How To Conquer the 2024 Certified Kubernetes Security Specialist (CKS) Exam

Strategies From My Personal Journey

Patrick Kalkman

8 min read
How To Conquer the 2024 Certified Kubernetes Security Specialist (CKS) Exam
Studying for the Certified Kubernetes Security Specialist (CKS) Exam, image generated by Midjourney, prompt by author

Last Thursday, 11 April 2024, I passed the Certified Kubernetes Security Specialist (CKS) exam with a score of 89, well above the required minimum of 67.

Scoring an 89 on the Certified Kubernetes Security Specialist (CKS) exam might give the impression of a trouble-free success. Yet, beneath that achievement was an undercurrent of challenge, beginning with a nerve-wracking hiccup during the identity verification process.

While this didn’t eat into my exam time, it was a pulse-quickening test of patience, setting the stage for an experience where every minute was precious, and the pressure was palpable.

This was my third certification exam through the Linux Foundation, having previously passed the Certified Kubernetes Application Developer (CKAD) and Certified Kubernetes Administrator (CKA) exams.

It's important to note that it builds on the foundational knowledge tested in the CKA exam, which must be passed and active before attempting the CKS.

The exam was based on Kubernetes v1.29 and conducted in a remote desktop environment using the secure PSI browser.

This article describes my preparation strategy and experiences studying for and taking the CKS exam. By sharing my approach, I aim to guide and inform you on the most effective ways to prepare for this challenging yet rewarding certification.

My exam preparation

I work with Kubernetes daily, so I have experience managing a Kubernetes cluster and using managed Kubernetes services.

I used two courses for preparation. First, I started with the Kubernetes CKS Complete Course — Theory — Practice from Kim Wuestkamp on Udemy, a very good course. I think Kim is also one of the creators of the killer shell environment.

Kim Wuestkamp recently closed the course on Udemy, which no longer accepts new enrollments, and uploaded it to YouTube. If you don’t mind some advertisements, you can watch it for free.

Kim shows you how to set up a Kubeadm cluster on Google Cloud so you can practice while studying.

Secondly, I used Mumshad Mannambeth’s course Certified Kubernetes Security Specialist (CKS) on Kodecloud. It is a perfect preparation course that includes several practice examples from within the study environment.

After I completed both courses, I went on to perform the killer.sh mock exam. When you register for the exam at the Linux Foundation, you get two free Killer.sh simulator sessions. Each session, you have 36-hour access to a Kubernetes cluster where you have to answer the 24 exam questions.

Killer.sh states that its exam is more challenging than the actual exam. I don't see it this way. They are the same. The difference is that the killer.sh exam had 22 questions, while on the actual exam, there were 16.

Observations before and during my exam

Before delving into the tactical intricacies of the exam, let’s explore some observations and challenges that arose both in the preparation phase and on the day of the exam itself.

Identity Verification Challenges

During my exam setup, I encountered an issue with the identity verification step, which a proctor oversees. The process offers two options for submitting identification: using your webcam or a mobile phone.

I initially opted to use my webcam to submit a photo of my passport. However, the proctor could not verify my passport due to technical issues, resulting in a disconnection from the exam environment. This required intervention from technical support.

Tip: Use Mobile Phone Verification

Based on my experience, I recommend using your mobile phone for identity verification. The technical support team assisted me in successfully scanning my passport using my phone, which proved more reliable.

Dealing with technical issues during the identity verification can add significant stress and distract from your focus on the exam. You can minimize disruptions and maintain concentration by ensuring a smooth and swift verification process using your mobile phone.

Adapting to the Absence of Question Ratings

In previous exams, I adopted a strategy of prioritizing questions based on their ratings, typically skipping those that were rated as more difficult or time-consuming.

For instance, if I encountered persistent syntax errors in my YAML files during kubectl operations, I would flag the troublesome question and tackle others that might yield quicker results.

However, in the latest iteration of the exam, the familiar ratings for each question were absent, a change that required a shift in my approach. After completing the exam, I sought clarification and discovered from the Linux Foundation’s FAQ that they had removed these ratings.

“The item weights (once available for certain exams) were removed to reduce the use of “test-taking strategy” during exams. (Before the removal of the weights, candidates tended to hyper focus on the highest weighted tasks, causing them to waste time during the exam and ultimately not perform as well.)”

Troubleshooting the Kube-apiserver startup Issues

While preparing for the CKS exam, it’s crucial to master troubleshooting the kube-apiserver, especially since it’s prone to issues if misconfigured. I’ve encountered such problems a few times, typically due to errors in configuring the kube-apiserver static pod. It’s crucial to pinpoint the cause to keep everything running smoothly and quickly.

Diagnosing Issues with kube-apiserver Configurations

  1. Errors in the YAML Configuration

If there is a mistake in the YAML file of the kube-apiserver, the kubelet won’t be able to start it, and interestingly, you won’t find any kube-apiserver logs in /var/log. This is because the kubelet logs are the first place to check since they capture the errors related to pod startup. Use the command journalctl -u kubelet to view these logs and identify what's incorrect in your YAML configuration.

2. Errors in the Configuration Referenced by kube-apiserver Arguments:

Even if your kube-apiserver YAML is configured correctly, errors can still arise from incorrect configurations in the arguments referenced by the kube-apiserver, such as a faulty audit policy file. In such cases, kube-apiserver attempts to start but fails, logging the issue in a specific log file found under /var/log/pod. Navigate to this directory, locate the kube-apiserver log file, and open it to diagnose the error.

Swift and efficient command-line proficiency isn’t just an asset—it’s necessary for navigating the stringent time constraints of the CKS exam. In the next section, I’ll describe the tactical maneuvers and strategies that improved my speed and efficiency during my study sessions and the exam itself.

The Need for Speed

Speed is a critical factor in the success of performance-based exams, a common theme across all the Linux Foundation tests I have encountered. There isn’t enough time to leisurely browse the documentation, copy examples, and modify them to fit your answers.

Efficiency is key. Below, I’ll share some practical tips that have helped me increase my speed during these exams, ensuring I make the most of the limited time available.

Speed Tip 1: Use Imperative Commands

You might be accustomed to using declarative commands in your day-to-day work within a production Kubernetes environment. This approach involves defining the desired state of a Kubernetes object through a YAML file and applying it via kubectl to the Kubernetes API. The cluster then creates the object and achieves the specified state.

However, for the exam, where time is of the essence, you can gain a significant speed advantage by opting for imperative commands. These commands allow you to create and modify resources directly and quickly without the need to draft a YAML file each time.

Say that we want to create a Kubernetes ConfigMap called MyConfigMap in the namespace fire that contains a key of database_host with the value 192.168.16.1.

You must apply the following yaml file to the cluster using declarative syntax. In this case, you must remember which apiVersion to use and format the file correctly.

A quicker way is to build the ConfigMap using imperative syntax. See below. It takes a lot less to type and is easier to remember.

k -n fire create cm MyConfigMap --from-literal=database_host=192.168.16.1

However, it’s important to note that not all Kubernetes objects can be created using imperative kubectl commands. For instance, using imperative syntax, you cannot directly create a persistent volume or a persistent volume claim. To see which objects you can create imperatively, consult the help section by running kubectl create --help.

Despite these limitations, mastering imperative commands for the objects that do support them can drastically reduce the time you spend on each task. Ensure that you are comfortable with the following imperative commands, as they are commonly used and supported:

  • Creating a Role:
    kubectl create role myrole --verb=get --resource=pods
  • Creating a RoleBinding:
    kubectl create rolebinding myrolebinding --role=myrole --user=jane
  • Creating a Secret:
    kubectl create secret generic mysecret --from-literal=key1=value1
  • Creating a Pod:
    kubectl run mypod --image=nginx
  • Creating a Deployment:
    kubectl create deploy mydeploy --image=nginx

Familiarizing yourself with these commands can help you navigate the exam more efficiently, saving time for complex scenarios requiring detailed YAML configurations.

Speed Tip 2: Start with the Namespace in Your Commands

One of the powerful features available during the CKS exam is command-line completion, which can greatly accelerate your ability to execute commands accurately.

It is advisable to specify the namespace immediately after the kubectl command to maximize this advantage. This simple practice ensures that kubectl customizes command completion to the specified namespace, significantly enhancing the speed and accuracy of command entry.

Example: Begin your commands like this: kubectl -n mynamespace.

After typing this and pressing the tab key, the completion suggestions will be limited to resources within mynamespace. This focused approach reduces the confusion of sifting through global resources and sharpens your command-line interface toward pertinent tasks.

Adopting this method minimizes the risk of errors and saves valuable time by filtering out irrelevant command suggestions. Streamlining your commands can markedly improve your performance in an exam as critical as the CKS, where every second is vital.

Speed Tip 3: Utilize Multiple Terminals

Effectively managing your workspace can dramatically enhance your efficiency during the CKS exam. One effective strategy that seems obvious is to open multiple terminal windows. This setup allows you to multitask efficiently, performing parallel operations continuously without pausing or switching contexts.

Example Workflow: While conducting security checks with tools like kube-bench, you can output the report to a file in one terminal using the command kube-bench > result.txt. After completion, open the file in the same terminal and execute the proposed changes in another terminal.

Benefits:

  • Parallel Processing: Generate reports or logs in one terminal while writing scripts or applying configurations in another. This can be particularly useful when you need to apply fixes or changes based on the output of security scans or logs.
  • Immediate Access to Information: You can keep reference material or command output visible in one terminal while you work in another. This reduces the need to toggle between tasks and keeps critical information at your fingertips.
  • Efficient Troubleshooting: If an operation fails in one terminal, you can use another to troubleshoot without disturbing the original command’s setup.

Speed Tip 4: Advanced Setup and Shortcuts

With the previous version of the exam and environment, you had to create a kubectl alias and correctly configure your .vimrc. Luckily for us, this is already configured in the current environment.

When studying via the Killer.sh simulator, ensure you learn the correct keyboard shortcuts for copying and pasting from the terminal and web browser. I had more success with my Windows machine than my MacBook, so I used my Windows machine for the exam.

I still used the following two environment variables during the exam to speed up the interaction with the Kubernetes cluster.

export do="--dry-run=client -o yaml" 
export now="--grace-period 0 --force"

This enabled me to use an imperative command to create a skeleton for a resource and change the generated yaml with some options.

For example, you can do the following to generate a pod template before setting an AppArmor profile for a pod.

k -n security run apparmor_pod --image=nginx $do > apparmor_pod.yaml

Then, you can open up the generated apparmor_pod.yaml and add the annotations for the apparmor profile.

apiVersion: v1 
kind: Pod 
metadata: 
  annotations: 
    container.apparmor.security.beta.kubernetes.io/apparmor_pod: localhost/profile 
  creationTimestamp: null 
  labels: 
    run: apparmor_pod 
  name: apparmor_pod 
  namespace: security 
spec: 
  containers: 
  - image: nginx 
    name: apparmor_pod 
    resources: {} 
  dnsPolicy: ClusterFirst 
  restartPolicy: Always 
status: {}

I used these variables less than I did with the previous CKAD and CKA exams. Now, I just directly used the --force argument to delete a resource without waiting instead of using $now.

Conclusion

Embarking on the journey through the Certified Kubernetes Security Specialist (CKS) exam has been a riveting chapter of my professional growth.

Alongside the enjoyment and the wealth of knowledge gained, it marked a significant milestone — this was the third and final Kubernetes certification for me, bringing a sense of completion to my endeavors in this domain.

Though my daily work will continue to intertwine with Kubernetes, my hunger for knowledge urges me to pivot my focus toward new study horizons.

The key takeaway from this experience is the indispensable role of agility on the command line with kubectl, bolstered by the myriad of resources at our disposal for practice.

To those embarking on this path, know that dedication and diligent practice are your allies. Invest time and harness these resources; you can also celebrate success in this demanding yet immensely rewarding examination.

If you need additional information or have questions about the exam, let me know in the comments.

Happy studying!

Read more