The CKA for security engineers

One week ago, I passed the exam for the Certified Kubernetes Administrator (CKA) certification. My eventual goal is the Certified Kubernetes Security Specialist (CKS), for which the CKA is a prerequisite. There are many descriptions of the CKA exam process on the internet, but not that many from a security engineering perspective, so I thought it might be useful to discuss how I found the course, the preparation I did, and my experience of the exam.

To begin, some background on me. I have been working in what would traditionally be called the ‘security industry’ for maybe 5 years now, although my prior experience as a developer was also security-related. I touched Kubernetes for the first time roughly three years ago, and I’m lucky enough that in my current job I work with Kubernetes daily. This involves both deploying and maintaining applications in Kubernetes clusters, as well as securing and monitoring the same clusters. As a result, I was interested in the CKA from two perspectives:

  1. Improving my understanding of what a Kubernetes cluster actually consists of, from the perspective of an end-user who might need to debug broken resources (although hopefully not a broken cluster itself).
  2. Improving my understanding of the security architecture of Kubernetes, in particular building a complete understanding of Kubernetes-native security features.

Preparation

My employer purchased a CKA + CKS exam bundle that included Linux Foundation courses on both certifications. I didn’t start there, however. Based on the strong recommendations of some colleagues and several blog posts, I instead began by running through Kelsey Hightower’s Kubernetes The Hard Way, which walks you through manually bootstrapping a Kubernetes cluster. While this was vaguely interesting, I don’t think it alone was as useful a learning experience as some blog posts suggest. The actual steps in the exercise are presented without much context, and I expect that if you did the exercise using GCP (the default instructions are for GCP), you could finish the entire thing by simply copy-pasting, without learning much at all. To make the most of it, I would suggest not using GCP, which would force you to think about how any particular instruction would translate to the infrastructure you are working on, removing the temptation to blindly copy commands. I would also suggest spending time reading in detail about each new component you encounter.

Once I had my Kubernetes cluster, I tore it down and started going through the Linux Foundation material. I found the written material on their CKA course to be OK, although I occasionally saw hints in the material that the author was less certain about Kubernetes commands than me (unnecessary flags/instructions). Overall, it was a decent guide to what the curriculum was, but not a brilliant learning resource. The most useful part of the course was the hands-on questions that are included; I worked through all of them, and they were decent practice for the actual exam. I wouldn’t necessarily pay for the course, but if, like me, you have got the course as part of a bundle on offer, it is maybe worth going through the exercises alone.

One course that came up in nearly every blog post I read was Mumshad Mannambeth’s CKA course on Udemy. The consistency with which it was recommended was intriguing enough that I felt obliged to give it a go next, although I didn’t bother with the course material, having just gone through the Linux Foundation material. Instead, I worked through the included lab exercises. These were a really nice interactive way to work through sets of questions on different Kubernetes domains, with the difficulty building until you reach two mock exams. I see why it is recommended so highly, although in general I found the difficulty of all the questions to be marginally lower than what I encountered in the actual exam. The course is often on offer, so can be picked up for far less than I think it’s worth.

Finally, based on some more blog post recommendations, I worked through killer.sh. killer.sh is pretty intense - for the CKA, you get access to 25 questions, all of which are at the higher end of the difficulty scale. It has the feel of a product in beta: the ‘exam’ mode simply offers you all 25 questions with a 2-hour clock, while the real exam only makes you do 15-20 questions of lower difficulty in the same time. The automated marking is also kind of rudimentary at the moment. I suspect all of this will improve over time, and I thought the overall difficulty level was great practice for the actual exam. Even if you start a set of questions in ‘exam mode’, once the two hour clock runs out you get the environment for 34 hours more, so it’s possible to work through all the questions you haven’t managed to finish in your own time. It is 30 EUR for two simulator sessions, so pretty expensive compared to Mumshad’s course. Overall, however, I think it’s better practice once you’re familiar with the basics.

If I had to do it again, I would skip Kubernetes The Hard Way and the Linux Foundation course. I don’t feel as if either of these were as effective a learning experience as killer.sh or Mumshad’s Udemy course, and I think that because I started with the wrong two options, I spent much longer preparing for the exam than I really needed to.

Exam

The exam itself was alright, relatively relaxing compared to the difficulty of killer.sh. I found the wording of a couple of questions slightly vague, but nothing that was a significant issue. The only point worth noting is that it took roughly 15 minutes at the start of the exam for the proctor to verify over webcam that I wasn’t trying to cheat, which was longer than I was expecting. My results were emailed to me roughly 22h after my exam finished, within the 24h that Linux Foundation promises.

Overall opinions

In terms of my two initial goals, I do have a much better understanding of Kubernetes concepts in some areas, in particular those areas which you might never touch as a user of a Kubernetes cluster (Endpoints, Static Pods, etc.). While this might sound somewhat futile, it’s important to understand how all the different pieces of a cluster fit together in order to secure it, so I’m glad that I have a more complete grasp of concepts here.

Aside from the tangential benefits that come from understanding the system better, there was not much security-related material in the CKA. This is not a surprise, but just a note for anyone looking to do the CKS - it’s best to look at the CKA entirely as a preparatory step for the CKS.

There are also some things which are expected knowledge for the certification that I will never have to touch again, such as hands-on work with backing up and restoring etcd clusters, or upgrading a cluster using kubeadm. Learning how to do such work at speed seemed slightly futile in terms of anything I would ever be expected to do as a security specialist.

By its nature as a timed exam, the certification also ends up forcing you to spend time learning imperative CLI commands that you would be unlikely to ever use in the real world. As a security engineer, if I were ever invoking kubectl on a production cluster with the wild abandon that the CKA encourages, something would be very wrong. I’m not sure how easy this problem is to solve, but it’s another area where I felt like I was learning something just for certification.

In addition, with industry trends moving towards tools like DigitalOcean’s managed Kubernetes and GKE Autopilot, I’m also unsure about the long-term relevance of the ‘Cluster Maintenance’ section of the CKA in general. All the companies I know who are running their own Kubernetes clusters are moving over to EKS/GKE/etc. Setting aside my focus on security, is there anyone who’s going to be backing up an etcd database manually in 5 years’ time?

Overall, however, I am glad I did the CKA. It has confirmed that I have a good understanding of concepts in some areas, and reinforced my understanding of concepts in others. I’ve been ambivalent about certifications, but I do like how it made me sit down and go through all the Kubernetes fundamentals in a structured manner, something that I doubt I would have bothered doing on my own time. The lab-based exam also means you’re being tested on your ability to do things rather than your theoretical knowledge, which is much more meaningful, regardless of its imperfections. Onwards to the CKS I guess!

*****
Written by Feroz Salam on 08 May 2021