This article is based on my experience studying for and passing the Certified Kubernetes Security Specialist exam. I recently cleared the CKS (Certified Kubernetes Security Specialist) exam with a decent score in my first attempt. So I thought I should share my story of the exam preparation along with the tips and tricks that helped me in clearing the exam. If you are also preparing for the CKS exam, then this article will help you get a good idea on what is the format of the exam, what resources to utilize, how to manage the time during the exam, how to prepare & some important tips related to the exam.

A note before we begin [A brief about Kubernetes]:

If you think getting a CK{A or AD or S} certification seems like a lot of work, you’re right. But that hard work is worth it for many. Since Kubernetes was open-sourced by Google in 2014, it has skyrocketed in popularity. Now a graduated project of the Cloud Native Computing Foundation (CNCF), Kubernetes dominates the market, with 78% of enterprises reporting that they use it to orchestrate containerised workloads and services in production.

With this level of adoption, organisations are eager and struggling to find skilled Kubernetes developers and administrators. A quick search on LinkedIn shows that there are around 50k (47,385) jobs with Kubernetes in the title or description.

Given that the demand is growing for Kubernetes knowledge and skills, getting certified as a Kubernetes specialist makes a lot of sense, and this is just one part of the story.

Kubernetes is the future of infrastructure and almost every company is adopting it nowadays or has plans to adopt it in the near future. This is one of the most sought after skills that customers need now. Almost every organisation is either converting their legacy applications into cloud-native apps or building new apps which are cloud-native.

I have divided the article into relevant sections. Some sections would help you with the preparation phase while some would help you in the actual exam hence feel free to skip any of the sections depending on the current preparation phase you are at.

CKS Pre-Requisites:

Certified Kubernetes Security Specialist (CKS) candidates must have taken and passed the Certified Kubernetes Administrator (CKA) exam prior to attempting the CKS exam.

Apart from this, there are no official prerequisites for this certification. However, before thinking of CKA or CKS, having knowledge of Kubernetes basics is crucial. If you’re a complete newbie and do not know what on earth is Kubernetes? It is highly recommended to get familiar with the basic concepts of Kubernetes before you book your exam dates.

Syllabus:

This is the curriculum for the exam:

The domain-wise syllabus can be seen in the above image, but figuring out which chapters do fall under which domain is a difficult part, thankfully Walid A. Shaari’s Github Repo has already a detailed curated list of the syllabus topics. The repo has all the useful links for the exam and it’s highly recommended to go through it at least once.

You can also check the complete topic wise syllabus at Leandro Martins’s Github Repository.

CKS Exam Format:

The exam is kind of “put your hands on”, where you have some problems to fix within 120 minutes.

This exam is a performance-based exam with no multiple-choice questions. You will be given a set of performance-based problems to be solved in a command line and is expected to take approximately two hours to complete.

The old platform relies on screen sharing in order for the proctor to see the candidate’s screen. This will no longer be the case for the new as they moved from the remote terminal to a complete remote desktop session. The reason behind the change as the Linux Foundation put it, is to improve further the security and privacy of the candidate (no longer screen sharing) and since the exam will take place from PSI’s secured browser, candidates can expect similar experiences who take the exam since everything is done in a single environment that works the same way for everyone.

My tip: Spend time wisely. Use the Notebook feature (provided in exam’s UI) to keep track of your progress, where you might take notes of each question, and put some annotations to help you.

Resources Allowed:

The CKS exam is an open-book exam. You have access to the resources:

1. There are YAML templates provided in a few of the questions. If you want you can re-use them & change the variable values as per the ask.
2. Use the browser within the VM to access the following documentation:

• Kubernetes Documentation: It’s important to mention that you have access to Kubernetes Official Documentation during the exam. So get yourself familiar with Kubernetes online documentation, and know where to find all specific topics listed below. It might be helpful for you during the exam.

• https://kubernetes.io/docs/ and their subdomains
• https://kubernetes.io/blog/ and their subdomains

• Tools

• Trivy documentation https://aquasecurity.github.io/trivy/
• Falco documentation https://falco.org/docs/

• AppArmor

• Documentation https://gitlab.com/apparmor/apparmor/-/wikis/Documentation

CKS Important Resources

Currently, the Linux Foundation provides the CKS certification. Keep your eye out for promotions & discounts during the Cyber Monday or Black Friday sale. I would not recommend purchasing any training material on Linux Foundation. Just purchase only the certification. You can schedule the exam date within 1 year of the purchase date and it also includes one retake in case you don’t get through it the first time. It would also include 2 free exam simulator sessions on Killer.sh.

The following are a few awesome resources available on passing the CKS exam:

• Buy the Certified Kubernetes Security Specialist (CKS) by KodeKloud : A good starting point, well-structured to help you prepare for the exam. It’s not only a good starting point but is well structured to help you prepare for the exam.
• Certified Kubernetes Security Specialist by Killer.sh : Crisp & to the point content
• Walid Shaari has gathered some indispensable materials for the CKS exam
• Zeal Vora CKS Course on Udemy — Another popular course with total video content of ten hours
• Abdennour’s References for CKS Exam Objectives
• Ibrahim Jelliti’s collection of resources to prepare for the Certified Kubernetes Security Specialist (CKSS) exam

CKAD Exam Practice Lab Setups

Now after getting knowledge on all the topics expected in the exam curriculum, the next step should be to PRACTICE.

• Kim Wustkamp’s Course and Zeal Vora’s Course have some questions which you can practice.
• KodeKloud CKS Course Mock tests: The mock tests are super cool to gain confidence while solving the exam problems. I felt that the difficulty level of the course’s mock tests is a little lower than the actual exam (the course may get updated in the future, I am saying this based on my experience when I attempted the exam).
• For the AppArmor and Seccomp, you can take the help of the different learning platforms. I used AcloudGuru for that.
• When you book your exam, there are 2 exam simulator sessions provided by killer.sh. These mock exams are VERY tough as compared to the actual exams, as they mention, but do provide a great learning experience. Do not get demotivated if you flunk badly on time on this one 🙂

CKS Tips & Tricks

• Use kubectl imperative commands to create Kubernetes resources. Copy YAML from the documentation only when you can’t create it using kubectl.
• Carefully change context while attempting questions.
• Time Management is the main concern in the CKS Exam, but if you know the thing and have a clear understanding of what needs to be done in question, you will be able to complete the exam in 2 hrs.
• Don't get panicked because First:- if it is your first attempt then you have the other left.
  Second:- is that you only need 67% to crack the exam.
• And in the exam, you need to modify some of the files, so please take the backup of that file before making any changes, so if anything goes wrong or something is not working you can restore and start it again.
• A good thing in the CKS Exam is, that in some questions you will find the example manifest of the task which you need to perform in questions, the file is stored at some location. It saves time from copying from documentation and then modifying
• You will have to deal with a lot of YAML files in the exam. As such, vi/vim is the to-go option. I would strongly encourage you to invest your time on vi/vim if you are not familiar with it because it will save your time significantly during the exam.
• Use kubectl run with the — dry-run flag as much as you can. If you create a YAML file with — dry-run flag, it’s an easier and faster way to create resources in the cluster.
• The priority is to attempt the questions which you have high confidence that you can complete. Keep in mind that percentages of each question appear on top. This will help you determine if it’s worthwhile to spend time on the question of skip over to attempt the next one.
• Place the resource in a specific namespace as asked in the question. But if you forgot to specify it, it will be placed on the “default” namespace as the default behavior. And you’ll be penalized with a 0 mark for that answer.
• If you are not familiar with any question or problem, just skip it and come back later and use the notepad as a tracking pad. Put all the questions you skipped with the weight as well. For example, if you skip 2 questions with the weight 8% and 2%, you should come back to the question which has more weight.
• In the exam, some questions may require you to edit an already existing Kubernetes resource to apply a different configuration. You can export the resource to a new file, and then delete the resource, then edit the file and create a new resource from the file. Alternatively, you can edit the resource in place using the “kubectl edit” command. This will open the Vim editor with the resource’s YAML where you can make changes as usual. Once you save your changes and exit the editor, Kubernetes will apply the new YAML on top of the existing resource.
• Kubernetes release versions quite frequently. Practice based on the current kubernetes version for the exam.
• Prefer using short names as it will save a lot of time in the exam. I’d encourage you to memorize them at least the commonly used ones such as: po for pods, deploy for deployments ,pv for persistentvolumes
• Create your own alias to save typing the long command. Always do these at the beginning of the exam.

alias k=’kubectl’ : This will save you the time of pressing 7 keystrokes spent on each kubectl command. You only have to do this in Udemy labs. The actual exam will have this preconfigured.

The following kubectl configurations will save you a few seconds from each command execution, which will add up to several precious minutes. Do note that the exam interface will come with the alias k and bash auto-completion for kubectl preconfigured.

• export do=” — dry-run=client -o yaml” Example : k create deploy nginx –image nginx $do > nginx.yaml
• export now=” — grace-period 0 –force” Example: k delete po nginx $now : When you request deletion of a Pod, By default, all pod deletions are graceful within 30 seconds. But you don’t want to wait for 30 seconds in your exams as every second counts so the kubectl delete command supports the — grace-period=<seconds> option which allows you to override the default and specify your own value. Setting the grace period to 0 immediately deletes the Pod from the API server.

DO’s

• Give a lot of practice exams, identify your weak topics and spend more time on those.
• Do labs and mock tests repeatedly (at least three times). Identify what is slowing you down and plan accordingly.
• With each K8 exam purchase you also get 2 free exam simulator practice tests on killer.sh. This gives you access to a test environment which comes very close to the original one. The current exam simulator has 20 complex questions/scenarios to solve in 120 minutes. After the session you will get access to detailed solutions. Go through the detailed solution to see the approach.
• In the exam, if you analyse that any particular question is going to take more than 6–7 mins to solve, flag/mark it to solve for later and come back once you solve the rest.
• Familiarize yourself with tools such as openssl, journald, systemd, etcdctl (for managing etcd)

DON’T’s

• Don’t directly rush over the terminal to solve the question, read it twice before doing anything.
• Don't write YAML files from the beginning
• Don’t overwhelm yourself with alias for everything
• Don't rely on bookmarks
• Don’t ignore the candidate handbook. It has important instructions related to your exam like you’re system requirements . The specifications are: You should have a Reliable Internet Connection, A working Webcam and Microphone, Chrome, Verify things from compatibility checker tool before the start of the exam, Make sure to provide govt issued photo identification, Close non-required programs
• Don’t panic if you are stuck; simply flag/mark the particular question and move ahead. You can always come back to it later. Every question has a weightage associated with it; Prioritise questions according to the time and the weightage.
• Don’t give the exam on the last day , you will have no time left for the re-take.

My Exam Experience

On the exam day, try to log in 30 minutes before the exam. Since the migration to the PSI bridge software, you can check in to the exam yourself 30 minutes before the exam start time. You need to download and install the PSI secure browser but the download button will only become active 30 minutes before the exam (you can’t download and install it a day or two in advance). So don’t wait until the last minute and be there 30 minutes early. Sometimes, you may face trouble while installing the software so make sure to read the installation guide relevant to your OS before the exam. Make sure you don’t have any other processes running during the exam.

Proctor will make sure to follow their process to check your ID proof, room and your desk. The entire process should normally take 25–30 minutes or more, but don’t panic as the proctor will only start the exam after all the verification process is complete and you’re comfortable to start the exam. The exam is easy to pass as long as you know your stuff and have practiced your stuff. Knowing Kubernetes is simply not enough unless you have practice because you will be fighting against time. On any other day, you can open your favourite text editor and write YAML and save them and apply them, at your own pace. But at the exam, that is not feasible. Always you must take the shortest path possible to achieve a result. I followed the 1 min-1 mark rule for managing time. In short, what the rule says is if a question has a weightage of 10 marks, then try not to spend more than 10 minutes on the same question.

As soon as the exam started, I first finished setting up the kubectl aliases by running the commands(kubectl auto-complete is pre-configured). One important thing which I followed throughout the exam was to take a backup of every resource in a separate YAML file, that you are either going to DELETE or UPDATE. Especially the KubeAPIServer, KubeScheduler, and ETCD YAML files as if any of the files is misconfigured, the cluster won’t function properly. Taking backup of one resource may take around 10–30 seconds but believe me if things go south, it can save a lot of time. While taking the backup into a YAML file, add the question number as the prefix of the name of the YAML.

Example: If you are asked to change the network-policy app-netpol in question number 8, then take the backup using a command kubectl get networkpolicy app-netpol -oyaml > 8_netpol.yaml. Trust me, this will help you audit the changes you did at the end of the exam or continue unfinished work in a flagged question.

A very important tip for the last, though this holds good for any certification exam but try to be on a fast, stable internet connection as you will be using a terminal running inside a GUI Linux virtual machine. The lesser the lag, the better the exam experience.

Finally, I would say be calm & enjoy problem-solving. Don’t get bummed out if you don’t get the desired result on your exam. You get one free retake per exam if you haven’t otherwise been deemed ineligible for certification or a retake.

Useful Bookmarks:

You can add or remove the items below list at your convenience, and yes give some good annotations for the bookmarks.

kubectl Cheat Sheet — https://kubernetes.io/docs/reference/kubectl/cheatsheet/

Kubectl Commands — https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands

Network Policies — https://kubernetes.io/docs/concepts/services-networking/network-policies/

Security Context — https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

Secrets — https://kubernetes.io/docs/concepts/configuration/secret/

RBAC — https://kubernetes.io/docs/reference/access-authn-authz/rbac/

Seccomp — https://kubernetes.io/docs/tutorials/clusters/seccomp/

Apparmor — https://kubernetes.io/docs/tutorials/clusters/apparmor/

ImageWebhookPolicy — https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/

Audit Policy — https://kubernetes.io/docs/tasks/debug-application-cluster/audit/

PodSecurityPolicy — https://kubernetes.io/docs/concepts/policy/pod-security-policy/

Kubelet Config — https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/

RuntimeClass — https://kubernetes.io/docs/concepts/containers/runtime-class/

Admission Controllers — https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy

automountServiceAccountToken — https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

Pod Volumes — https://kubernetes.io/docs/concepts/storage/volumes/

PV PVC — https://kubernetes.io/docs/tasks/configure-pod-container/configure-persistent-volume-storage/

Ingress — https://kubernetes.io/docs/concepts/services-networking/ingress/

Third-party links

• Falco Supported fields — https://falco.org/docs/rules/supported-fields/
• AppArmor Documentation — https://gitlab.com/apparmor/apparmor/-/wikis/Documentation

I hope this article’s content helps you with your CKS certification journey. All the best for your exam. Happy Learning!