I felt obliged to write this article because I received too many messages about CKS preparation after my post on LinkedIn.
The CKS exam was released on 17 November by the Linux Foundation and CNCF as the last (I hope not the latest :)) part of the Kubernetes certification series.
First of all, I have to say that if you have taken the CKA and/or CKAD exam, you will see that CKS has questions in the familiar template. So do not be afraid at the thought of a completely different exam.
As in the other Kubernetes exams, it will be to your advantage to tune the text editor settings at the beginning of the exam and to shorten commands to your own taste with ‘alias’, such as ‘k’ for ‘kubectl’.
When I took the CKA exam in 2019, the exam time was 3 hours. As far as I know, the duration of the exam has since been reduced to 2 hours and the number of questions has also been reduced. Nevertheless, when I compared it with the other two exams, I found that the exam time caused more problems in CKS. You have to complete 15 questions in 2 hours. Although that seems like 8 minutes per question, some questions can be solved in less time. Of course, you also need to check that the changes you made are valid after completing a question.
I did not take any training to prepare for the exam, so I will not recommend a book or online course, to avoid misleading you. I can’t give direct information about the questions, but I can give some tips on the topics you need to study.
‘Immutable’ as an approach for Kubernetes and Docker containers
Investigate what ‘immutable’ means. I can’t give more of a spoiler for this :)
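As an added example (not from the original post), this is the most common way the immutable-container idea is applied in Kubernetes: the container's root filesystem is mounted read-only and only the paths the process genuinely needs to write get an emptyDir. The namespace, pod name and image tag are assumptions, and the live check only runs when a cluster is reachable.

```shell
# Added example (not from the original post): a Pod whose container runs with
# a read-only root filesystem, the usual way to apply "immutable containers"
# in Kubernetes. Namespace, pod name and image tag are assumptions.
NS="${NS:-immutable-demo}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

write_immutable_pod() {
  cat > "$WORKDIR/immutable-pod.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: immutable-nginx
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 101          # uid of the nginx user in the unprivileged image (assumed)
  containers:
  - name: web
    image: nginxinc/nginx-unprivileged:1.19   # image tag is an assumption
    securityContext:
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
    volumeMounts:
    - name: cache
      mountPath: /var/cache/nginx   # nginx needs to write its cache here
    - name: tmp
      mountPath: /tmp               # and its pid file here
  volumes:
  - name: cache
    emptyDir: {}
  - name: tmp
    emptyDir: {}
EOF
  printf '%s\n' "$WORKDIR/immutable-pod.yaml"
}

# Return 0 if the manifest makes the root filesystem read-only.
manifest_is_readonly() {
  grep -q 'readOnlyRootFilesystem: true' "$1"
}

# Live check, only when a cluster is reachable: writing outside the emptyDir
# mounts must fail, writing into them must succeed.
verify_on_cluster() {
  command -v kubectl >/dev/null 2>&1 && kubectl cluster-info >/dev/null 2>&1 \
    || { echo "no cluster reachable, skipping live check"; return 0; }
  kubectl create namespace "$NS" --dry-run=client -o yaml | kubectl apply -f -
  kubectl -n "$NS" apply -f "$WORKDIR/immutable-pod.yaml"
  kubectl -n "$NS" wait --for=condition=Ready pod/immutable-nginx --timeout=60s
  if kubectl -n "$NS" exec immutable-nginx -- touch /etc/marker 2>/dev/null; then
    echo "FAIL: root filesystem is writable"; return 1
  fi
  kubectl -n "$NS" exec immutable-nginx -- touch /tmp/marker && echo "OK: only emptyDir paths are writable"
}

f=$(write_immutable_pod)
manifest_is_readonly "$f" && echo "manifest sets readOnlyRootFilesystem"
```

The point to remember is that readOnlyRootFilesystem alone breaks most images; the exam-style task is to find which directories the process writes to and give exactly those an emptyDir.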
Static Dockerfile analysis - best practices for hardening
You should read and learn the best practices for Docker images and for some Kubernetes components as well. Although it may seem like an easy subject, you may not get any points if you miss a small detail.
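To make the "small detail" point concrete, here is an added example (not from the original post) of a weak Dockerfile next to a hardened one, with a small shell checker for the points a static review usually looks for: pinned base image tag, a non-root USER, COPY instead of ADD, no secrets baked into layers, no leftover package cache, no ssh port. Both Dockerfiles are constructed for the demo and the finding list is this script's own, not a particular tool's ruleset.

```shell
# Added example (not from the original post): a minimal Dockerfile checker
# covering the points a hardening review usually looks for. The sample
# Dockerfiles are constructed; the findings are this script's own list.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

cat > "$WORKDIR/Dockerfile.before" <<'EOF'
FROM ubuntu:latest
ADD app.tar.gz /app
RUN apt-get update && apt-get install -y curl
RUN echo "API_KEY=secret" > /app/.env
EXPOSE 22
CMD ["/app/start.sh"]
EOF

cat > "$WORKDIR/Dockerfile.after" <<'EOF'
FROM ubuntu:20.04
COPY app/ /app/
RUN apt-get update && apt-get install -y --no-install-recommends curl \
    && rm -rf /var/lib/apt/lists/*
RUN useradd -r -u 10001 app
USER 10001
CMD ["/app/start.sh"]
EOF

# Print one finding per line; print nothing when the file passes these checks.
lint_dockerfile() {
  f="$1"
  grep -Eq '^FROM[[:space:]]+[^[:space:]]+:latest' "$f" && echo "base image pinned to :latest"
  grep -Eq '^FROM[[:space:]]+[^[:space:]:@]+[[:space:]]*$' "$f" && echo "base image has no tag"
  grep -Eq '^USER[[:space:]]+' "$f" || echo "no USER instruction: container runs as root"
  grep -Eq '^USER[[:space:]]+root' "$f" && echo "USER root"
  grep -Eq '^ADD[[:space:]]' "$f" && echo "ADD used where COPY would do"
  grep -Eq '^EXPOSE[[:space:]]+(.*[[:space:]])?22([[:space:]/]|$)' "$f" && echo "port 22 exposed (ssh inside a container)"
  grep -Eiq '(password|secret|api_key)=' "$f" && echo "credential literal in Dockerfile"
  grep -Eq 'apt-get install' "$f" && ! grep -Eq 'rm -rf /var/lib/apt/lists' "$f" && echo "apt cache left in image"
  return 0
}

# Number of findings for a file (0 when clean).
count_findings() { lint_dockerfile "$1" | grep -c . || true; }

echo "before: $(count_findings "$WORKDIR/Dockerfile.before") findings"
lint_dockerfile "$WORKDIR/Dockerfile.before"
echo "after:  $(count_findings "$WORKDIR/Dockerfile.after") findings"
```

Run it against your own Dockerfiles before the exam: if you can explain why each finding matters, the Dockerfile question will not surprise you.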
NetworkPolicies and PodSecurityPolicies
NetworkPolicies are important. As well as the official documentation, Ahmet Alp Balkan’s recipes are a very good source for this topic. Instead of memorizing the rules, it is useful to apply different communication rules between your pods and observe the results. In this way, you will better understand what is going on.
You should know PodSecurityPolicies and how they are put into effect through Roles.
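The "apply rules and observe" advice in practice, as an added example that is not part of the original post: a default-deny policy for the whole namespace, the two policies that re-open exactly one flow (frontend to backend on TCP 8080, ingress side and egress side), and a DNS egress allowance that a default-deny on egress always needs. Labels, namespace and port are assumptions; the probe needs a CNI that enforces NetworkPolicy and is skipped without a cluster.

```shell
# Added example (not from the original post): default-deny plus the minimal
# allow rules for one flow. Labels, namespace and port are assumptions.
NS="${NS:-np-demo}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

write_network_policies() {
  cat > "$WORKDIR/np.yaml" <<'EOF'
# 1) Deny all ingress and egress for every pod in the namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# 2) Ingress side: backend accepts TCP 8080 from frontend pods only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
---
# 3) Egress side of the same flow: frontend may open TCP 8080 to backend.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-egress-to-backend
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes: ["Egress"]
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: backend
    ports:
    - protocol: TCP
      port: 8080
---
# 4) Egress is denied by (1), so every pod still needs DNS to resolve names.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
  - to:
    - namespaceSelector: {}
    ports:
    - protocol: UDP
      port: 53
EOF
  printf '%s\n' "$WORKDIR/np.yaml"
}

# Number of policy objects in the file.
policy_count() { grep -c '^kind: NetworkPolicy' "$1" || true; }

# Live check: from a throwaway pod carrying the given app label, try the
# backend service and print ALLOWED or DENIED. Skipped without a cluster.
probe_from() {
  label="$1"
  command -v kubectl >/dev/null 2>&1 && kubectl cluster-info >/dev/null 2>&1 \
    || { echo "no cluster reachable, skipping"; return 0; }
  if kubectl -n "$NS" run "probe-$label" --rm -i --restart=Never --labels="app=$label" \
       --image=busybox:1.35 -- wget -qO- --timeout=3 http://backend:8080 >/dev/null 2>&1; then
    echo "ALLOWED"
  else
    echo "DENIED"
  fi
}

f=$(write_network_policies)
echo "$(policy_count "$f") policies written to $f"
# After `kubectl -n $NS apply -f $f`: probe_from frontend -> ALLOWED, probe_from other -> DENIED
```

Try removing policy 4 and watching the frontend probe fail on name resolution; that is exactly the kind of side effect that memorizing the syntax will not teach you.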
RBAC, ServiceAccounts - Roles - ClusterRoles - Bindings
Create your own RBAC environment with ServiceAccounts, Roles, ClusterRoles and Bindings, and check how they relate to each other. This subject is also related to PodSecurityPolicy.
Once you learn how they work, you will find that the rest is easy.
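An added example (not from the original post) tying the two previous topics together: a ServiceAccount, a Role that lets it read pods, a PodSecurityPolicy, and the ClusterRole with the `use` verb that makes the PSP reachable, all bound with RoleBindings; then the `kubectl auth can-i --as=...` checks that show what the API server actually grants. Namespace, names and PSP contents are assumptions, and the PSP only takes effect when the PodSecurityPolicy admission plugin is enabled on the API server.

```shell
# Added example (not from the original post): ServiceAccount + Role + PSP +
# ClusterRole("use") + RoleBindings, verified with kubectl auth can-i.
# Namespace, names and the PSP contents are assumptions.
NS="${NS:-rbac-demo}"
SA="${SA:-app-sa}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

write_rbac_manifests() {
  cat > "$WORKDIR/rbac.yaml" <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $SA
  namespace: $NS
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes: ["configMap", "emptyDir", "secret"]
---
# Permission to "use" the PSP is what ties the policy to a subject.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted-user
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["restricted"]
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: $NS
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
---
# A RoleBinding may reference a ClusterRole; the grant is then namespace-scoped.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $SA-psp
  namespace: $NS
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-restricted-user
subjects:
- kind: ServiceAccount
  name: $SA
  namespace: $NS
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $SA-pod-reader
  namespace: $NS
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
subjects:
- kind: ServiceAccount
  name: $SA
  namespace: $NS
EOF
  printf '%s\n' "$WORKDIR/rbac.yaml"
}

# The verb that binds a PSP to a subject must be "use"; any other verb leaves
# the policy unreachable without an error message.
psp_rule_uses_use_verb() {
  grep -A3 'resources: \["podsecuritypolicies"\]' "$1" | grep -q 'verbs: \["use"\]'
}

# Live checks: each line prints yes/no as the API server sees it.
check_permissions() {
  command -v kubectl >/dev/null 2>&1 && kubectl cluster-info >/dev/null 2>&1 \
    || { echo "no cluster reachable, skipping"; return 0; }
  kubectl apply -f "$WORKDIR/rbac.yaml"
  who="system:serviceaccount:$NS:$SA"
  kubectl auth can-i list pods -n "$NS" --as="$who"                                   # expected: yes
  kubectl auth can-i delete pods -n "$NS" --as="$who" || true                         # expected: no
  kubectl auth can-i use podsecuritypolicy/restricted -n "$NS" --as="$who"            # expected: yes
}

f=$(write_rbac_manifests)
psp_rule_uses_use_verb "$f" && echo "PSP rule grants the use verb"
```

`kubectl auth can-i ... --as=system:serviceaccount:<ns>:<sa>` is the quickest way to confirm a binding without creating a pod, and it is just as useful for spotting a subject that has more than it should.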
Image vulnerability scanners
Installing scanner tools on your own system and performing some actions in your cluster will give you practice for the exam. The question on this subject was very simple.
You should know how to check for a CVE with these tools and what kind of action should be taken on the pod.
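An added example (not from the original post) of the scanner workflow: list the images a namespace actually runs, scan each with trivy keeping only HIGH and CRITICAL findings, and decide what to do with the pod. The JSON report embedded below is constructed in trivy's report layout so the counting step can run without trivy installed; the CVE ids in it are placeholders, and the namespace and image names are assumptions.

```shell
# Added example (not from the original post): scan the images in use and
# triage by severity. The JSON report is a constructed sample in trivy's
# layout (Results[].Vulnerabilities[]); CVE ids are placeholders.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

cat > "$WORKDIR/report.json" <<'EOF'
{
  "SchemaVersion": 2,
  "ArtifactName": "example.invalid/shop/web:1.0",
  "Results": [
    {
      "Target": "example.invalid/shop/web:1.0 (debian 10.8)",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libqux", "Severity": "LOW"}
      ]
    }
  ]
}
EOF

# Count findings of one severity in a trivy JSON report (no jq needed).
count_severity() {
  report="$1"; sev="$2"
  grep -Eo "\"Severity\": *\"$sev\"" "$report" | grep -c . || true
}

# Acceptance rule used here: zero HIGH and zero CRITICAL findings.
image_is_acceptable() {
  h=$(count_severity "$1" HIGH); c=$(count_severity "$1" CRITICAL)
  [ "$h" -eq 0 ] && [ "$c" -eq 0 ]
}

# Live part: scan every image referenced by pods in a namespace. trivy's
# --severity, --exit-code and -q flags are real; the namespace is an assumption.
scan_namespace_images() {
  ns="${1:-default}"
  command -v kubectl >/dev/null 2>&1 && command -v trivy >/dev/null 2>&1 \
    || { echo "kubectl or trivy not found, skipping"; return 0; }
  kubectl -n "$ns" get pods -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.containers[*].image}{"\n"}{end}' |
  while read -r pod images; do
    for img in $images; do
      if trivy image --severity HIGH,CRITICAL --exit-code 1 -q "$img" >/dev/null 2>&1; then
        echo "$pod $img clean"
      else
        # Typical remediation: move the pod to a patched image tag
        # (kubectl set image pod/<pod> <container>=<patched-image>) or delete it;
        # the task states which one it wants.
        echo "$pod $img VULNERABLE"
      fi
    done
  done
}

if image_is_acceptable "$WORKDIR/report.json"; then
  echo "acceptable"
else
  echo "reject: $(count_severity "$WORKDIR/report.json" HIGH) HIGH, $(count_severity "$WORKDIR/report.json" CRITICAL) CRITICAL"
fi
```

In the exam the decision rule comes from the question text (for example "delete pods whose image has CRITICAL findings"); the `--exit-code 1` flag turns that rule into a simple if/else as above.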
Security best practices for API server, kubelet, etcd
kube-apiserver, kubelet and etcd have their own parameters. You must know how these parameters work. The important point here is that an incorrect configuration will affect the whole cluster, so it is important to work on a copy of the component's manifest.
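As an added example (not from the original post), here is a small checker for the API server and kubelet settings that are usually tightened first, together with the backup step that keeps you safe while editing a static pod manifest. The two configuration files are constructed samples in the real formats (a kube-apiserver static pod and a KubeletConfiguration); the flags checked are real kube-apiserver and kubelet options, and the paths are the kubeadm defaults.

```shell
# Added example (not from the original post): audit a kube-apiserver static
# pod manifest and a kubelet config for insecure settings, and back the
# manifest up before editing. Both files are constructed samples.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
APISERVER="${APISERVER:-$WORKDIR/kube-apiserver.yaml}"      # real: /etc/kubernetes/manifests/kube-apiserver.yaml
KUBELET_CFG="${KUBELET_CFG:-$WORKDIR/kubelet-config.yaml}"  # real: /var/lib/kubelet/config.yaml

cat > "$APISERVER" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    image: k8s.gcr.io/kube-apiserver:v1.19.0
    command:
    - kube-apiserver
    - --advertise-address=10.0.0.10
    - --anonymous-auth=true
    - --authorization-mode=AlwaysAllow
    - --enable-admission-plugins=NamespaceLifecycle
    - --etcd-servers=https://127.0.0.1:2379
EOF

cat > "$KUBELET_CFG" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: true
authorization:
  mode: AlwaysAllow
readOnlyPort: 10255
EOF

# Value of a kube-apiserver flag as written in the manifest ("" when absent).
apiserver_flag() { sed -n "s/^ *- --$1=\(.*\)$/\1/p" "$APISERVER" | head -n1; }

# Kubelet settings pulled out of the YAML with awk (first match under the key).
kubelet_anonymous()     { awk '/^ *anonymous:/{f=1} f && /enabled:/{print $2; exit}' "$KUBELET_CFG"; }
kubelet_authz_mode()    { awk '/^authorization:/{f=1} f && /mode:/{print $2; exit}' "$KUBELET_CFG"; }
kubelet_readonly_port() { awk '/^readOnlyPort:/{print $2; exit}' "$KUBELET_CFG"; }

# One finding per line; empty output means the file passes these checks.
audit_apiserver() {
  [ "$(apiserver_flag anonymous-auth)" = "false" ] || echo "apiserver: set --anonymous-auth=false"
  case "$(apiserver_flag authorization-mode)" in *RBAC*) ;; *) echo "apiserver: --authorization-mode should include Node,RBAC";; esac
  case "$(apiserver_flag enable-admission-plugins)" in *NodeRestriction*) ;; *) echo "apiserver: enable the NodeRestriction admission plugin";; esac
  [ -n "$(apiserver_flag audit-log-path)" ] || echo "apiserver: no --audit-log-path, auditing is off"
  return 0
}

audit_kubelet() {
  [ "$(kubelet_anonymous)" = "false" ]   || echo "kubelet: authentication.anonymous.enabled should be false"
  [ "$(kubelet_authz_mode)" = "Webhook" ] || echo "kubelet: authorization.mode should be Webhook"
  [ "$(kubelet_readonly_port)" = "0" ]    || echo "kubelet: readOnlyPort should be 0 (closes the unauthenticated 10255 port)"
  return 0
}

audit_findings_count() { ( audit_apiserver; audit_kubelet ) | grep -c . || true; }

# Copy a static pod manifest OUT of /etc/kubernetes/manifests before editing:
# the kubelet treats every file in that directory as a pod, so a backup left
# there would start a second API server.
backup_manifest() {
  src="$1"; dst="${2:-/root/$(basename "$src").bak}"
  cp -p "$src" "$dst" && echo "backup at $dst"
}

echo "$(audit_findings_count) findings:"; audit_apiserver; audit_kubelet
```

After changing a static pod manifest, watch `kubectl -n kube-system get pods` (or `crictl ps` on the node) to confirm the component actually came back; a typo in a flag leaves the API server down and every later question unanswerable.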
Sandboxed containers, gVisor - runc
The RuntimeClass object is the keyword for these topics, but it is not enough on its own.
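An added example (not from the original post) of what "not enough on its own" means: a RuntimeClass that points at the gVisor handler, a Pod that opts into it with `runtimeClassName`, and the check that shows the pod is really sandboxed. It assumes containerd on the nodes already has a `runsc` runtime configured; the handler name, namespace and pod name are assumptions.

```shell
# Added example (not from the original post): RuntimeClass for gVisor plus a
# Pod that uses it. Assumes a "runsc" runtime exists in containerd's config
# on every node; names are assumptions.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
NS="${NS:-sandbox-demo}"

write_runtimeclass_manifests() {
  cat > "$WORKDIR/gvisor.yaml" <<'EOF'
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc          # must match the runtime name in containerd's config
---
apiVersion: v1
kind: Pod
metadata:
  name: sandboxed
spec:
  runtimeClassName: gvisor   # without this line the pod uses the default runc
  containers:
  - name: app
    image: busybox:1.35
    command: ["sleep", "3600"]
EOF
  printf '%s\n' "$WORKDIR/gvisor.yaml"
}

# A RuntimeClass alone changes nothing; every sandboxed pod must name it.
pod_references_runtimeclass() {
  rc=$(awk '/^kind: RuntimeClass/{f=1} f && /^ *name:/{print $2; exit}' "$1")
  grep -Eq "^ *runtimeClassName: *$rc([[:space:]]|$)" "$1"
}

# Live check: inside a gVisor sandbox, dmesg shows gVisor's own boot messages
# instead of the host kernel's. Skipped without a cluster.
verify_sandbox() {
  command -v kubectl >/dev/null 2>&1 && kubectl cluster-info >/dev/null 2>&1 \
    || { echo "no cluster reachable, skipping"; return 0; }
  kubectl create namespace "$NS" --dry-run=client -o yaml | kubectl apply -f -
  kubectl -n "$NS" apply -f "$WORKDIR/gvisor.yaml"
  kubectl -n "$NS" wait --for=condition=Ready pod/sandboxed --timeout=90s
  kubectl -n "$NS" exec sandboxed -- dmesg | grep -qi gvisor && echo "pod runs under gVisor"
}

f=$(write_runtimeclass_manifests)
pod_references_runtimeclass "$f" && echo "pod opts into the RuntimeClass"
```

If the pod stays in ContainerCreating, the usual cause is that the handler name does not match the node's containerd configuration, which is a node-side setting and not something a manifest can fix.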
Runtime scanners such as Falco & sysdig and anomaly detection
There are not many articles about Falco, but you can find more information about sysdig. I sent an e-mail to Linux Foundation support because the question about this was not very clear: there was a difference between the file structure requested in the question and the documentation.
At the very least, you should test how the filters work in your own environment.
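As an added example (not from the original post), a custom Falco rule placed in the local rules file, the commands to validate and reload it, and a small extractor for the fields Falco prints in its alerts. The rule reuses macros from Falco's stock rule set (`spawned_process`, `container`), which is why it belongs in `falco_rules.local.yaml`, loaded after the defaults; the sample alert lines are constructed in Falco's default output format.

```shell
# Added example (not from the original post): a custom Falco rule in the
# local rules file and a field extractor for the alerts it produces. The
# log lines are constructed in Falco's "<time>: <Priority> <output>" format.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
RULES_LOCAL="${RULES_LOCAL:-$WORKDIR/falco_rules.local.yaml}"   # real path: /etc/falco/falco_rules.local.yaml

cat > "$RULES_LOCAL" <<'EOF'
- rule: Shell spawned in container (custom)
  desc: An interactive shell started inside a container
  condition: spawned_process and container and proc.name in (bash, sh)
  output: >
    Shell in container (user=%user.name container_id=%container.id
    container_name=%container.name image=%container.image.repository cmd=%proc.cmdline)
  priority: WARNING
  tags: [container, shell, custom]
EOF

# Constructed alerts as Falco writes them to stdout/syslog.
cat > "$WORKDIR/falco.log" <<'EOF'
10:01:02.123456789: Warning Shell in container (user=root container_id=0a1b2c3d4e5f container_name=web-7d9f image=nginx cmd=sh -c id)
10:01:05.987654321: Notice Some other default rule fired (container_id=ffffffffffff container_name=db-1 image=postgres)
10:02:11.000000001: Warning Shell in container (user=app container_id=0a1b2c3d4e5f container_name=web-7d9f image=nginx cmd=bash)
EOF

# Pull one key=value field out of alert lines on stdin.
falco_field() { sed -n "s/.*$1=\([^ )]*\).*/\1/p"; }

# Distinct container ids that triggered alerts of a given priority.
containers_by_priority() {
  prio="$1"; log="$2"
  grep " $prio " "$log" | falco_field container_id | sort -u
}

# Live helpers, meaningful only on a node running Falco as a systemd service.
falco_reload_and_tail() {
  command -v falco >/dev/null 2>&1 || { echo "falco not installed, skipping"; return 0; }
  falco --validate "$RULES_LOCAL"      # syntax-check the rules before restarting
  systemctl restart falco
  journalctl -u falco -n 20 --no-pager # recent alerts; or grep falco /var/log/syslog
}

echo "containers with Warning alerts: $(containers_by_priority Warning "$WORKDIR/falco.log")"
```

The typical task is the reverse of writing a rule: read the alerts, identify the container (or pod, via `container_name` and `kubectl get pods -A`) and act on it, so practise reading Falco's output format as much as its rule syntax.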
AppArmor and Audit
It’s easy to build and test AppArmor in your own test environment. As for audit, Kubernetes’s own documentation is quite sufficient.
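Both topics in one added example (not from the original post): an AppArmor profile that denies file writes, the pod annotation that applies it, and an audit Policy together with the API-server flags that switch auditing on. The deny-write profile follows the shape used in the Kubernetes documentation; the profile name, pod names and the audited namespace are assumptions. The node-side commands only run where `apparmor_parser` and a cluster are available.

```shell
# Added example (not from the original post): AppArmor profile + pod
# annotation, and an audit Policy + API-server flags. Names are assumptions.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
PROFILE_NAME="${PROFILE_NAME:-k8s-deny-write}"

write_apparmor_profile() {
  cat > "$WORKDIR/$PROFILE_NAME" <<EOF
#include <tunables/global>

profile $PROFILE_NAME flags=(attach_disconnected) {
  #include <abstractions/base>
  file,
  # Deny all file writes.
  deny /** w,
}
EOF
  printf '%s\n' "$WORKDIR/$PROFILE_NAME"
}

# The profile must be loaded on EVERY node the pod can land on; the
# annotation value is "localhost/<name as declared in the profile>".
write_apparmor_pod() {
  cat > "$WORKDIR/apparmor-pod.yaml" <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: hello-apparmor
  annotations:
    container.apparmor.security.beta.kubernetes.io/hello: localhost/$PROFILE_NAME
spec:
  containers:
  - name: hello
    image: busybox:1.35
    command: ["sh", "-c", "echo hello; sleep 3600"]
EOF
  printf '%s\n' "$WORKDIR/apparmor-pod.yaml"
}

# Does the pod annotation name the same profile the profile file declares?
annotation_matches_profile() {
  declared=$(sed -n 's/^profile \([^ ]*\).*/\1/p' "$1")
  grep -q "kubernetes.io/hello: localhost/$declared\$" "$2"
}

write_audit_policy() {
  cat > "$WORKDIR/audit-policy.yaml" <<'EOF'
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages: ["RequestReceived"]
rules:
# Secrets: record that the request happened, never the body.
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets"]
# Pod changes in one namespace: full request and response.
- level: RequestResponse
  namespaces: ["prod"]
  resources:
  - group: ""
    resources: ["pods"]
  verbs: ["create", "update", "patch", "delete"]
# Everything else is not logged.
- level: None
EOF
  printf '%s\n' "$WORKDIR/audit-policy.yaml"
}

# Live steps: node side (load profile) and cluster side (pod, API-server flags).
apply_on_cluster() {
  command -v apparmor_parser >/dev/null 2>&1 && command -v kubectl >/dev/null 2>&1 \
    && kubectl cluster-info >/dev/null 2>&1 \
    || { echo "apparmor_parser or cluster missing, skipping"; return 0; }
  apparmor_parser -r -W "$WORKDIR/$PROFILE_NAME"          # load / replace the profile
  aa-status | grep -q "$PROFILE_NAME" && echo "profile loaded"
  kubectl apply -f "$WORKDIR/apparmor-pod.yaml"
  kubectl wait --for=condition=Ready pod/hello-apparmor --timeout=60s
  kubectl exec hello-apparmor -- cat /proc/1/attr/current   # expect: <profile> (enforce)
  echo "add to kube-apiserver.yaml (and hostPath-mount both paths):"
  echo "  - --audit-policy-file=/etc/kubernetes/audit-policy.yaml"
  echo "  - --audit-log-path=/var/log/kubernetes/audit.log"
  echo "  - --audit-log-maxage=30"
}

p=$(write_apparmor_profile); y=$(write_apparmor_pod); a=$(write_audit_policy)
annotation_matches_profile "$p" "$y" && echo "annotation matches the declared profile name"
```

Two details cost points here: a pod whose annotation names a profile that is not loaded on its node stays in a Blocked state, and the audit flags do nothing until the policy file and log directory are also mounted into the API server pod.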
I think I encountered a similar question in the CKA exam. The question that came up on the CKS was also quite similar; there was just something extra required. So you need to know how to use Secrets.
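An added example (not from the original post) covering the Secret basics the paragraph refers to: create a Secret, consume it both as an environment variable and as a mounted file, and read it back from the API object with jsonpath and base64. Names are assumptions and the value is constructed; the live lookup is skipped without a cluster.

```shell
# Added example (not from the original post): create, consume and read back a
# Secret. Names are assumptions; the value "s3cr3t-demo" is constructed.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# base64 helpers that work with both GNU and BSD base64.
b64()   { printf '%s' "$1" | base64 | tr -d '\n'; }
unb64() { printf '%s' "$1" | base64 -d 2>/dev/null || printf '%s' "$1" | base64 -D; }

write_secret_manifests() {
  cat > "$WORKDIR/secret.yaml" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: db-creds
type: Opaque
data:
  password: $(b64 's3cr3t-demo')     # data: values are base64-encoded, NOT encrypted
---
apiVersion: v1
kind: Pod
metadata:
  name: secret-consumer
spec:
  containers:
  - name: app
    image: busybox:1.35
    command: ["sh", "-c", "echo env=\$DB_PASSWORD; cat /etc/creds/password; sleep 3600"]
    env:
    - name: DB_PASSWORD           # as an environment variable
      valueFrom:
        secretKeyRef:
          name: db-creds
          key: password
    volumeMounts:
    - name: creds                 # and as a file under /etc/creds/
      mountPath: /etc/creds
      readOnly: true
  volumes:
  - name: creds
    secret:
      secretName: db-creds
EOF
  printf '%s\n' "$WORKDIR/secret.yaml"
}

# Read the encoded value out of the manifest and decode it.
secret_value_from_manifest() {
  enc=$(sed -n 's/^ *password: *\([A-Za-z0-9+/=]*\).*/\1/p' "$1")
  unb64 "$enc"
}

# The same lookup against a live cluster: jsonpath picks one key, base64 decodes it.
secret_value_from_cluster() {
  command -v kubectl >/dev/null 2>&1 && kubectl cluster-info >/dev/null 2>&1 \
    || { echo "no cluster reachable, skipping"; return 0; }
  kubectl apply -f "$WORKDIR/secret.yaml"
  kubectl get secret db-creds -o jsonpath='{.data.password}' | base64 -d; echo
}

f=$(write_secret_manifests)
echo "decoded from manifest: $(secret_value_from_manifest "$f")"
```

The "something extra" in a question of this kind is usually one of the two consumption methods or the jsonpath read-back, so practise all three rather than just `kubectl create secret`.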
- You can find information on almost all topics at kubernetes.io.
- I guess that, due to the limited time, the skeleton files of the required components were given ready-made, unlike in CKA and CKAD. So there is no need to write everything from scratch.
- Copying structures directly from the Kubernetes documentation can lead to mistakes.
- Spending more than 10 minutes on the same question will waste your time. When you get stuck on a question, move on to the next one from the 11th minute.
- Shorten commands with aliases according to your own style.
- If you do not know at least 70% of the topics, do not take the exam.
- Set up your own cluster with 1 master and at least 2 worker nodes and test the subjects above.
- Some questions have tricks; read carefully.
- If you have time, check again the changes that you are not sure about.
- It is useful to know the systemd structure of Linux. In some questions this is important.
- Don’t forget to make the context changes.
Remember that certification is not an end but a means to success.