Passing the KCSA & CKS to become a Kubestronaut


For those of you who have been reading my blog posts and following along, you might have guessed a bit of a theme... If you haven't guessed, I've been on a real learning journey to learn and get my hands on as much Kubernetes as I can.
This is a write-up of my approach to the final 2 exams for me, the KCSA and the CKS.
Opening thoughts on certifications as part of development
As a goal driven individual, I learn and develop best when there is an end goal to reach for and aspire to (There is no real end to this but don’t tell my brain that…)
In my case, the Kubestronaut certification, one blue jacket to rule them all!
Which is why certifications matter to me. There is a bit of a debate with certs: “certifications don’t maketh the engineer”, which is right, they don’t, but they are a great way to validate skills and experience.
So I get both sides of the coin.
I’ve met and worked with some amazing DevOps, Data engineers, and developers who don’t have a cert to their name and never will; they don’t see the point in it. I’ve also interviewed some people who had 5 Google Cloud certs and could explain a simple architecture from a design they clearly “liberated” from the internet and had clearly exam dumped to pass certs without the experience to back it up with. So, I get it.
For me, I want to learn the real fundamentals of a thing, so with Kubernetes Security, I refreshed my Docker skills and went back to basics, breaking and fixing clusters before diving into the security topics of the Certified Kubernetes Security Specialist.
Sorry for the long ramble of an intro, I was a cloud trainer for 2 and a half years, and it’s questions and thoughts I got asked about a lot, so I thought I’d add my 2 pence worth.
TL;DR certs are good, but not the be-all and end-all; experience and fundamental learning absolutely matter.
The Kubernetes and Cloud Security Associate (KCSA)
While I was preparing and learning the technical security skills for the CKS (I'll add my thoughts on that after this section), I wanted to get the KCSA out of the way, so here's my take and how I approached it.
It's a multiple-choice exam and focuses more on fundamental and overview understanding of cloud-native security with Kubernetes and container-based design at the forefront. Ergo, it's a nice introductory cert into Kubernetes Cloud Native Security.
This exam is an online, proctored, multiple-choice exam.
| Domain | Weight |
|---|---|
| Overview of Cloud Native Security | 14% |
| Kubernetes Cluster Component Security | 22% |
| Kubernetes Security Fundamentals | 22% |
| Kubernetes Threat Model | 16% |
| Platform Security | 16% |
| Compliance and Security Frameworks | 10% |
If you’ve been in the industry long enough and have some experience with a cloud-native culture and tools, chances are you probably have some fundamental knowledge already in the topic areas of Overview of Cloud Native Security, Platform Security, and Compliance and Security Frameworks.
Compliance and Threat Modelling
I did find myself brushing up on some of the compliance frameworks, as it had been a while since I had read about any of them. I read up on what they are and what they cover: NIST, CIS, GDPR, and PCI DSS. Google is your friend for that.
I also read up on some threat modeling frameworks, STRIDE and DREAD. These were also mentioned in the exam I took.
Cluster component security
The slightly trickier areas I found I had to think about a bit more were Kubernetes Cluster Component Security, Kubernetes Security Fundamentals, and Kubernetes Threat Model.
The cluster component security and security fundamentals questions focused on the components themselves and the best practices you apply to them, for example protecting the secrets stored in etcd.
In my exam experience, there were definitely some questions I had to flag and return to, some real head-scratchers. It’s not an “easy” exam (there aren’t any), but it is an “easier” exam. I passed the first time with a decent score in the low 90s, I think. I wasn’t expecting a score that high!
Links I used for studying:
Kubernetes STRIDE, DREAD & PASTA threat models
Now for the main event! Certified Kubernetes Security Specialist (CKS)
I had already passed the CKA and the CKAD. I wrote about how I prepped for the CKA and creating a cluster to practice.
In a previous life, I was a Linux sysadmin, and I use Linux as part of my day job; it’s a fundamental skill. As I tell people who are just getting started: make sure you have grasped basic Linux skills, networking, and containers before getting into Kubernetes.
I found the jump felt smaller when I first started learning about Kubernetes years ago because I had the fundamental skills mentioned. Learning about the abstraction, context, and importantly, the “why” was much easier with those fundamental skill sets and experience in my toolbelt.
That certainly helped with the CKA and CKAD, but it is not a guaranteed pass for the CKS. This is a very tough exam, and I did not pass on my first try!
Which, at the time, stung, but it helped me focus on what I was good at and what I needed to improve on #FailureisnotFinal
CKS Exam overview
Some information about the exam:
| Domain | Weight |
|---|---|
| Cluster Setup | 10% |
| Cluster Hardening | 15% |
| System Hardening | 15% |
| Minimize Microservice Vulnerabilities | 20% |
| Supply Chain Security | 20% |
| Monitoring, Logging, and Runtime Security | 20% |
Make sure you check out the full information on the domains and competencies on the official CKS exam page.
It’s a performance-based test that requires solving multiple tasks from a command line against running Kubernetes clusters. You have 2 hours to complete the tasks.
I’m not aiming to give any direct, exact questions I got in my exam, that’s not the point of this post and it’s pretty much NDA’d and frowned upon for me to disclose that.
My focus areas. Yours may differ….
These are some areas that were new to me, needed a refresh, or needed my extra focus:
Falco (I wrote about it here): know where to look for logs, how to update rules, and how to find pods based on alerts firing.
A real cheeky one, I thought at the time: I had an Istio task, which does appear under the Minimize Microservice Vulnerabilities domain. I’m just really glad I did a deep dive (shameless plug of my blog post here).
BOM/SBOM: tools like Trivy and the bom utility from the Kubernetes project. Learn how to use them; you will get tasks that use these tools, which cover the Supply Chain Security domain of the exam.
Remember updating a Cluster from your CKA? You should still remember how to do that…..
Know about etcd and how to make configuration changes to it regarding secrets and security best practices.
Get well practised at making changes to the kube-apiserver (implementing logging, plugins and security changes) and practise getting fast and accurate at it. This helped me a lot during my re-take. I was too slow the first time around.
Know about AppArmor and how to implement profiles on nodes and pods.
Know about Seccomp and how it restricts which system calls are allowed.
Practice Network Policies. While you're at it, go practise Cilium network policies too. The Network Policy Editor is a great tool; try it out.
Speaking of speed, the 2 hours pass by incredibly quickly! In both attempts, I flagged 3 out of the 16 tasks that I didn't even try. I simply ran out of time.
Time is not on your side
That said, manage your time and tasks accordingly. Flag the questions you won’t answer right away or those you anticipate requiring more time and effort.
I tried to answer the smaller/easier/preferred tasks first (there were no easy questions on the CKS, only easier and personally preferred).
Then I returned to the bigger and harder tasks. I was working right up to the last second. Time is the real test of this exam.
I passed on my second attempt after failing the first time with a score of 57. I had a good understanding of what I needed to improve, which was generally completing tasks more quickly and focusing on areas like Falco, making changes to the etcd configuration, refreshing my knowledge of working with Service Accounts and Tokens, and refactoring deployments to run in a restricted namespace with Pod Security Admission.
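As an added study aid (not code from the original post), here is a small Python checker for the pod-spec fields that the Pod Security Admission restricted profile enforces. It ties together the seccomp item from the focus list above and the "refactor a deployment to run in a restricted namespace" improvement just mentioned, showing a bare spec beside the same container hardened to pass. The image name and both specs are constructed samples.

```python
# Added study aid: a checker for the pod-spec fields that the Pod Security
# Admission "restricted" profile enforces. It follows the published
# restricted-profile rules but is a teaching tool, not the admission controller.

def restricted_violations(spec: dict) -> list[str]:
    """Return the restricted-profile rules a pod spec breaks (empty = compliant)."""
    problems = []
    pod_sc = spec.get("securityContext", {})
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            problems.append(f"spec.{key} must be false")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c.get("name", "<unnamed>"), c.get("securityContext", {})
        if sc.get("privileged"):
            problems.append(f"{name}: privileged must be false")
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            problems.append(f"{name}: capabilities.drop must include ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            problems.append(f"{name}: only NET_BIND_SERVICE may be added back")
        # runAsNonRoot and seccompProfile may be inherited from the pod level
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f"{name}: runAsNonRoot must be true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return problems


# Constructed sample: the bare spec many deployments start life with.
BEFORE = {"containers": [{"name": "web", "image": "example.invalid/web:1.0"}]}

# The same container refactored so the restricted profile admits it.
AFTER = {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "web", "image": "example.invalid/web:1.0",
        "securityContext": {"allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"],
                                             "add": ["NET_BIND_SERVICE"]}},
    }],
}

if __name__ == "__main__":
    for label, spec in (("before", BEFORE), ("after", AFTER)):
        print(label, restricted_violations(spec) or "compliant")
```

Running it against a manifest you are refactoring tells you which fields still need setting before the namespace's restricted label will admit the pod.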
My closing thoughts
I didn’t feel hard done by failing my first attempt. It felt hard, and I didn’t feel like I knew it all well enough. It’s a bit like when you die in Dark Souls: you didn’t die because the game is unfair, just like I didn’t fail my first exam because the exam was unfair. It’s because I wasn’t good enough (this is why I don’t play Souls games….)
I passed 2nd time around on the nose, with a very efficient 67. My failures helped me get to the point that I passed.
My advice….. Practice. Just practice for speed and accuracy. There are some great scenarios over on killercoda’s Killer Shell. I went through these a lot until I could get through them with minimal documentation help (I spent too much time searching the docs on my first attempt).
I worked and studied every day leading up to the CKS, just practising scenarios and reading. I learn best in small, frequent sessions rather than once per week for a long time. But we’re all different. Little and often is a real-time commitment on top of full-time project work and being a dad of two (with a very supportive and understanding wife!).
Sorry, this one turned into a bit of a long one. This was a real journey, and I'm super happy to be a part of the Kubestronaut program. Passing all 5 certification exams was a real test of skill and experience, and I really enjoyed the learning process.
#FailureisnotFinal #PracticeMakesPermanent
Study resources I found useful:
I shouldn’t have to tell you, but kubernetes.io: get good at searching for what you need quickly!
It might be obvious, but check the official CKS exam page for all the domains and competencies
Kode Kloud - The CKS course is quite comprehensive and has some great practice labs
Make use of the exam simulator that comes with the exam purchase; you get two 36-hour sessions. Use them!
Let me know what you think of certifications, Kubernetes or the Kubestronaut programme!
I’ve had a couple of people message me via LinkedIn asking about learning paths and development, so don’t be a stranger!
Written by Ferris Hall
I’m a Google Cloud certified Platform Engineer and a Google authorised trainer, with a Linux sysadmin background, now working on the Google Cloud platform. I'm passionate about building and deploying infrastructure systems, automation, driving change, and empowering people in learning and development. As an authorised certified Google Cloud trainer, I enjoy sharing what I have learnt, best practices, Google Cloud and general DevOps with people getting started on their journey.