Back to Kubernetes blog.
CKS Exam Expectations
These are my expectations for the kind of questions to expect on the Certified Kubernetes Security (CKS) exam.
DISCLAIMER: These are predictions largely based on the official CKS Curriculum and courses found on Udemy. I’ve NOT taken any CKS exams (practice, real, or otherwise). I’m writing my thoughts down now before I start taking practice exams and enter NDA territory. These questions will NOT reflect what is exactly on the exam and are only educated guesses for what we should be prepared for.
Without further ado, here is a practice exam I’ve created that you can use as study material. Do not consider this a comprehensive/complete list of questions. Use it as a starting point.
- Build a container using a Dockerfile with a multi-stage build.
- The last stage should use the lightweight “alpine” image.
- Create a PodSecurityPolicy to force Pods to be read-only.
- Deploy a WordPress website with a HTTP front-end (nginx) and a database back-end (mysql).
- Pod configuartion:
- Use the gVisor/runsc container runtime class.
- Apply an existing AppArmor profile for the NGINX container.
- Run as a non-root user.
- Add the “CAP_SYS_ADMIN” capability.
- (Production tip: avoid using this capability as it grants near-root levels of access).
- Disable the ServiceAccount mount.
- Use NetworkPolicies to only allow traffic to/from the relevant ports (80 and 3306) used by the Pods.
- Create a self-signed certificate and store it as a Secret object.
- Create an Ingress object with the TLS certificate.
- (Lab tip: use “cert-manager” to automate certificate creation).
- Encrypt all existing Secret objects and ensure new Secrets will also be encrypted.
crictl to manually access a container running on a worker node.
- Upgrade Kubernetes from one minor version to the next: 1.21.0 to 1.22.0.
- Create a new user account using the ClusterRole, ClusterRoleBinding, and CertificateSigningRequest APIs.
- Create a new ServiceAccount.
- Create a new ConstraintTemplate object with a provided OPA policy.
- Scan the “nginx:1.18.0” image with Trivy.
- Run CIS benchmarks with ‘kube-bench’.
- Run a system scan with Falco.
- Find all non-Kubernetes systemd services and stop them.
- Enable audit logging in the kupe-apiserver.
- Identify which users are interacting with the API.
- Enable ImagePolicyWebhook in the kube-apiserver.
- Allow the container image “nginx:1.18.0” to be used on the Kubernetes cluster.
- Verify the checksum of the binaries installed with those mentioned in the official Kubernetes change log.
If you can do everything from above, you’re most likely in a good spot to get a passing score.
The CKS builds on-top of concepts from what the Certified Kubernetes Administrator (CKA) exam is about. That also makes it the most challenging exam the Cloud Native Computing Foundation (CNCF) has made to date. Only take the CKS if you’ve already passed the CKA.
Be sure to also check out my related guide on Tips to Help You Pass Any Kubernetes Exam.
Back to Kubernetes blog.
Tips to Help You Pass Any Kubernetes Exam
Trying to get your CKA, CKAD, and/or CKS certification for fun, profit, and/or glory? Here are the top tips for success based on my own experiences!
All of the exams are very similar and build off one another. Assuming your goal is to obtain all of the certifications, tackle them in the order below. This provides a clear path of adding on additional APIs and tools one exam at a time. That means that, for example, taking the CKA before the CKAD would probably be a harder experience.
- Certified Kubernetes Application Developer (CKAD)
- Certified Kubernetes Administrator (CKA)
- Certified Kubernetes Security Specialist (CKS)
Schedule a Date
“If you talk about it, it’s a dream. If you envision it, it’s possible. But if you schedule it, it’s real.” - Anthony Robbins. This is hands-down one of my favorite quotes I discovered from a mentoree/mentor of mine.
I found that I was ready for the CKA exam after a few months of studying. My biggest downfall was never scheduling the exam in the first place. I spent extra time over-preparing and trying to always dig deeper. After all, the end-goal wasn’t to get a seemingly worthless piece of a paper. It’s to build up your skills to help you with your job! Just make sure you have a clear goal to work towards or otherwise you won’t have anything to show for it!
Get the certification first and then your time will be freed up to go that extra mile of learning more of the related and advanced Kubernetes topics. If nothing else, this will unlock new job opportunities sooner. Recruiters will be knocking on your door!
If you want to become an expert in anything, you need to devote time every day. No exceptions. I aim for 1 hour a day. Even if I can’t commit a full hour, I try to spend a minimum of 30 minutes. On “cheat days” I’ll just watch tutorial videos online and not do hands-on. However, the hands-on experience is the most valuable.
Great, you want to dedicate time every day to learn! Now what?
For learning the primary exam materials, there are no better courses than the ones offered by KodeKloud. Use the free Katakoda Kubernetes Playground to test things you have learned. A couple of weeks before your exams, take a Killer Shell (killer.sh) practice exam. It’s designed to be harder than the actual exam to prepare you better. From that, identify areas of improvement and continue to review those sections in KodeKloud and run through the related end-of-chapter practice tests.
Yes, you’re allowed to use bookmarks during the exam! More specifically, you’re allowed two tabs: one for the exam and the second for searching official Kubernetes resources. From the official Kubernetes websites, I can assure you that the Kubernetes Documentation is all you need. There are lots of great real-world example manifests and hints to be found. Identify your weak areas and bookmark related documentation pages. Consider keeping all of your bookmarks in a single bookmark folder that is clearly visible and easily accessible.
The kubectl Cheat Sheet and kubectl Command Reference are great examples of hidden gem bookmarks.
P.S. - You are NOT allowed to have one of your tabs open in a separate window. This means that if you have a large 4K or ultrawide monitor, you won’t be able to take full advantage of the extra screen real estate.
Most Kubernetes professionals will tell you to never use
kubectl run. I’m here to tell you that you should use it and use it all the time. The catch is, however, that you should never create objects with it. Instead, use it to create YAML manifests. For the exam, you’ll have a copy of it that you can examine later. For work/play, you’ll have a manifest you can git commit for the invaluable version control/history.
Say hello to your new friend:
--dry-run=client -o yaml. This’ll output an example YAML manifest. It lays down the foundation so you can then tweak it based on the object you need.
kubectl run nginx --image nginx --dry-run=client -o yaml >> pod-nginx.yaml
Creating Pods on the CLI uses a special command:
kubectl run. This is intentionally meant to be similar to
docker run. You don’t even need to memorize the options. Most times, you can get away with grabbing the relevant help information:
kubectl run --help | grep run
Most of the common APIs can be created via the CLI. View the ones you can create (look for “Available Commands”):
Again, do a simple grep to help find pre-made examples of arguments that can be used:
kubectl create <API> --help | grep create
Ah, look what we have here.
kubectl. Get used to it, my friends. You’ll be using this a lot. Here’s a brain dump of useful, and not very well-known, commands for the exam and also in the real-world:
alias k=kubectl # Save time by not having to type 6 extra letters! This, however, negates bash completion. Pick your kryptonite.
export d="--dry-run=client -o yaml" # Set a shell variable to save time when creating YAML manifests. Add
$d to the end of the
kubectl [run|create] command.
kubectl api-resources # View all of the APIs available.
kubectl api-resources --namespaced # View all of the APIs that support being namespaced.
kubectl api-versions # View all of the API versions available.
kubectl explain <API> –recursive # View all of the available options for a specific API.
kubectl explain <API>.spec # View the “spec[ification]” field of a specific API.
Create, Read, Update, and Delete (CRUD)
kubectl create <API> | grep create # View examples of how to create objects.
kubectl get <API> --show-labels # View the labels for each object.
kubectl get <API> -w # Watch for updates to a particular resource
kubectl top pod --containers # View the resource consumption of all containers.
EDITOR=nano kubectl edit --record <OBJECT> # Update the manifest of a running object using the specified $EDITOR variable. Record the previous object manifest as a single-line annotation.
kubectl delete <API> <OBJECT> --wait=0 # Do not wait for the object deletion to finish. Return back to the shell prompt immediately.
kubectl get events -A --sort-by=.metadata.creationTimestamp # Get all (most, actually, as
-A only applies to a handful of APIs) events from a cluster ordered by the newest first.
kubectl describe node <NODE> | grep -i cidr # Find the Pod network CIDR allocated to a specific Node.
kubectl cluster-info dump | grep -- --service # Find the cluster-wide Service CIDR
Role-Based Access Control (RBAC)
kubectl create sa ...; kubectl create role ...; kubectl create rolebinding ... # Create a ServiceAccount, a Role which defines which permissions are granted, and active the ServiceAccount by assigning the Role via a RoleBinding (or ClusterRoleBinding).
kubectl auth can-i --list # View all of the permissions the current user has.
kubectl auth can-i <ACTION> <API> --as system:serviceaccount:<NAMESPACE>:<SERVICEACCOUNT_NAME> # Verify that a ServiceAccount can perform the specified action.
kubeadm certs check-expiration # View the TLS certificates expirations for Kubernetes services.
kubeadm certs renew <KUBERNETES_SERVICE> # Renew a TLS certificate.
kubeadm token create --print-join-command # Print the command to join a Worker Node. Copy that command and run it on the new Worker Node to add it to the Kubernetes cluster.
Worst case scenario, you fail your exam. That’s okay becase you get a free retake! Better yet, now you now know what to expect. Think back to the questions you didn’t understand and/or took too much time on. Build up your skills from there. Get better at solving those kinds of scenarios and solving them quickly.
You have your certification! Congratulations! Now what?
Find your niche. Heck, you can even use your shiny new certification as an inspiration for your starting point. Here are a few high-level examples (there are many ways to tackle each):
- Administration = Familiarize yourself a few different deployment tools. Customize the Kubernetes services to expose (or even disable) different features.
- Application Developer = Find frameworks to help build and deploy cloud-native applications automatically.
- Security Specialist = Brush up on more advanced RBAC topics and how to lock-down clusters in such a way that any government agency would be proud.
Get a promotion, a new job, or even create a start-up! Sky’s the limit for what you want to do with your new skills!
P.S. - VMware, where I currently work, is always hiring for our Kubernetes teams. If you’re looking for a job, let me know! We’re especially interested in hiring women and people of different races and ethnicities. We’ve got amazingly ambitious diversity goals! Don’t believe me? Read more about our goals here.
Even if only one piece of advice helps you on your journey then I’m happy to have written this article. If you truly want a Kubernetes certification, you’ll get it.
Reach out to me on Twitter @LukeShortCloud (previously @ekultails) or on LinkedIn if you need any help with your Kubernetes journey. I’d be glad to provide guidance!