Awesome CKS – Tips and tricks

Preparing for a certification exam is always challenging. You have to gather the study material and the exercises and, above all, have a suitable environment to practice in.

The Kubernetes certifications give you a context that applies to real work, one that in most cases you will also face in your daily routine.

We can consider the Kubernetes certifications, CKA, CKAD, CKS, as very similar to each other on a practical level. You can apply the same study and practice method to all of them. The thing that changes is the content.

In this article, I want to share my study strategies, tips, and tricks to take the exam in a prepared and safe way. They are remote exams, consisting of hands-on questions. You may think a person who works daily in this kind of technology can pass exams in a very easy way. In reality, the real variable is time management.

Tips for studying:

Kode Cloud Course

The structure of the course, divided between theory and practical exercises, allows you to acquire the skills and apply them right away. It is also important because it gives direction to the contents and a guide to follow.
I did the theory exercises several times before moving on to the mock exams. Don't make the mistake of throwing yourself straight into mock exams, because not everything is covered with just those exercises.

Course link

Here there are more complex exercises than the real exam, and the mock exam user interface is very similar to the real exam. They were helpful in preparing for the exam mentally and becoming familiar with time management.

Information link

GitHub (Pay attention to the Kubernetes version!)

It goes without saying that GitHub is truly a resource pit. If you try typing CKS in the search bar, you will be spoiled for choice by how much material there is and how many people have been willing to take the time to help others. Let’s do it!

moabukar/CKS-Exercises-Certified-Kubernetes-Security-Specialist (7-mock-exam-questions, main branch): a set of curated exercises to help you prepare for the CKS exam.

Practical advice for the exam

Shortcut #1  

alias k=kubectl
alias keti='kubectl exec -it'

kubectl is the command you will almost always use; also try to remember the short names of Kubernetes objects, as in the following examples:

k get po
k get netpol
k get svc
keti <pod-name> -- bash # Open a shell inside the pod quickly

Shortcut #2

export DRY="--dry-run=client -o yaml"
export NOW="--force --grace-period=0"

Although you can copy YAML from the documentation, I recommend using these commands to create the working YAML file that you then edit:

k run nginx --image=nginx $DRY > nginx.yaml
k delete pod nginx $NOW

Learning Vim is a lifesaver
Read this simple article with all the basic commands; they are very useful, and not only for the exam. The exam will show you some really long YAML files, such as the API server or Falco ones. Being familiar with search and the basic commands in Vim keeps you from wasting precious time.

Imperative command
Knowing the YAML is important, but for the exam my advice is to use imperative commands as much as possible. I think they make the biggest difference in saving time. Use kubectl's built-in help a lot: it is packed with examples, and very often they cover what you are looking for.

For example:

k create role --help
Create a role with single rule.

  # Create a Role named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
  kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods

  # Create a Role named "pod-reader" with ResourceName specified
  kubectl create role pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod

  # Create a Role named "foo" with API Group specified
  kubectl create role foo --verb=get,list,watch --resource=rs.extensions

  # Create a Role named "foo" with SubResource specified
  kubectl create role foo --verb=get,list,watch --resource=pods,pods/status

Learn more about the tools

The exercises you find in the courses are more than enough. What I would like to share with you is a repo that you can use to get a clean cluster, one that does not come with gVisor, Falco, Trivy, kube-bench, and kubesec already installed.

GitHub - alessandrolomanto/k8s-vanilla-containerd: Can Kubernetes run without docker?

You can use this cluster to practice in this way:

1. Upgrade Kubernetes cluster
The version required for the exam: you can find the exam version HERE. You can find the official guide on how to update the cluster with kubeadm among the bookmarks.

2. Trivy
For example, create pods like the ones below:

k run nginx --image=nginx
k run nginx-alpine --image=nginx:alpine
k run nginx-1-19-1 --image=nginx:1.19.1
k run redis --image=redis

Identify and delete the pods which have CRITICAL vulnerabilities.

Trivy Installation
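
One way to script this exercise, as an added example that is not part of the original article: the functions below list each pod's images, scan them with Trivy for CRITICAL findings only, and delete the affected pods. The function names and the exit code 10 are choices made for this example; kubectl and trivy are assumed to be on PATH, and only regular containers (not init containers) are checked.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Assumes kubectl and trivy on PATH.

# Print one line per pod: "<pod-name> <image> [<image> ...]".
pod_images() {
  kubectl get pods -n "$1" -o \
    jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.containers[*].image}{"\n"}{end}'
}

# Succeed only when the image has at least one CRITICAL finding.
# A dedicated exit code (10, chosen here) keeps "findings" apart from
# scan errors such as a failed image pull, which return another status.
has_critical() {
  local rc=0
  trivy image --quiet --severity CRITICAL --exit-code 10 "$1" \
    >/dev/null 2>&1 </dev/null || rc=$?
  [ "$rc" -eq 10 ]
}

# Print the names of pods that run at least one image with CRITICAL findings.
critical_pods() {
  local pod images img
  pod_images "$1" | while read -r pod images; do
    for img in $images; do
      if has_critical "$img"; then
        echo "$pod"
        break   # one vulnerable image is enough to flag the pod
      fi
    done
  done
}

# Delete the flagged pods immediately, as the exercise asks.
delete_critical_pods() {
  local pod
  for pod in $(critical_pods "$1"); do
    kubectl delete pod "$pod" -n "$1" --force --grace-period=0
  done
}

# Usage: critical_pods default          (review the list first)
#        delete_critical_pods default
```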

3. Kube-bench
Read the kube-bench assessment report. Fix the tests that have FAIL status for all configurations.

Kube-bench Installation

4. Runtime Classes
Install and create a RuntimeClass with "gVisor" using the handler "runsc". Create a pod that uses the runtime class "gVisor".

gVisor Installation

5. Audit
Enable auditing in this Kubernetes cluster. Create an audit policy file that will log events of your cluster.

Auditing Docs
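
A starting point for this exercise, as an added example that is not part of the original article: one function writes a small audit policy and another prints the kube-apiserver flags that enable it. The function names, file paths, rule selection and retention values are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Paths and values are assumptions.

# Write an audit policy to the given path. Rules are evaluated in order
# and the first match decides the level for a request.
write_audit_policy() {
  cat > "$1" <<'EOF'
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - RequestReceived          # skip the duplicate "request arrived" event
rules:
  # Secrets and ConfigMaps: metadata only, so payloads never reach the log
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  # Full request and response bodies for changes to pods
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""
        resources: ["pods"]
  # Drop watch noise from kube-proxy
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
  # Everything else: who did what, without bodies
  - level: Metadata
EOF
}

# Print the flags to add under "command:" in the kube-apiserver static pod
# manifest (on kubeadm: /etc/kubernetes/manifests/kube-apiserver.yaml).
# Both paths also need a hostPath volume and volumeMount in that manifest,
# otherwise the API server container cannot see them.
audit_flags() {
  printf '%s\n' "- --audit-policy-file=$1" "- --audit-log-path=$2" \
    "- --audit-log-maxage=30" "- --audit-log-maxbackup=5" "- --audit-log-maxsize=100"
}

# Usage: write_audit_policy /etc/kubernetes/audit/policy.yaml
#        audit_flags /etc/kubernetes/audit/policy.yaml /var/log/kubernetes/audit.log
```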

6. Falco
Install Falco and generate events that can produce alerts.

Falco Installation
Falco Generate Fake Events

7. OPA
Install OPA. Make sure that it is not possible to deploy images from an untrusted registry or images with the latest tag.

Opa Gatekeeper Installation

General advice and problems I have addressed

Test your webcam and make sure your documents are clearly visible.

I bought a 1080p webcam, but it was a flop because the proctor could not read the identification document numbers; I had to switch to the laptop’s built-in one before moving on. Get a good webcam and, before the exam, check that the characters on your identification documents are visible and not blurry.

Create your browser favorites

During the exam you have an additional tab to view the official k8s documentation. I found it convenient as I followed the courses and mocks to save the pages and organize them so that I could consult them quickly.

I share mine, and I hope that with practice you can become skilled at searching for resources.

Attention! The exam rules can change at any time. Always check if the address is allowed before consulting it during the exam.

My last piece of advice: create your local cluster and practice, practice and practice!