2021-10-06

Back to Kubernetes blog.

CKAD CKA CKS Allowed URLs and Bookmarks

A few common questions many people (myself included) have around the Kubernetes exams are what websites you are allowed to access during the exam and how many web browsers or tabs you can have open. As I prepare for my CKS exam this week, I wanted to make sure I knew what resources we have available to us. You can, and will, be kicked out of your exam if you do not follow their strict guidelines.

You can only have two tabs open: (1) with the actual exam and (2) with documentation. No other windows are allowed (web browser or otherwise), which means no split-screen windows. Sorry to all the 4K and/or ultra-wide monitor users out there. Below is the list of documentation websites you can access and bookmark:

CKA and CKAD:

CKS:

For setting yourself up for success, organize all of your bookmarks into at least one folder. Sort them by importance. The concepts or references you need the most should be at the top for quick and easy access.

Hopefully these small tips help prepare you for success! Good luck with your exams!

Source: “Important Instructions: CKA and CKAD.” September 29, 2021. Accessed October 6, 2021. https://docs.linuxfoundation.org/tc-docs/certification/faq-cka-ckad-cks

2021-08-03

CKS Exam Expectations

These are my expectations for the kind of questions to expect on the Certified Kubernetes Security (CKS) exam.

DISCLAIMER: These are predictions largely based on the official CKS Curriculum and courses found on Udemy. I’ve NOT taken any CKS exams (practice, real, or otherwise). I’m writing my thoughts down now before I start taking practice exams and enter NDA territory. These questions will NOT reflect what is exactly on the exam and are only educated guesses for what we should be prepared for.

Practice Exam

Without further ado, here is a practice exam I’ve created that you can use as study material. Do not consider this a comprehensive/complete list of questions. Use it as a starting point.

  • Build a container using a Dockerfile with a multi-stage build.
    • The last stage should use the lightweight “alpine” image.
  • Create a PodSecurityPolicy to force Pods to be read-only.
  • Deploy a WordPress website with a HTTP front-end (nginx) and a database back-end (mysql).
    • Pod configuration:
      • Use the gVisor/runsc container runtime class.
      • Apply an existing AppArmor profile for the NGINX container.
      • Run as a non-root user.
      • Add the “CAP_SYS_ADMIN” capability.
        • (Production tip: avoid using this capability as it grants near-root levels of access).
      • Disable the ServiceAccount mount.
    • Use NetworkPolicies to only allow traffic to/from the relevant ports (80 and 3306) used by the Pods.
    • Create a self-signed certificate and store it as a Secret object.
    • Create an Ingress object with the TLS certificate.
      • (Lab tip: use “cert-manager” to automate certificate creation).
  • Encrypt all existing Secret objects and ensure new Secrets will also be encrypted.
  • Use crictl to manually access a container running on a worker node.
  • Upgrade Kubernetes from one minor version to the next: 1.21.0 to 1.22.0.
  • Create a new user account using the ClusterRole, ClusterRoleBinding, and CertificateSigningRequest APIs.
  • Create a new ServiceAccount.
  • Create a new ConstraintTemplate object with a provided OPA policy.
  • Scan the “nginx:1.18.0” image with Trivy.
  • Run CIS benchmarks with ‘kube-bench’.
  • Run a system scan with Falco.
  • Find all non-Kubernetes systemd services and stop them.
  • Enable audit logging in the kube-apiserver.
    • Identify which users are interacting with the API.
  • Enable ImagePolicyWebhook in the kube-apiserver.
    • Allow the container image “nginx:1.18.0” to be used on the Kubernetes cluster.
  • Verify the checksum of the binaries installed with those mentioned in the official Kubernetes change log.
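As an added example (not from the original post), here is a small Python audit of a Pod manifest against the "Pod configuration" items in this list, the kind of check you would otherwise encode in an OPA ConstraintTemplate. The RuntimeClass name "gvisor", the AppArmor profile "k8s-nginx", and both sample manifests are assumptions constructed for the example.

```python
"""Audit a Pod manifest against the hardening items in the practice task.

Added example, not from the original post. The checks mirror the "Pod
configuration" bullets plus the production tip on CAP_SYS_ADMIN. RuntimeClass
"gvisor" and profile "k8s-nginx" are assumptions; manifests are constructed.
"""
from typing import Dict, List

APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"

def _strip_cap(cap: str) -> str:
    """Normalise 'CAP_SYS_ADMIN' (as written in the task) to 'SYS_ADMIN'."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap

def audit_pod(pod: Dict, runtime_class: str = "gvisor") -> List[str]:
    """Return human-readable findings; an empty list means the Pod passes."""
    findings = []
    spec = pod.get("spec", {})
    annotations = pod.get("metadata", {}).get("annotations", {})
    pod_sc = spec.get("securityContext", {})

    if spec.get("runtimeClassName") != runtime_class:
        findings.append(f"runtimeClassName is not '{runtime_class}'")
    # Kubernetes mounts the ServiceAccount token unless this is set to false.
    if spec.get("automountServiceAccountToken", True):
        findings.append("automountServiceAccountToken is not disabled")

    for container in spec.get("containers", []):
        name = container["name"]
        c_sc = container.get("securityContext", {})
        # A container-level securityContext overrides the Pod-level one.
        if c_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        # AppArmor is applied per container through this annotation.
        profile = annotations.get(APPARMOR_PREFIX + name)
        if not profile or profile == "unconfined":
            findings.append(f"{name}: no AppArmor profile applied")
        caps = c_sc.get("capabilities", {}).get("add", [])
        if "SYS_ADMIN" in {_strip_cap(c) for c in caps}:
            findings.append(f"{name}: adds CAP_SYS_ADMIN (near-root access)")
    return findings

# Constructed sample: the nginx front-end Pod with the hardening applied.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {
        "name": "wordpress-web",
        "annotations": {APPARMOR_PREFIX + "nginx": "localhost/k8s-nginx"},
    },
    "spec": {
        "runtimeClassName": "gvisor",
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 101},
        "containers": [{"name": "nginx", "image": "nginx:1.18.0",
                        "ports": [{"containerPort": 80}]}],
    },
}

# Constructed sample: defaults as kubectl run would emit, plus the task's cap.
DEFAULT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "wordpress-web"},
    "spec": {"containers": [{
        "name": "nginx", "image": "nginx:1.18.0",
        "securityContext": {"capabilities": {"add": ["CAP_SYS_ADMIN"]}},
    }]},
}

if __name__ == "__main__":
    for label, pod in (("hardened", HARDENED_POD), ("default", DEFAULT_POD)):
        print(label, audit_pod(pod) or ["OK"])
```

Running the script reports no findings for the hardened Pod and five for the default one, one per hardening item the task lists.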

If you can do everything from above, you’re most likely in a good spot to get a passing score.

Parting Words

The CKS builds on top of the concepts covered by the Certified Kubernetes Administrator (CKA) exam. That also makes it the most challenging exam the Cloud Native Computing Foundation (CNCF) has made to date. Only take the CKS if you’ve already passed the CKA.

Be sure to also check out my related guide on Tips to Help You Pass Any Kubernetes Exam.

2021-05-18

Tips to Help You Pass Any Kubernetes Exam

Trying to get your CKA, CKAD, and/or CKS certification for fun, profit, and/or glory? Here are the top tips for success based on my own experiences!

Exams Order/Priority

All of the exams are very similar and build off one another. Assuming your goal is to obtain all of the certifications, tackle them in the order below. This provides a clear path of adding on additional APIs and tools one exam at a time. That means that, for example, taking the CKA before the CKAD would probably be a harder experience.

  1. Certified Kubernetes Application Developer (CKAD)
  2. Certified Kubernetes Administrator (CKA)
  3. Certified Kubernetes Security Specialist (CKS)

Schedule a Date

“If you talk about it, it’s a dream. If you envision it, it’s possible. But if you schedule it, it’s real.” - Anthony Robbins. This is hands-down one of my favorite quotes, which I discovered from a mentee/mentor of mine.

I found that I was ready for the CKA exam after a few months of studying. My biggest downfall was never scheduling the exam in the first place. I spent extra time over-preparing and trying to always dig deeper. After all, the end-goal wasn’t to get a seemingly worthless piece of paper. It’s to build up your skills to help you with your job! Just make sure you have a clear goal to work towards, or otherwise you won’t have anything to show for it!

Get the certification first and then your time will be freed up to go that extra mile of learning more of the related and advanced Kubernetes topics. If nothing else, this will unlock new job opportunities sooner. Recruiters will be knocking on your door!

Study Time

If you want to become an expert in anything, you need to devote time every day. No exceptions. I aim for 1 hour a day. Even if I can’t commit a full hour, I try to spend a minimum of 30 minutes. On “cheat days” I’ll just watch tutorial videos online and not do hands-on. However, the hands-on experience is the most valuable.

Study Resources

Great, you want to dedicate time every day to learn! Now what?

For learning the primary exam materials, there are no better courses than the ones offered by KodeKloud. Use the free Katacoda Kubernetes Playground to test things you have learned. A couple of weeks before your exams, take a Killer Shell (killer.sh) practice exam. It’s designed to be harder than the actual exam to prepare you better. From that, identify areas of improvement and continue to review those sections in KodeKloud and run through the related end-of-chapter practice tests.

Bookmarks

Yes, you’re allowed to use bookmarks during the exam! More specifically, you’re allowed two tabs: one for the exam and the second for searching official Kubernetes resources. From the official Kubernetes websites, I can assure you that the Kubernetes Documentation is all you need. There are lots of great real-world example manifests and hints to be found. Identify your weak areas and bookmark related documentation pages. Consider keeping all of your bookmarks in a single bookmark folder that is clearly visible and easily accessible.

The kubectl Cheat Sheet and kubectl Command Reference are great examples of hidden gem bookmarks.

P.S. - You are NOT allowed to have one of your tabs open in a separate window. This means that if you have a large 4K or ultrawide monitor, you won’t be able to take full advantage of the extra screen real estate.

Manifests

Most Kubernetes professionals will tell you to never use kubectl run. I’m here to tell you that you should use it and use it all the time. The catch is, however, that you should never create objects with it. Instead, use it to create YAML manifests. For the exam, you’ll have a copy of it that you can examine later. For work/play, you’ll have a manifest you can git commit for the invaluable version control/history.

Say hello to your new friend: --dry-run=client -o yaml. This’ll output an example YAML manifest. It lays down the foundation so you can then tweak it based on the object you need.

  • kubectl run nginx --image nginx --dry-run=client -o yaml >> pod-nginx.yaml

Pods

Creating Pods on the CLI uses a special command: kubectl run. This is intentionally meant to be similar to docker run. You don’t even need to memorize the options. Most times, you can get away with grabbing the relevant help information:

  • kubectl run --help | grep run

Everything Else

Most of the common APIs can be created via the CLI. View the ones you can create (look for “Available Commands”):

  • kubectl create --help

Again, do a simple grep to help find pre-made examples of arguments that can be used:

  • kubectl create <API> --help | grep create

kubectl

Ah, look what we have here. kubectl. Get used to it, my friends. You’ll be using this a lot. Here’s a brain dump of useful, and not very well-known, commands for the exam and also in the real-world:

  • Shortcuts

    • alias k=kubectl # Save time by not having to type 6 extra letters! This, however, negates bash completion. Pick your kryptonite.
    • export d="--dry-run=client -o yaml" # Set a shell variable to save time when creating YAML manifests. Add $d to the end of the kubectl [run|create] command.
  • API

    • kubectl api-resources # View all of the APIs available.
    • kubectl api-resources --namespaced # View all of the APIs that support being namespaced.
    • kubectl api-versions # View all of the API versions available.
    • kubectl explain <API> --recursive # View all of the available options for a specific API.
    • kubectl explain <API>.spec # View the “spec[ification]” field of a specific API.
  • Create, Read, Update, and Delete (CRUD)

    • kubectl create <API> --help | grep create # View examples of how to create objects.
    • kubectl get <API> --show-labels # View the labels for each object.
    • kubectl get <API> -w # Watch for updates to a particular resource
    • kubectl top pod --containers # View the resource consumption of all containers.
    • EDITOR=nano kubectl edit --record <OBJECT> # Update the manifest of a running object using the specified $EDITOR variable. Record the previous object manifest as a single-line annotation.
    • kubectl delete <API> <OBJECT> --wait=0 # Do not wait for the object deletion to finish. Return back to the shell prompt immediately.
  • Cluster

    • kubectl get events -A --sort-by=.metadata.creationTimestamp # Get all (most, actually, as -A only applies to a handful of APIs) events from a cluster ordered by the newest first.
    • kubectl describe node <NODE> | grep -i cidr # Find the Pod network CIDR allocated to a specific Node.
    • kubectl cluster-info dump | grep -- --service # Find the cluster-wide Service CIDR
  • Role-Based Access Control (RBAC)

    • kubectl create sa ...; kubectl create role ...; kubectl create rolebinding ... # Create a ServiceAccount, a Role which defines which permissions are granted, and activate the ServiceAccount by assigning the Role via a RoleBinding (or ClusterRoleBinding).
    • kubectl auth can-i --list # View all of the permissions the current user has.
    • kubectl auth can-i <ACTION> <API> --as system:serviceaccount:<NAMESPACE>:<SERVICEACCOUNT_NAME> # Verify that a ServiceAccount can perform the specified action.
  • kubeadm

    • kubeadm certs check-expiration # View the TLS certificates expirations for Kubernetes services.
    • kubeadm certs renew <KUBERNETES_SERVICE> # Renew a TLS certificate.
    • kubeadm token create --print-join-command # Print the command to join a Worker Node. Copy that command and run it on the new Worker Node to add it to the Kubernetes cluster.

Retake

Worst case scenario, you fail your exam. That’s okay because you get a free retake! Better yet, now you know what to expect. Think back to the questions you didn’t understand and/or took too much time on. Build up your skills from there. Get better at solving those kinds of scenarios and solving them quickly.

What Next?

You have your certification! Congratulations! Now what?

Find your niche. Heck, you can even use your shiny new certification as an inspiration for your starting point. Here are a few high-level examples (there are many ways to tackle each):

  • Administration = Familiarize yourself with a few different deployment tools. Customize the Kubernetes services to expose (or even disable) different features.
  • Application Developer = Find frameworks to help build and deploy cloud-native applications automatically.
  • Security Specialist = Brush up on more advanced RBAC topics and how to lock-down clusters in such a way that any government agency would be proud.

Get a promotion, a new job, or even create a start-up! Sky’s the limit for what you want to do with your new skills!

P.S. - VMware, where I currently work, is always hiring for our Kubernetes teams. If you’re looking for a job, let me know! We’re especially interested in hiring women and people of different races and ethnicities. We’ve got amazingly ambitious diversity goals! Don’t believe me? Read more about our goals here.

Closing Thoughts

Even if only one piece of advice helps you on your journey then I’m happy to have written this article. If you truly want a Kubernetes certification, you’ll get it.

Reach out to me on Twitter @LukeShortCloud (previously @ekultails) or on LinkedIn if you need any help with your Kubernetes journey. I’d be glad to provide guidance!

- Luke Short

2021-04-18

Free Ways to Use and Learn Kubernetes

You don’t even have to spend a dime!

While doing additional research for this blog post, I came across a very cool project. Let me introduce you to Free Kubernetes. This git project contains a variety of ways you can run your own Kubernetes cluster for free. Most of these use public clouds so you don’t even need to worry about requiring any hardware.

For my own learning and growth, I’ve found these to be great tools and hope you do as well!

  • Cloud:
    • Katacoda Playground = This is all you need. You get a single Control Plane Node and a single Worker Node for 1 hour.
      • Once you get good at Kubernetes, you can even use this to create your own training. Companies such as KodeKloud built Kubernetes courses using it.
    • Civo = Civo uses k3s in the back-end. You can get a highly-available cluster in literally a few minutes. No exaggeration! Their Kubernetes service used to offer $70/month for free for its beta program. That’s now ending and they’re instead offering a one-time $250 credit.
      • Using “Small” Nodes, you could get 8 months with three Nodes or 25 months with a single Node!
  • Local workstation/server:
    • Minikube/Minishift = Honestly, I haven’t used these much because they’re so limited out-of-the-box. That being said, this is easy and it works. They provide a golden virtual machine image of a working all-in-one (Control Plane + Worker) Kubernetes Node.
    • k3s = The ultimate home lab tool for your Raspberry Pi cluster. A single binary, one minute install, and one minute upgrades. What’s not to love?
    • kubeadm = The official tool for installing Kubernetes. This is important to know! Even many third-party Kubernetes installers, such as VMware’s Tanzu, are built on-top of this. It’s also featured in the Certified Kubernetes Administrator (CKA) exam. Spin up a virtual machine with Vagrant and hack around with the tool.

Bonus:

  • AWS Lambda = I’m not 100% sure on what’s used in the back-end. I would guess Kubernetes, and honestly it doesn’t matter. This concept of “function-as-a-service” or “serverless” is a huge topic in Kubernetes and I’d argue it’s the next big thing. You can learn the concepts of it with the AWS Free Tier and later apply it to Kubernetes via the use of Knative or OpenFaaS. You can use 1 million requests or 3.2 million compute seconds, whichever comes first.

Have any questions about setting up a lab? Reach out to me at @ekultails and I’ll see if I can help! - Luke Short

2021-04-08

How You Can Become a Kubernetes Expert

Here’s how.

  • YAML = What do Kubernetes, Ansible, and GitHub Actions have in common? YAML! It’s important. My colleagues and I constantly joke about how we are YAML Engineers(™). Don’t be intimidated! It’s so popular because it was made to be easy and human-readable.
  • Containers = Do you know and understand what containers are and how they work?
    • No? Start here before you go any further. Kubernetes is an automation and orchestration platform of sorts. You need to understand the underlying technology first before you start adding on extra layers of features and complexity. Check out the KodeKloud Docker for Beginners course.
    • Yes? Great! Moving on.
  • Vanilla Kubernetes = A quick note! This is a mistake that I’ve made and many others make. Do NOT start by studying a vendor-specific implementation such as OpenShift. They are extremely biased and have features that are not portable across other Kubernetes clusters. OpenShift, in particular, is overly complex. It tries to give you everything including the kitchen sink. If you learn Kubernetes then, by extension, you’ll learn OpenShift. The same cannot be said for the other way around.
  • Kubernetes basics = Learn the basics of Kubernetes. VMware has free training on KubeAcademy that does a great job of going through those fundamentals.
  • APIs = Don’t sweat how to install Kubernetes or how it works. Focus on using the APIs which is as simple as writing some YAML manifests. I’ll be writing future tutorials on my blog to help out here.
  • Community group = Okay, now you know enough to be dangerous. Nice! Find fellow friends, coworkers, even strangers! Just anyone who wants to learn Kubernetes and gets excited by it! Having others around to help motivate you is more powerful than anything else.
  • Find use cases = Figure out how you could use Kubernetes at home or for work. Try to move existing apps you use into containers (if not already) and then into Kubernetes. Here are some example use-cases for real applications I run on my home Kubernetes cluster:
    • Application development = I’m a cloud native developer at heart so when I’m testing my apps, I test them as containers on my Chromebook and then push them to Kubernetes.
    • CI/CD
    • DNS
    • Gitea
    • Blog (staging area)
    • CIFS server
    • NFS server
    • Game servers (ex., Minecraft, Halo Custom Edition) = These aren’t very cloud-native but they’re fun to get working!
  • Certifications = Studying for the Kubernetes certifications is a great goal to set for yourself. You’ll learn a lot and have the credentials to help you get that shiny new Kubernetes job! There are currently 3 different certs: the Administrator, Application Developer, and (recently released) Security. Pick your own adventure!
  • Going beyond = The final step is to go, as Buzz Lightyear from Toy Story would say, “to infinity and beyond!” These are a collection of great resources to help you learn about extra features you can add on to Kubernetes. Use this as an opportunity to find your niche(s).

My final thoughts are this: Kubernetes is a lot easier than you think. You can do anything if you put your mind to it! I wish you the best with your Kubernetes adventure! - Luke Short

2021-01-31

The State of Kubernetes According to One of Its Creators

Recently, there was a webinar Q&A session with Joe Beda. He’s one of the authors of “Kubernetes Up & Running”. Here are his thoughts on the past, present, and future of Kubernetes.

Note: this information has been paraphrased.

Joe Beda’s thoughts:

  • The #1 goal for Kubernetes is to become boring and “just work”. It’s almost there!
  • How can someone learn Kubernetes?
    • Start small and focus on vanilla Kubernetes. Don’t start off trying to learn a very vendor-specific product like OpenShift. If you learn pure Kubernetes, you can seamlessly migrate between different clouds.
  • Was YAML supposed to be the primary way to interact with and use Kubernetes?
    • No, YAML had a long-term goal of being replaced but never was. There are a handful of tools out there that make applications on Kubernetes easier to manage. The first evolution of the interaction with the API was Helm. ytt is now the second evolution.
  • What are your thoughts on Platform-as-a-Service (PaaS) offerings such as “low-code” and “no-code”?
    • They are too restrictive and won’t provide developers all the features they need. Eventually, they will need to migrate to Kubernetes where they will have more power, control, and features.
  • What is the future of PaaS?
    • Serverless and other frameworks built on top of Kubernetes will replace the traditional PaaS services we know today.
  • What is the future of Infrastructure-as-a-Service (IaaS)?
    • Managing Kubernetes on baremetal is difficult. The best way to manage it is with programmable infrastructure (via IaaS APIs). Platforms such as Amazon EC2 and OpenStack Nova will still be needed for that.
  • What are the top problems for developers using Kubernetes today?
    • Networking. The Service and Ingress APIs have created a lot of confusion for developers on how to expose an application to the Internet. A new unified networking API is being worked on in the upstream Kubernetes community to help with this.
  • How can developers closely replicate their production (prod) environment as a development (dev) environment?
    • The drift between prod and dev leads to inconsistencies, which leads to bugs. Things that need to be aligned as much as possible: node count, networking, storage, and external (non-Kubernetes) services integration. To at least address the node count, the Kind and Cluster API projects provide a seamless way to spin up Kubernetes clouds of any size instantly using docker containers. There is no real solution for everything else.
  • What is Istio?
    • Features: secure communication between Pods, dynamic routing, observability, and service mesh configurability.
  • Why is Istio not part of Kubernetes?
    • Google wants full control over the project. There are also many other Kubernetes plugins in the open source community that solve similar problems, such as Open Service Mesh and Linkerd.
  • What book are you reading right now?
    • Range. It explains how generalists can succeed with problems that are not well defined. It’s about identifying larger patterns/issues and how different things can come together to solve those common issues.
  • If people aren’t using a specific Kubernetes API or a functionality of it, maybe we did it wrong. We need to rethink it and get community feedback on how to make all APIs useful.
  • What is the future of Kubernetes?
    • GPUs (A.I./M.L.) are gaining a lot of traction right now. However, Kubernetes does not solve every problem. What it did great was embrace the idea of declarative infrastructure state. In 10-20 years, there may be a similar declarative tool and it may not be Kubernetes.

My thoughts and biggest takeaways:

  • It’s fascinating that YAML was not meant to be the long-term solution to using Kubernetes. Helm was an amazing leap forward for deploying applications and has been a joy for me to work with over the years. I’m now starting to get my hands dirty with ytt on a few projects I’m working on so we’ll see how that compares.
  • I love the attitude of if the end-users aren’t using the APIs then it was probably designed or implemented wrong. It’s important to fail fast, gather feedback, and then iterate again.
  • For development environments, I love Kind. It’s so easy to get started with. It’s a much better experience than trying to lab OpenShift (outside of the limited Minishift environment).
  • People always wrongly assume projects like OpenStack are dead. They aren’t. They’re just boring and work. That’s where Kubernetes is heading. Arguably, I actually think Kubernetes reached the boring state about two years ago. IaaS is important and it’s not a problem Kubernetes tries to solve. It needs IaaS to prosper.
  • The future of technology, in my eyes, has always been serverless and machine learning. Joe seems to echo these thoughts which makes me feel even more confident in my choice of career. At work, I’m focusing on making those my niche so that I may help customers adopt these concepts and get the most out of Kubernetes.