Who Is It For

A Certified Kubernetes Security Specialist (CKS) is an accomplished Kubernetes practitioner (must be CKA certified) who has demonstrated competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime.

About This Certification

CKS is a performance-based certification exam that tests candidates’ knowledge of Kubernetes and cloud security in a simulated, real world environment. Candidates must have taken and passed the Certified Kubernetes Administrator (CKA) exam prior to attempting the CKS exam. CKS may be purchased but not scheduled until CKA certification has been achieved.
CKA Certification must be active (non-expired) on the date the CKS exam (including Retakes) is scheduled.

What It Demonstrates

Obtaining a CKS demonstrates a candidate possesses the requisite abilities to secure container-based applications and Kubernetes platforms during build, deployment and runtime, and is qualified to perform these tasks in a professional setting.

The certification exam tests specific domains and competencies including:

Domains & CompetenciesWeight
Cluster Setup
– Use Network security policies to restrict cluster level access
– Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
– Properly set up Ingress objects with security control
– Protect node metadata and endpoints
– Minimize use of, and access to, GUI elements
– Verify platform binaries before deploying
10%
Cluster Hardening
– Restrict access to Kubernetes API
– Use Role Based Access Controls to minimize exposure
– Exercise caution in using service accounts e.g. disable defaults, minimize permissions on newly created ones
– Update Kubernetes frequently
15%
System Hardening
– Minimize host OS footprint (reduce attack surface)
– Minimize IAM roles
– Minimize external access to the network
– Appropriately use kernel hardening tools such as AppArmor, seccomp
15%
Minimize Microservice Vulnerabilities
– Setup appropriate OS level security domains e.g. using PSP, OPA, security contexts
– Manage Kubernetes secrets
– Use container runtime sandboxes in multi-tenant environments (e.g. gvisor, kata containers)
– Implement pod to pod encryption by use of mTLS
20%
Supply Chain Security
– Minimize base image footprint
– Secure your supply chain: whitelist allowed registries, sign and validate images
– Use static analysis of user workloads (e.g.Kubernetes resources, Docker files)
– Scan images for known vulnerabilities
20%
Monitoring, Logging, and Runtime Security
– Perform behavioral analytics of syscall process and file activities at the host and container level to detect malicious activities
– Detect threats within physical infrastructure, apps, networks, data, users and workloads
– Detect all phases of attack regardless where it occurs and how it spreads
– Perform deep analytical investigation and identification of bad actors within environment
– Ensure immutability of containers at runtime
– Use Audit Logs to monitor access
20%

Exam Details & Resources

This exam is an online, proctored, performance-based test that requires solving multiple tasks from a command line running Kubernetes. Candidates have 2 hours to complete the tasks.

Candidates who register for the Certified Kubernetes Security Specialist (CKS) exam will have 2 attempts (per exam registration) to an exam simulator, provided by Killer.sh.  

Certified Kubernetes Security Specialist (CKS) candidates must have taken and passed the Certified Kubernetes Administrator (CKA) exam prior to attempting the CKS exam.

CKS may be purchased but not scheduled until CKA certification has been achieved.
CKA Certification must be active (non-expired) on the date the CKS exam (including Retakes) is scheduled.

The exam is based on Kubernetes v1.23
The CKS exam environment will be aligned with the most recent K8s minor version within approximately 4 to 8 weeks of the K8s release date

Please review the Candidate Handbook, Curriculum Overview and Exam Tips along with other recommended resources below.

PrerequisitesActive

(non-expired) CKA certification is a prerequisite for this exam.

Who Is It For

This certification is for Kubernetes engineers, cloud engineers and other IT professionals responsible for building, deploying, and configuring cloud native applications with Kubernetes.

About This Certification

CKAD has been developed by The Linux Foundation and the Cloud Native Computing Foundation (CNCF), to help expand the Kubernetes ecosystem through standardized training and certification. This exam is an online, proctored, performance-based test that consists of a set of performance-based tasks (problems) to be solved in a command line.

What It Demonstrates

The Certified Kubernetes Application Developer (CKAD) can design, build and deploy cloud-native applications for Kubernetes.
A CKAD can define application resources and use Kubernetes core primitives to create/migrate, configure, expose and observe scalable applications.
The exam assumes working knowledge of container runtimes and microservice architecture.

The successful candidate will be comfortable:
– working with (OCI-compliant) container images
– applying Cloud Native application concepts and architectures
– working with and validating Kubernetes resource definitions

This exam curriculum includes these general domains and their weights on the exam:

Exam Details & Resources

This exam is an online, proctored, performance-based test that consists of a set of performance-based tasks (problems) to be solved in a command line. Candidates have 2 hours to complete the tasks.

Candidates who register for the Certified Kubernetes Application Developer (CKAD) exam will have 2 attempts (per exam registration) to an exam simulator, provided by Killer.sh.  

The exam is based on Kubernetes v1.24.
The CKAD exam environment will be aligned with the most recent K8s minor version within approximately 4 to 8 weeks of the K8s release date

Prerequisites

There are no pre-requisites for this exam.

Who Is It For

This certification is for Kubernetes administrators, cloud administrators and other IT professionals who manage Kubernetes instances.

About This Certification

CKA was created by The Linux Foundation and the Cloud Native Computing Foundation (CNCF) as a part of their ongoing effort to help develop the Kubernetes ecosystem. The exam is an online, proctored, performance-based test that requires solving multiple tasks from a command line running Kubernetes.

What It Demonstrates

A certified K8s administrator has demonstrated the ability to do basic installation as well as configuring and managing production-grade Kubernetes clusters. They will have an understanding of key concepts such as Kubernetes networking, storage, security, maintenance, logging and monitoring, application lifecycle, troubleshooting, API object primitives and the ability to establish basic use-cases for end users.

The Certification focuses on the skills required to be a successful Kubernetes Administrator in industry today. This includes these general domains and their weights on the exam:

Domains & CompetenciesWeight
Storage
– Understand storage classes, persistent volumes
– Understand volume mode, access modes and reclaim policies for volumes
– Understand persistent volume claims primitive
– Know how to configure applications with persistent storage
10%
Troubleshooting
– Evaluate cluster and node logging
– Understand how to monitor applications
– Manage container stdout & stderr logs
– Troubleshoot application failure
– Troubleshoot cluster component failure
– Troubleshoot networking
30%
Workloads & Scheduling
– Understand deployments and how to perform rolling update and rollbacks
– Use ConfigMaps and Secrets to configure applications
– Know how to scale applications
– Understand the primitives used to create robust, self-healing, application deployments
– Understand how resource limits can affect Pod scheduling
– Awareness of manifest management and common templating tools
15%
Cluster Architecture, Installation & Configuration
– Manage role based access control (RBAC)
– Use Kubeadm to install a basic cluster
– Manage a highly-available Kubernetes cluster
– Provision underlying infrastructure to deploy a Kubernetes cluster
– Perform a version upgrade on a Kubernetes cluster using Kubeadm
– Implement etcd backup and restore
25%
Services & Networking
– Understand host networking configuration on the cluster nodes
– Understand connectivity between Pods
– Understand ClusterIP, NodePort, LoadBalancer service types and endpoints
– Know how to use Ingress controllers and Ingress resources
– Know how to configure and use CoreDNS
– Choose an appropriate container network interface plugin
20%

Exam Details & Resources

This exam is an online, proctored, performance-based test that requires solving multiple tasks from a command line running Kubernetes.

Candidates have 2 hours to complete the tasks.

Candidates who register for the Certified Kubernetes Administrator (CKA) exam will have 2 attempts (per exam registration) to an exam simulator, provided by Killer.sh.  

The exam is based on Kubernetes v1.27
The CKA exam environment will be aligned with the most recent K8s minor version within approximately 4 to 8 weeks of the K8s release date

Prerequisites

There are no pre-requisites for this exam.

CHEATSHEET

This cheatsheet with useful commands and information that will be handy to review before taking the exam. This cheatsheet NOT the exam answer , just for your revision and reference ONLY!!!

Core Concepts

View resources in namespace dev:

kubectl get pods -n dev

View all pods in all namespaces:

kubectl get pods -A

View all resources in all namespaces:

kubectl get all -A

Generate a pod yaml file with nginx image and label env=prod:

kubectl run nginx --image=nginx --labels=env=pro --dry-run=client -o yaml > nginx_pod.yaml

Delete a pod nginx fast:

kubectl delete pod ngin --grace-period 0 --force

Generate Deployment yaml file:

kubectl create deploy --image=nginx nginx --dry-run=client -o yaml > nginx-deployment.yaml

Access a service test-service in a different namespace dev:

test-service.dev

Create a service for a pod valid-pod, which serves on port 444 with the name frontend:

kubectl expose pod valid-pod --port=444 --name=frontend

Recreate the contents of a yaml file:

kubectl replace --force -f nginx.yaml

Edit details of a deployment nginx:

kubectl edit deploy nginx

Set image of a deployment nginx:

kubectl set image deploy nginx nginx=nginx:1.18

Scale deployment nginx to 4 replicas and record the action:

kubectl scale deploy nginx --repliacs=4 --record

Get events in the current namespace:

kubectl get events

Scheduling

Get pods with their labels:

kubectl get pods --show-labels

Get the pods that are labeled env=dev:

kubectl get pods -l env=dev

Get taints of node node01:

kubectl describe node node01 | grep -i Taints:

Label node node01 with label size=small:

kubectl label nodes node01 size=small

Default static pods path:

/etc/kubernetes/manifests

Check pod nginx logs:

kubectl logs nginx

Check pod logs with multiple containers:

kubectl logs <pod_name> -c <container_name>

Monitoring

Check node resources usage:

kubectl top node

Check pod and their containers resource usage:

kubectl top pod --containers=true

Application Lifecycle Management

Check rollout status of deployment app:

kubectl rollout status deployment/app

Check rollout history of deployment app:

kubectl rollout history deployment/app

Undo rollout:

kubectl rollout undo deployment/app

Create configmap app-config with env=dev:

kubectl create configmap app-config --from-literal=env=dev

Create secret app-secret with pass=123:

kubectl create secret generic app-secret --from-literal=pass=123

Cluster Maintenance

Drain node node01 of all workloads:

kubectl drain node01

Make the node schedulable again:

kubectl uncordon node01

Upgrade cluster to 1.18 with kubeadm:

kubeadm upgrade plan
apt-get upgrade -y kubeadm=1.18.0–00
kubeadm upgrade apply v1.18.0
apt-get upgrade -y kubelet=1.18.0–00
systemctl restart kubelet

Backup etcd:

export ETCDCTL_API=3
etcdctl \
--endpoints=https://127.0.0.1:2379 \
--cacert=/etc/kubernetes/pki/etcd/ca.crt \
--cert=/etc/kubernetes/pki/etcd/server.crt \
--key=/etc/kubernetes/pki/etcd/server.key \
snapshot save /tmp/etcd-backup.db

Restore etcd:

ETCDCTL_API=3 etcdctl snapshot restore /tmp/etcd-backup.db --data-dir /var/lib/etcd-backup

After edit /etc/kubernetes/manifests/etcd.yaml and change /var/lib/etcd to /var/lib/etcd-backup.

Security

Create service account sa_1:

kubectl create serviceaccount sa_1

Check kube-apiserver certificate details:

openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout

Approve certificate singing request for user john:

kubectl certificate approve john

Check the current kubeconfig file:

kubectl config view

Check current context:

kubectl config current-context

Use context dev-user@dev:

kubectl config use-context prod-user@production

Validate if user john can create deployments:

kubectl auth can-i create deployments --as john

Create role dev to be able to create secrets:

kubectl create role dev --verb=create --resource=secret

Bind the role dev to user john:

kubectl create rolebinding dev-john --role dev --user john

Check namespaced resources:

kubectl api-resources --namespaced=true

Troubleshooting

View all the kube-system related pods:

kubectl get pods -n kube-system

Check if all nodes are in ready state:

kubectl get nodes

Check memory, cpu and disk usage on node:

df -h
top

Check status of kubelet service on node:

systemctl status kubelet

Check kubelet service logs:

sudo journalctl -u kubelet

View kubelet service details:

ps -aux | grep kubelet

Check cluster info:

kubectl cluster-info

Gather info

Find pod CIDR:

kubectl describe node | less -p PodCIDR

Get pods in all namespaces sorted by creation timestamp:

kubectl get pod -A --sort-by=.metadata.creationTimestamp

Find the service CIDR of node-master:

ssh node0master
cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep range

Find which CNI plugin is used on node-master:

ls /etc/cni/net.d/

Find events ordered by creation timestamp:

kubectl get events -A --sort-by=.metadata.creationTimestamp

Find internal IP of all nodes:

kubectl get nodes -o jsonpath=’{.items[*].status.addresses[?(@.type==”InternalIP”)].address}’
Exam Voucher (Kubernetes Related) – TCC Consulting Limited

Exam Voucher (Kubernetes Related)

b1 b1 b1