CKS Exam Glossary - 70 Terms

Search the terminology pack for Certified Kubernetes Security Specialist. Use these definitions with the study guide and practice questions.

Download App Study Guide Free Practice Exam

A

Anchore Enterprise: A commercial vulnerability scanning tool mentioned for image scanning.
AppArmor: A Linux kernel hardening framework used to apply security profiles to containers.
attestations: Verifiable statements attached to OCI artifacts to support supply chain validation.
audit-policy.yaml: The Kubernetes audit policy configuration file used to control audit log levels such as None, Metadata, Request, and RequestResponse.
AWS Secrets Manager: An AWS external secret manager used for Kubernetes secret integration.

B

BoundServiceAccountTokenVolume: A Kubernetes feature for using projected service account tokens instead of legacy long-lived tokens.

C

CI/CD: Continuous integration and continuous delivery/deployment pipelines, mentioned as the place where scanning and admission webhook checks can be integrated.
CIS Kubernetes Benchmark: A security benchmark used to review and score the security configuration of Kubernetes components.
Clair: A tool used for container image vulnerability scanning.
ClusterRole: A cluster-scoped RBAC role used to grant permissions across the cluster; contrasted in the text with Role.
ClusterRoleBinding: An RBAC binding that attaches a ClusterRole to subjects at cluster scope; contrasted in the text with RoleBinding.
CNI: Container Network Interface, the plugin framework used by Kubernetes networking components. In the text, Calico, Cilium, and Weave Net are mentioned as CNI plugins that can enforce NetworkPolicy.
Connaisseur: A tool used for container image verification.
Cosign: A Sigstore project tool used for container image signing.
CSPM: Cloud Security Posture Management, a class of tools used to detect threats across infrastructure, apps, networks, data, users, and workloads.
CVE: Common Vulnerabilities and Exposures, a vulnerability identifier system used in the text for tracking Kubernetes version security issues.

D

Distroless images: Container images built with minimal or no operating-system userland to reduce base image footprint.

E

eBPF: Extended Berkeley Packet Filter, a kernel technology used by Tracee and Tetragon for runtime security monitoring.

F

Falco: A runtime threat detection tool that performs behavioral analytics on syscall, process, and file activity.

G

GCP Secret Manager: A Google Cloud external secret manager used for Kubernetes secret integration.
Grype: A tool used for container image vulnerability scanning.
gVisor: A container runtime sandbox mentioned as a RuntimeClass option for multi-tenant environments.

H

Hadolint: A linter used for Dockerfile analysis.
HashiCorp Vault: An external secret manager used to store and provide secrets to Kubernetes workloads.

I

Image pull policy: A Kubernetes image retrieval setting; the text notes that setting it to Always can bypass tag pinning.
ImagePolicyWebhook: A Kubernetes admission controller used to whitelist allowed image registries and enforce image validation policies.
IMDS: Instance Metadata Service, a node metadata endpoint that should be protected from unauthorized access.
Ingress: A Kubernetes object used to configure external access to services, including TLS termination at the Ingress layer.
Ingress Controller: A controller that implements Ingress rules and can be security-configured; the text names Nginx, Traefik, and Contour.
IRSA: IAM Roles for Service Accounts, an AWS mechanism for assigning cloud IAM permissions to Kubernetes service accounts.
Istio: A service mesh mentioned as providing automatic mTLS for pod-to-pod encryption.

K

Kata Containers: A container runtime sandbox mentioned as a RuntimeClass option for multi-tenant environments.
kube-bench: An automated audit tool used to check Kubernetes clusters against the CIS Kubernetes Benchmark.
kube-linter: A static analysis tool for scanning Kubernetes manifests.
kube-score: A static analysis tool for scanning Kubernetes manifests.
kubeadm: A Kubernetes bootstrap and lifecycle tool used here for upgrade planning and applying upgrades.
kubectl debug: A Kubernetes command used for live troubleshooting and ephemeral debug containers.
Kubernetes NetworkPolicy: A Kubernetes resource used to restrict cluster-level network access by defining ingress and egress rules for pods. The text highlights default-deny policies and namespace isolation as common uses.
kubesec: A static analysis tool for scanning Kubernetes manifests.
Kyverno: A Kubernetes policy engine used for policy enforcement.

L

Linkerd: A service mesh mentioned as providing automatic mTLS for pod-to-pod encryption.
Loki: A log storage and query system mentioned as a sink for webhook-backed audit logs.

M

MITRE ATT&CK: A threat framework used to detect and map attack phases, including for containers and Kubernetes.
mTLS: Mutual TLS, a transport security mechanism used for pod-to-pod encryption in service meshes.
Multi-stage Docker builds: A Docker build technique that uses multiple build stages to reduce the final image size.

N

Notary: A tool used for container image verification.

O

OCI: Open Container Initiative, referenced in the text through OCI artifact attestations.
OPA Gatekeeper: A policy enforcement tool for Kubernetes admission control.
OpenSearch: A search and analytics engine mentioned as a sink for webhook-backed audit logs.

P

Pod Security Admission: The Kubernetes admission mechanism for enforcing Pod Security Standards using namespace-level labels.
Pod Security Standards: Kubernetes pod security levels defined as Privileged, Baseline, and Restricted.
PodSecurityPolicy: A deprecated Kubernetes mechanism previously used to control pod security, noted as being migrated away from in favor of Pod Security Admission.

R

RBAC: Role Based Access Control, the Kubernetes authorization model used to limit access through roles, bindings, and least-privilege permissions.
readOnlyRootFilesystem: A pod or container security setting that makes the root filesystem read-only to improve runtime immutability.
Role: A namespace-scoped RBAC role used to grant permissions within a namespace; contrasted in the text with ClusterRole.
RoleBinding: An RBAC binding that attaches a Role to subjects within a namespace; contrasted in the text with ClusterRoleBinding.
RuntimeClass: A Kubernetes mechanism for selecting a container runtime such as gVisor or Kata Containers.

S

scratch images: Container images based on an empty base image, used to minimize image footprint.
seccomp: A Linux kernel hardening mechanism that restricts system calls through security profiles such as Default, RuntimeDefault, and Localhost.
Secret encryption at rest: Encryption of Kubernetes Secrets while stored in the cluster, configured with an encryption provider config.
SELinux: Security-Enhanced Linux, a Linux security framework whose contexts can be set in Kubernetes SecurityContext.
ServiceAccount: A Kubernetes identity used by pods and workloads; the text notes that its token can be auto-mounted or projected.
Sigstore: A project associated with Cosign for image signing and verification.
Snyk: A commercial vulnerability scanning tool mentioned for image scanning.
SPIFFE: The Secure Production Identity Framework for Everyone, used for workload identity in Kubernetes environments.
SPIRE: The SPIFFE Runtime Environment, used with SPIFFE for workload identity.

T

Tetragon: An eBPF-based runtime security tool mentioned for threat detection.
Tracee: An eBPF-based runtime security tool mentioned for threat detection.
Trivy: A tool used for container image vulnerability scanning.

W

Workload Identity: A GKE identity mechanism that maps Kubernetes workloads to cloud identities, mentioned as an alternative to IRSA.

About These Definitions

These definitions are loaded from the shared release pack. Use them with the study guide and practice questions to connect vocabulary to exam scenarios.

Download App Read the full study guide Take the free practice exam