CKS CNCF Announcement and Exam Study Tips

KubeCon Announcement and Linux Foundation Update

On Tuesday during KubeCon, the Cloud Native Computing Foundation (CNCF) announced the Certified Kubernetes Security Specialist certification is now generally available. The announcement confirmed important information that we previously outlined in our most recent blog detailing the CKS. Thanks to the updates from the Linux Foundation documentation, the updated exam structure is:

• 2 hours long
• Require a passing score of 67%
• 15–20 performance-based tasks
• Uses Kubernetes version 1.19
• Cost $300 USD
• Free exam retake
• Certification valid for two years
• 12-month exam eligibility

Further, the Linux Foundation also outlined the course format, and it is worth reading to help with exam expectations:

• Each task on this exam must be completed using a designated cluster/configuration context.
• Sixteen clusters comprise the exam environment, one for each task. Each cluster is made up of one master node and one worker node.
• At the start of each task, an infobox provides you with the cluster name/context and the master and worker node’s hostname.
• You can switch the cluster/configuration context using a command such as the following: kubectl config use-context <cluster/context name>.
• Nodes making up each cluster can be reached via ssh, using a command such as the following: ssh <nodename>.
• You have elevated privileges on any node by default, so there is no need to assume elevated privileges.
• You must return to the base node (hostname CLI) after completing each task.
• Nested−ssh is not supported.
• You can use kubectl and the appropriate context to work on any cluster from the base node. When connected to a cluster member via ssh, you will only work on that cluster via kubectl.
• Further instructions for connecting to cluster nodes will be provided in the appropriate tasks.
• The CKS environment is currently running Kubernetes v1.19. (Quarterly exam updates are planned to match future Kubernetes releases).

With the exam’s cemented details, it is time to prepare for the exam with some tips and tasks to pass the exam.

Preparing for the Exam

To help prepare for the CKS exam, I have created a GitHub Repo that will create a Kubernetes cluster using version 1.19 and provide Kubernetes security tasks to evaluate your expertise. Over the coming months, I will be updating the repo with various Kubernetes security concepts, topics, and creating new tasks to test your knowledge.

Follow along by starring our Kubernetes Security Specialist Study Guide GitHub repository and open issues about concepts/functionality.

Tips for Taking the Exam

With learned lessons from the CKA exam, here are some general tips for dealing with the performance and task-based Kubernetes exams.

• Always review the Linux Foundations documentation. For frequently asked questions and any updates to the exam structure.
• Read each question carefully and manage the time accordingly. If a question asks for a pod, make sure to create a pod and not a deployment. The exam will evaluate based on the outputs to files and deployment/pod names. Errors in filenames/pods names may cause the question to be evaluated as incorrect.
• Bookmark and use any resources form the following domains and their respective subdomains:
  • https://kubernetes.io/docs/
  • https://github.com/kubernetes/
  • https://kubernetes.io/blog/
• Recording task progression will help to prioritize where to spend the final moments during the exam. There is a notepad during the exam, and I recommended keeping track of all questions, their point value, and your confidence in the answer.
• Since time is of the essence, take advantage of the kubectl cheat sheet, and use aliases to cut down on kubectl typos.
• Be proficient in vi/vim/nano for file editing during the test and be aware of tabs/spacing.
• Pay attention to the question context. There will be a context change command at the beginning of every question. Since there are 16 unique clusters, make sure to address the correct cluster to use time efficiently (and produce fewer headaches).
• Never write a YAML file from scratch. Use the –dry-run=client -o yaml > example.yaml to output example formats without submitting the commands to the cluster. Similarly, pipe kubectl outputs to files for easier edits to objects in the cluster.
• Learn how to sort through JSON outputs. There will most likely be a question where the question calls for a search through active pods/deployments for labels, memory limits, CPU limits, etc. Save a significant amount of time on a low-value question by sifting through objects efficiently.
• The exam will most likely use kubeadm for creating the Kubernetes Cluster. Review the Systemd basics, and review where the cluster configuration yaml files are located.
• When using ssh, ensure that you exit from the node to the central node.

During the Exam

For the two hours during the exam, you will not be able to do anything. The Linux Foundation is strict on the exam requirements and calls for an empty room, no visible writing materials, and a clean desk. Make sure to get a good night’s sleep, drink some water beforehand, take 30 minutes before the test to get up, walk around, and take a few deep breaths. You got this!

How Can I Contribute and Get Started?

1. Register for the CKS at the Linux Foundation website.
2. Star the Kubernetes Security Specialist Study Guide GitHub repository and review the other resources outlined in the README to a better understand the various concepts.
3. Lastly, the CNCF and StackRox want to help users become more security conscious about Kubernetes and cloud-native technologies. Please, give the exam and preparation feedback to help the community grow.