload. Containers are designed to be predictable. When they behave differently, it is often a signal that something is wrong. Focusing on meaningful behavior changes is far more effective than reacting to every single alert.
References
Useful Commands
kubectl get pods -A
kubectl logs <pod-name> -n <namespace>
systemctl status falco
Network Policies Force Clarity
Network policies make communication paths explicit. When everything can talk to everything, security risks remain hidden, and troubleshooting becomes harder. Clear rules improve both security and overall system understanding.
References
Useful Commands
kubectl get networkpolicy -A
kubectl describe networkpolicy <policy-name> -n <namespace>
Pod Security Reduces Blast Radius
Pod Security Standards encourage running workloads with the least privilege possible. Non-root users, read-only filesystems and dropped capabilities reduce the impact of mistakes or vulnerabilities. This is one of the simplest ways to improve cluster security.
References
- https://kubernetes.io/docs/concepts/security/pod-security-standards/
- https://kubernetes.io/docs/concepts/security/pod-security-admission/
Useful Commands
kubectl get ns
kubectl label namespace <ns> pod-security.kubernetes.io/enforce=restricted
kubectl describe pod <pod-name> -n <namespace>
Prevent Problems Before They Reach the Cluster
Admission controls help stop unsafe configurations before workloads are deployed. This approach saves far more time than fixing issues during or after incidents. Security works best when it is enforced early.
References
Audit Logs Answer Hard Questions
Audit logs are useful when they clearly show who made a change, what was changed and when it happened. Without this visibility, security investigations become guesswork. Good auditing supports both security and accountability.
References
Useful Commands
kubectl get events -A
kubectl logs kube-apiserver-<node> -n kube-system
Upgrades Are a Security Activity
Cluster and node upgrades are not just maintenance tasks — they remove known vulnerabilities and improve overall stability. Delaying upgrades quietly increases risk. Regular upgrades are part of a healthy security posture.
References
Useful Commands
kubectl get nodes
kubectl drain <node-name> --ignore-daemonsets
kubectl uncordon <node-name>
Image and Supply Chain Security Start Early
Kubernetes cannot fix insecure images. Using minimal images and understanding what is inside them reduce risk before workloads even run. Supply chain visibility is becoming increasingly important.
References
Useful Commands
kubectl describe pod <pod-name> -n <namespace>
kubectl exec -it <pod-name> -n <namespace> -- sh
Access Should Always Be Explicit
Secrets, service accounts and permissions should be clearly defined. Defaults often provide more access than necessary, which increases risk. Explicit access makes systems easier to secure and audit.
References
- https://kubernetes.io/docs/concepts/configuration/secret/
- https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
Useful Commands
kubectl get secrets -n <namespace>
kubectl describe serviceaccount <sa-name> -n <namespace>
Final Thoughts
Preparing for CKS reinforced that Kubernetes security is not about a single tool or feature. It is about good defaults, clear boundaries and consistent operational practices.
These lessons apply directly to running safer, more reliable Kubernetes clusters in production.


