My Journey towards Certified Kubernetes Security Specialist (CKS)

Background

Quoting verbatim from the Linux Foundation website, “The Certified Kubernetes Security Specialist (CKS) program assures that one learns the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment, and runtime. CKA certification is required to sit for this exam.”

Why get certified?

Sure we get what it is, but why the heck would you like to be certified?

Kubernetes(K8s) as technology is relatively new, so are the security paradigms around it. K8s is catching steam and is being widely adopted; knowing how to secure K8 applications, their deployment, etc., would be a key thing to address as the technology scales.

One way to learn is maybe by going through the documentation, which might work out well, but for me personally, it is not just time-consuming but also not very structured. The CKS certification helps us learn these technologies but helps us apply the same in practical scenarios, which was the key thing that drove me to try it out. Plus, of course, the certification is well recognized, so that's an added advantage.

Cool, I am interested. How to get started?

A common question for a lot of folks would be, how should I get started. There are tons of resources that can overwhelm one and cause confusion. Choosing the right resource is the key to optimizing the studying process. Below are a few things IMHO one should do

The first thing would be to go over the pre-requisites. The CKA exam must be passed before one can attempt CKS.

The second thing I usually like is to go over the syllabus from the certifying body, like here. It covers a lot of details and provides a nice framework for things to study around.

The third thing is to start with a course which one can finish quickly and be easy to follow. Something like this might be a good one to start with. Make sure first time around you go with understanding all the details in depth, but quickly too. I personally went with an in-person course as learning in a group can be fun. Make sure to take notes. I personally prefer to take notes in an excel sheet with each tab for a different topic.

Something which might be complimentary is having a K8s cluster to practice on. I find this very handy to understand concepts and try out a few things quickly.

What are some of the available courses?

  1. For an in-person course would recommend this
  2. kodekloud cks course
  3. CKS course from Kim
  4. CKS course from Zeal
  5. Book from Saiyam

Strategizing studying?

It’s important to note that not all topics have the same weight. Some of the topics are already covered in CKA (like RBAC, Network Policies, etc.). So it might be good to pick the topics which have more weightage and newer ones to focus on. Three topics carry 20% each as per this i.e.

  1. Minimize Microservice Vulnerabilities — 20%
  2. Supply Chain Security — 20%
  3. Monitoring, Logging, and Runtime Security — 20%

Solve exercises for each topic from kodekloud cks course or any course you choose. The goal here should be understanding & not racing to solutions; it’s okay to fail as it will help one understand things better. Take good notes.

I usually like to take one set of detailed notes and one set of short notes focussing on the exams. This way, it’s easier to revise a day before the exam without getting lost in the details.

When and how to book for exams?

I would pick a date asap because you can reschedule the exams 24 hours before the date if you feel you are not ready. Picking a date will help bring a completion plan into action.

Watch out for discounts on the course; currently, there is a Black-Friday deal going on, but in general, there are a lot of discounts all around the year.

This page has all details on registering for the exam(it’s supported in different languages too).

Also, the exam voucher expires one year after the purchase.

Exam tips?

This is one exam where having tricks which can save time can be super useful, as time is pretty essential. You have 2 hours and around 15–18 questions to solve. It’s an open book exam where you are allowed to use some documents. Exam timings are available round the clock and seven days a week, which I felt was super comfortable (as I have two kids, and early mornings work best for me).

The exam handbook has all details on all allowed links for the exam, be very careful not to use links that are not allowed as they can disqualify you.

Please note all questions are practical in nature(not multiple choice). Here are a few tips I found to be super useful

  1. Setting your vim environment is important in being quick. I personally like to use the below in ~/.vimrc and run source ~/.vimrc. The option of cuc is extremely helpful as it can help quickly fix errors in YAML files related to alignments.

I personally like to use only one alias i.e. alias k=kubectl and auto-complete, but use what works best for you. Kubernetes cheat sheet has most of the details.

This blog is a hidden gem; it helped me save a lot of time during the exam.

2. Mark the questions that take a lot of time(you can mark in the exam) and return to them later. This is extremely important to complete the exam.

3. I searched for more weightage in the exam and solved them first to help secure the minimum required marks. Some questions might even have 12–15% of marks allocated.

4. If you don’t know the answer to a question, move on and come back to it later. Don’t let your ego come in between ;)

5. Use bookmarks; they will help navigate the document links easily. Search online; there are tons available; make sure to use them even when you practice; this way, you are super familiar. These are the ones I used.

6. There is a Notepad available to take notes; I personally felt it was a waste of time and could have done better without the Notepad(as opening and closing it takes some time)

7. On Network Policies, make sure you are super thorough. There are multiple corner cases here; make sure you understand all those.

8. RBAC policies are critical; make sure you can create roles, bindings, etc., all from the command line(imperative way); this will save a lot of time. Also, spend a lot of time validating the RBACs; there are some corner cases with namespaces that can get tricky. Make sure you understand how to validate these with kubectl auth can-i --as <user/service-account>

9. Make sure you practice using all tools(Apparmor, seccomp, etc.) for pods and other K8s objects like deployments.

10. Make sure you enable the required plugins(PodSecurityPolicy, ImagePolicyWebhook, AdmissionWebhook etc.) in kube-api-server else all the effort of configuring policies would be useless.

11. Validation is key, so make sure you can quickly validate your answers.

12. Make sure you use the right context(the command will be given in the exam). Also, if you ssh into the controller or worker nodes, make sure you return to the base node(where you started at)

13. Make sure you read the question carefully and see whether it’s asking you to perform the operations on the controller or worker nodes.

14. Configuring Audit, ImagePolicyWebHook or PodSecurityPolicy, or any of the complicated configurations can mess up but don’t panic; you can always find the logs in /var/log/pods on the controller node and quickly fix things

15. Practicing for exams with killer.sh was super helpful, though the questions are tougher than the actual exam.

16. Found notes from the book from Saiyam, super useful for exams, specifically for revising things quickly.

17. Found this exam series extremely useful.

18. Understand secrets in depth, how they can be stored both as volume and environment variables.

Concluding thoughts

Overall I found the course and exam super useful and practical. I would say among the trio of CKA, CKAD, and CKS, I enjoyed more CKS. Also, it builds on CKA(not throwing everything on you).

I would highly recommend this if security for K8s interests you. Good luck and till next time, ciao 🎉

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Sandeep Baldawa

Sandeep Baldawa

whoami >> Slack, Prev — Springpath (Acquired by Cisco), VMware, Backend Engineer, Build & Release, Infra, Devops & Cybersecurity Enthusiast