Who Is It For

A Certified Kubernetes Security Specialist (CKS) is an accomplished Kubernetes practitioner (must be CKA certified) who has demonstrated competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime.

About This Certification

CKS is a performance-based certification exam that tests candidates’ knowledge of Kubernetes and cloud security in a simulated, real world environment. Candidates must have taken and passed the Certified Kubernetes Administrator (CKA) exam prior to attempting the CKS exam. CKS may be purchased but not scheduled until CKA certification has been achieved.
CKA Certification must be active (non-expired) on the date the CKS exam (including Retakes) is scheduled.

What It Demonstrates

Obtaining a CKS demonstrates a candidate possesses the requisite abilities to secure container-based applications and Kubernetes platforms during build, deployment and runtime, and is qualified to perform these tasks in a professional setting.

The certification exam tests specific domains and competencies including:

Exam Details & Resources

This exam is an online, proctored, performance-based test that requires solving multiple tasks from a command line running Kubernetes. Candidates have 2 hours to complete the tasks.

Candidates who register for the Certified Kubernetes Security Specialist (CKS) exam will have 2 attempts (per exam registration) to an exam simulator, provided by Killer.sh.  

Certified Kubernetes Security Specialist (CKS) candidates must have taken and passed the Certified Kubernetes Administrator (CKA) exam prior to attempting the CKS exam.

CKS may be purchased but not scheduled until CKA certification has been achieved.
CKA Certification must be active (non-expired) on the date the CKS exam (including Retakes) is scheduled.

The exam is based on Kubernetes v1.23
The CKS exam environment will be aligned with the most recent K8s minor version within approximately 4 to 8 weeks of the K8s release date

Please review the Candidate Handbook, Curriculum Overview and Exam Tips along with other recommended resources below.

• Candidate Handbook
• Curriculum Overview
• Exam Tips
• Frequently Asked Questions
• Linux Foundation Global Certification and Confidentiality Agreement
• Verify Certification
• Exam Environment Demo

PrerequisitesActive

(non-expired) CKA certification is a prerequisite for this exam.

Who Is It For

This certification is for Kubernetes engineers, cloud engineers and other IT professionals responsible for building, deploying, and configuring cloud native applications with Kubernetes.

About This Certification

CKAD has been developed by The Linux Foundation and the Cloud Native Computing Foundation (CNCF), to help expand the Kubernetes ecosystem through standardized training and certification. This exam is an online, proctored, performance-based test that consists of a set of performance-based tasks (problems) to be solved in a command line.

What It Demonstrates

The Certified Kubernetes Application Developer (CKAD) can design, build and deploy cloud-native applications for Kubernetes.
A CKAD can define application resources and use Kubernetes core primitives to create/migrate, configure, expose and observe scalable applications.
The exam assumes working knowledge of container runtimes and microservice architecture.

The successful candidate will be comfortable:
– working with (OCI-compliant) container images
– applying Cloud Native application concepts and architectures
– working with and validating Kubernetes resource definitions

This exam curriculum includes these general domains and their weights on the exam:

• Application Design and Build – 20%
  • Define, build and modify container images
  • Understand Jobs and CronJobs
  • Understand multi-container Pod design patterns (e.g. sidecar, init and others)
  • Utilize persistent and ephemeral volumes
• Application Deployment – 20%
  • Use Kubernetes primitives to implement common deployment strategies (e.g. blue/green or canary)
  • Understand Deployments and how to perform rolling updates
  • Use the Helm package manager to deploy existing packages
• Application Observability and Maintenance – 15%
  • Understand API deprecations
  • Implement probes and health checks
  • Use provided tools to monitor Kubernetes applications
  • Utilize container logs
  • Debugging in Kubernetes
• Application Environment, Configuration and Security – 25%
  • Discover and use resources that extend Kubernetes (CRD)
  • Understand authentication, authorization and admission control
  • Understanding and defining resource requirements, limits and quotas
  • Understand ConfigMaps
  • Create & consume Secrets
  • Understand ServiceAccounts
  • Understand SecurityContexts
• Services and Networking – 20%
  • Demonstrate basic understanding of NetworkPolicies
  • Provide and troubleshoot access to applications via services
  • Use Ingress rules to expose applications

Exam Details & Resources

This exam is an online, proctored, performance-based test that consists of a set of performance-based tasks (problems) to be solved in a command line. Candidates have 2 hours to complete the tasks.

Candidates who register for the Certified Kubernetes Application Developer (CKAD) exam will have 2 attempts (per exam registration) to an exam simulator, provided by Killer.sh.  

The exam is based on Kubernetes v1.24.
The CKAD exam environment will be aligned with the most recent K8s minor version within approximately 4 to 8 weeks of the K8s release date

• Candidate Handbook
• Curriculum Overview
• Linux Foundation Global Certification and Confidentiality Agreement
• Exam Tips
• Frequently Asked Questions

Prerequisites

There are no pre-requisites for this exam.

Who Is It For

This certification is for Kubernetes administrators, cloud administrators and other IT professionals who manage Kubernetes instances.

About This Certification

CKA was created by The Linux Foundation and the Cloud Native Computing Foundation (CNCF) as a part of their ongoing effort to help develop the Kubernetes ecosystem. The exam is an online, proctored, performance-based test that requires solving multiple tasks from a command line running Kubernetes.

What It Demonstrates

A certified K8s administrator has demonstrated the ability to do basic installation as well as configuring and managing production-grade Kubernetes clusters. They will have an understanding of key concepts such as Kubernetes networking, storage, security, maintenance, logging and monitoring, application lifecycle, troubleshooting, API object primitives and the ability to establish basic use-cases for end users.

The Certification focuses on the skills required to be a successful Kubernetes Administrator in industry today. This includes these general domains and their weights on the exam:

Exam Details & Resources

This exam is an online, proctored, performance-based test that requires solving multiple tasks from a command line running Kubernetes.

Candidates have 2 hours to complete the tasks.

Candidates who register for the Certified Kubernetes Administrator (CKA) exam will have 2 attempts (per exam registration) to an exam simulator, provided by Killer.sh.  

The exam is based on Kubernetes v1.27
The CKA exam environment will be aligned with the most recent K8s minor version within approximately 4 to 8 weeks of the K8s release date

• Candidate Handbook
• Curriculum Overview
• Exam Tips
• Frequently Asked Questions
• Linux Foundation Global Certification and Confidentiality Agreement
• Verify Certification
• CKA Reseller FAQs

Prerequisites

There are no pre-requisites for this exam.

CHEATSHEET

This cheatsheet with useful commands and information that will be handy to review before taking the exam. This cheatsheet NOT the exam answer , just for your revision and reference ONLY!!!

Core Concepts

View resources in namespace dev:

kubectl get pods -n dev

View all pods in all namespaces:

kubectl get pods -A

View all resources in all namespaces:

kubectl get all -A

Generate a pod yaml file with nginx image and label env=prod:

kubectl run nginx --image=nginx --labels=env=pro --dry-run=client -o yaml > nginx_pod.yaml

Delete a pod nginx fast:

kubectl delete pod ngin --grace-period 0 --force

Generate Deployment yaml file:

kubectl create deploy --image=nginx nginx --dry-run=client -o yaml > nginx-deployment.yaml

Access a service test-service in a different namespace dev:

test-service.dev

Create a service for a pod valid-pod, which serves on port 444 with the name frontend:

kubectl expose pod valid-pod --port=444 --name=frontend

Recreate the contents of a yaml file:

kubectl replace --force -f nginx.yaml

Edit details of a deployment nginx:

kubectl edit deploy nginx

Set image of a deployment nginx:

kubectl set image deploy nginx nginx=nginx:1.18

Scale deployment nginx to 4 replicas and record the action:

kubectl scale deploy nginx --repliacs=4 --record

Get events in the current namespace:

kubectl get events

Scheduling

Get pods with their labels:

kubectl get pods --show-labels

Get the pods that are labeled env=dev:

kubectl get pods -l env=dev

Get taints of node node01:

kubectl describe node node01 | grep -i Taints:

Label node node01 with label size=small:

kubectl label nodes node01 size=small

Default static pods path:

/etc/kubernetes/manifests

Check pod nginx logs:

kubectl logs nginx

Check pod logs with multiple containers:

kubectl logs <pod_name> -c <container_name>

Monitoring

Check node resources usage:

kubectl top node

Check pod and their containers resource usage:

kubectl top pod --containers=true

Application Lifecycle Management

Check rollout status of deployment app:

kubectl rollout status deployment/app

Check rollout history of deployment app:

kubectl rollout history deployment/app

Undo rollout:

kubectl rollout undo deployment/app

Create configmap app-config with env=dev:

kubectl create configmap app-config --from-literal=env=dev

Create secret app-secret with pass=123:

kubectl create secret generic app-secret --from-literal=pass=123

Cluster Maintenance

Drain node node01 of all workloads:

kubectl drain node01

Make the node schedulable again:

kubectl uncordon node01

Upgrade cluster to 1.18 with kubeadm:

kubeadm upgrade plan
apt-get upgrade -y kubeadm=1.18.0–00
kubeadm upgrade apply v1.18.0
apt-get upgrade -y kubelet=1.18.0–00
systemctl restart kubelet

Backup etcd:

export ETCDCTL_API=3
etcdctl \
--endpoints=https://127.0.0.1:2379 \
--cacert=/etc/kubernetes/pki/etcd/ca.crt \
--cert=/etc/kubernetes/pki/etcd/server.crt \
--key=/etc/kubernetes/pki/etcd/server.key \
snapshot save /tmp/etcd-backup.db

Restore etcd:

ETCDCTL_API=3 etcdctl snapshot restore /tmp/etcd-backup.db --data-dir /var/lib/etcd-backup

After edit /etc/kubernetes/manifests/etcd.yaml and change /var/lib/etcd to /var/lib/etcd-backup.

Security

Create service account sa_1:

kubectl create serviceaccount sa_1

Check kube-apiserver certificate details:

openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout

Approve certificate singing request for user john:

kubectl certificate approve john

Check the current kubeconfig file:

kubectl config view

Check current context:

kubectl config current-context

Use context dev-user@dev:

kubectl config use-context prod-user@production

Validate if user john can create deployments:

kubectl auth can-i create deployments --as john

Create role dev to be able to create secrets:

kubectl create role dev --verb=create --resource=secret

Bind the role dev to user john:

kubectl create rolebinding dev-john --role dev --user john

Check namespaced resources:

kubectl api-resources --namespaced=true

Troubleshooting

View all the kube-system related pods:

kubectl get pods -n kube-system

Check if all nodes are in ready state:

kubectl get nodes

Check memory, cpu and disk usage on node:

df -h
top

Check status of kubelet service on node:

systemctl status kubelet

Check kubelet service logs:

sudo journalctl -u kubelet

View kubelet service details:

ps -aux | grep kubelet

Check cluster info:

kubectl cluster-info

Gather info

Find pod CIDR:

kubectl describe node | less -p PodCIDR

Get pods in all namespaces sorted by creation timestamp:

kubectl get pod -A --sort-by=.metadata.creationTimestamp

Find the service CIDR of node-master:

ssh node0master
cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep range

Find which CNI plugin is used on node-master:

ls /etc/cni/net.d/

Find events ordered by creation timestamp:

kubectl get events -A --sort-by=.metadata.creationTimestamp

Find internal IP of all nodes:

kubectl get nodes -o jsonpath=’{.items[*].status.addresses[?(@.type==”InternalIP”)].address}’

Exam Voucher (Kubernetes Related)

b1

Exam Voucher (Kubernetes Related)

[CKS EXAM Voucher] – Certified Kubernetes Security Specialist

18 5 月, 2021

Who Is It For A Certified Kubernetes Security Specialist (CKS) is an accomplished Kubernetes practitioner (must be CKA certified) who has demonstrated...

b1

Exam Voucher (Kubernetes Related)

[CKAD EXAM Voucher] – Certified Kubernetes Application Developer

17 5 月, 2021

Who Is It For This certification is for Kubernetes engineers, cloud engineers and other IT professionals responsible for building, deploying, and configuring...

b1

Exam Voucher (Kubernetes Related)

[CKA EXAM Voucher] – Certified Kubernetes Administrator

21 4 月, 2021

Who Is It For This certification is for Kubernetes administrators, cloud administrators and other IT professionals who manage Kubernetes instances. About This...