Security domains & threat model
The six domains and what an attacker does with a foothold.
Securing a cluster is CKA plus a security lens — you already know how the pieces work, now the question is how they fail and who is trying to make them fail. The material here is organized the way the CKS curriculum is: six domains, each a layer an attacker has to get through, and each mapped to concrete controls you configure by hand. Nothing in this course is theoretical; every lesson ends at a manifest, a flag, or a command you would actually run.
The exam it mirrors is hands-on and unforgiving: two hours, fifteen to twenty tasks on live clusters, 67% to pass, with the official Kubernetes docs open in a second tab. That format shapes how you should learn it — not as trivia but as muscle memory. You are not asked “what is a NetworkPolicy”; you are dropped on a cluster with a task that says “default-deny the payments namespace but keep DNS working,” and the clock is running.
Think like the foothold
Every control in this course answers a step an attacker takes after landing in one pod — a remote-code-execution bug in your app, a token scraped from a mounted secret, a dependency someone poisoned upstream. The useful question is never “is the cluster secure,” which has no answer, but “what can someone do from inside this one container, and how far can they get before something stops or notices them.” Every domain severs one link in that chain.
Defence in depth, concretely
Defence in depth is not a slogan here — it is the assumption that any single layer will fail, so the next one has to cost the attacker something. A pod that gets popped should already be non-root with a read-only filesystem (so there is little to do), on a default-deny network (so there is nowhere to pivot), running a signed image (so it could not have been swapped), watched by Falco (so the shell fires an alert) with the API call landing in an audit log (so you can reconstruct it). No layer is trusted to be sufficient alone.
This also tells you where to spend effort. The runtime-heavy domains — microservice security, supply chain, and detection — are both the highest-weighted on the exam and the ones that matter most in a real breach, because they govern what a workload can do once it is running and whether you find out. Cluster and system hardening are the foundation under them: necessary, lower drama, and mostly a matter of knowing the flags.