CKS: Evolution 2021–2023

What changed between 10.2021 and 10.2023

Artem Lajko
5 min read · Nov 2, 2023

Note: This is not a guide on how to prepare for the CKS. In this blog, I am only going to share my experience regarding what changed from my point of view over the past 2 years, and how it impacted my approach to the exam itself.

Challenge successful!

Introduction

In this blog, I am going to share my personal insights on the changes I observed in the certification process between 2021 and 2023 🔄. I initially earned my CKS on 30.10.2021 (ID: LF-fgm53ab5sy) and attempted to renew it on 30.10.2023 (ID: LF-7ylw42e6m7) 📅.

I say “attempted” as I received a new ID along with an email which, if I understood correctly, mentioned that it might take up to 7 days to reflect the new expiration date against the old ID: LF-fgm53ab5sy 🔄.

For my renewal, I primarily relied on two sources. The first was kodekloud.com by Mumshad Mannambeth and the second was killer.sh by Kim Wüstkamp, the Linux Foundation exam simulator 🖥️. That's not entirely true; I also used the allowed resources such as kubernetes.io/docs 📚.

The Big Change

Two years have flown by since I secured my first CKS, and I was under the impression that a plethora of things might have changed. However, to my surprise, the alterations in the exam topics themselves were minimal.

The most significant and unexpected change was in the exam environment itself. During my exam on 30.10.2021, I had the convenience of using the Chrome Browser with a specific extension that proctored the entire exam procedure. One tab housed the exam simulation, and I was permitted to open another tab for accessing allowed resources like kubernetes.io/docs. This was indeed a boon as I had bookmarked everything I needed for various topics 📑.

Contrastingly, for my exam on 30.10.2023, I was required to download the PSI Secure Browser which initiated a Remote Session to Ubuntu VMs. Now, the playing field had changed — I was confined to using the session and the Firefox Browser within the VM, and that too with only one additional tab. My treasured bookmarks were no longer accessible 🚫. The onus was now on me to remember all crucial keywords to navigate to the right documentation page for the task at hand. Moreover, I had to zoom out on both the terminal and the Firefox browser to obtain a decent overview 🔍. This new setup inevitably came with a handicap — the familiar shortcuts and my OS no longer functioned as usual, extending the time needed to complete the tasks ⏳.

This is a substantial factor worth serious consideration. In my exam on 30.10.2021, I breezed through the tasks, needing only 100 of the 120 minutes to complete and review my solutions and make sure nothing was overlooked. The scenario on 30.10.2023 was starkly different: I would have needed more than the allotted 120 minutes (and you only get 120), despite the two exams being quite similar in difficulty. The altered environment undeniably added a layer of challenge, making time a scarcer commodity ⌛

The exam itself:

I had 16 tasks, weighted between 4% and 11% depending on the task.

The topics of my exam were (just a quick brain dump):

  • RBAC: a ServiceAccount has too many privileges, so reduce them. Create two new Roles and RoleBindings that allow the SA only to get pods and delete namespaces.
  • RuntimeClass: create a new RuntimeClass with runsc (gVisor) and use it.
  • NetworkPolicies-1: deny all incoming requests to the backend pod in the namespace XY.
  • NetworkPolicies-2: only specific pods in the same namespace (podSelector) can access the backend pod, and access is only allowed from a specific namespace (namespaceSelector).
  • Falco or Sysdig: a pod shows suspicious activity and executes commands that it should not. Analyze it and save the logs over 30 seconds in the format (time, container_id, user_name, cmd). You can use Falco or Sysdig.
  • Audit: audit policy rules (levels Metadata, RequestResponse, Request, etc.) and configuring the kube-apiserver to load the policy, write the logs and set maxbackup.
  • Kube-Bench: fix the FAIL checks (kubelet and etcd).
  • Best practices: check and change only two lines in a Dockerfile and a Deployment, following security best practices.
  • Immutable containers: check the Deployment and make sure the containers running inside are immutable (volumes: emptyDir; securityContext: runAsUser, readOnlyRootFilesystem, privileged, capabilities).
  • AppArmor: load a profile and use it.
  • Trivy: remove all pods whose images have vulnerabilities of severity CRITICAL or HIGH.
  • Secrets management: read, decode and save a secret. Create a new secret, create a new pod and mount it.
  • Dynamic Admission Control (webhook): fix admission-config.yaml, fix kubeconfig.yaml to point to the right server, enable the ImagePolicyWebhook admission plugin and load the config.
  • Restrict communication (API server): use the minimum TLS version VersionTLS12 and cipher-suites=…
  • Restrict communication from kubelet to API server: disable anonymous-auth, delete the ClusterRoleBinding system:anonymous, use Webhook as the auth mode, etc.
  • Pod Security Standards (PSS): enforce the baseline PSS on the namespace XY. Deploy pod.yaml and save the logs to xy.log.
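The two NetworkPolicy tasks from the list above are the ones where a small YAML mistake silently produces the wrong result, so here is a worked pair of manifests. This is an added example, not from the original post or the exam; the namespace `xy`, the labels `app=backend`, `role=frontend` and `team=trusted`, and port 8080 are all constructed for illustration.

```yaml
# Added example (not from the original post): the two NetworkPolicy tasks
# for an assumed namespace "xy" containing a Pod labelled app=backend.
# All names, labels and the port are constructed for illustration.
#
# Task 1: deny ALL ingress to the backend Pod. Listing "Ingress" under
# policyTypes while whitelisting nothing under "ingress" selects the Pod
# and allows no incoming connection at all; egress is left untouched.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-deny-all-ingress
  namespace: xy
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress: []
---
# Task 2: allow ingress to the backend Pod only from
#   (a) Pods labelled role=frontend in the SAME namespace, or
#   (b) any Pod in a namespace labelled team=trusted.
# NetworkPolicies are additive, so this policy punches holes in the
# deny-all above. The two entries under "from" are ORed because each has
# its own "-". Putting podSelector and namespaceSelector inside ONE entry
# ANDs them (frontend Pods that are also in a trusted namespace), which
# is the classic mistake under exam time pressure.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow-selected
  namespace: xy
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              role: frontend
        - namespaceSelector:
            matchLabels:
              team: trusted
      ports:
        - protocol: TCP
          port: 8080
```

Two checks worth doing after applying: `kubectl describe networkpolicy -n xy backend-allow-selected` prints the resolved "From" rules, which makes an accidental AND visible immediately, and the source namespace must really carry the `team=trusted` label (or use the automatic `kubernetes.io/metadata.name` label to select a namespace by name), otherwise rule (b) matches nothing and the backend stays unreachable from it.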

What really stood out as new compared to the exam from 10.2021?

  • The binary sysdig
  • Pod Security Standards (PSS)
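Since Pod Security Standards were new to me this time and the exam combined them with the immutable-container checks, here is an added example (not from the original post or the exam) of enforcing the baseline standard on a namespace together with a Pod that baseline admits and that is also immutable at runtime. The namespace `xy`, the Pod name, the busybox image and the mount paths are assumptions for illustration.

```yaml
# Added example (not from the original post): enforce the baseline Pod
# Security Standard on a namespace and run a Pod that passes it while also
# meeting the "immutable container" checks. Namespace, Pod name, image and
# paths are constructed for illustration.
#
# The built-in Pod Security Admission controller reads these labels:
#   enforce -> non-compliant Pods are rejected
#   warn    -> accepted, but the client gets a warning
#   audit   -> accepted, but an audit annotation is written
# Pinning a version (here "latest") makes the behaviour explicit when the
# cluster is upgraded. warn/audit at "restricted" shows what would break
# under the stricter profile without blocking anything.
apiVersion: v1
kind: Namespace
metadata:
  name: xy
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# Baseline rejects privileged containers, hostPID/hostIPC/hostNetwork,
# hostPath volumes and added capabilities. This Pod has none of those and
# additionally runs as a fixed non-root UID with a read-only root
# filesystem; the only writable path is an emptyDir, so nothing written
# at runtime survives a restart (the "immutable" property the task asks for).
apiVersion: v1
kind: Pod
metadata:
  name: immutable-demo
  namespace: xy
spec:
  containers:
    - name: app
      image: busybox:1.36        # constructed example image
      command: ["sh", "-c", "touch /tmp/ok && sleep 3600"]
      securityContext:
        runAsUser: 1000
        runAsNonRoot: true
        privileged: false
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}
```

A quick way to see what an enforce label would do before committing to it is a server-side dry run, `kubectl label --dry-run=server --overwrite ns xy pod-security.kubernetes.io/enforce=baseline`, which reports the existing Pods in the namespace that would violate the standard without changing anything.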

What was not part of my exam?

The following topics were not part of my exam, but they are still relevant!

  • Kubeadm update (but it was part of my exam from 30.10.2021)
  • sha512sum (but it was part of my exam from 30.10.2021)
  • OPA Gatekeeper Constraints (Image, Labels on NS, etc.)
  • Hardening Kubernetes-Dashboard
  • Secure Ingress (TLS) (but it was part of my exam from 30.10.2021)
  • Seccomp (but it was part of my exam from 30.10.2021)

Conclusion

Navigating the certification landscape post-2021 comes with its own set of challenges and nuances. It’s imperative to meticulously go through the Exam Technical Instructions to grasp what’s permissible within the virtual environment and what’s not. Embracing the LINUX keyboard shortcuts from the VM for basic operations like copy or paste is no longer an option but a necessity 🖥️.

Furthermore, familiarize yourself with the guidelines outlined in the Adjusting Font and Windows in the ExamUI section to adeptly zoom in or zoom out on the PSI Secure Browser Toolbar or on Firefox within the VM. Such knowledge is not just about enhancing visibility; it’s about economizing your time and reducing the stress that inherently accompanies the ticking exam clock ⏳.

The recent shift to the PSI Secure Browser and the Ubuntu VM environment significantly alters the exam-taking experience, making the pre-exam technical setup almost as crucial as the exam content itself. Every minute saved in fumbling around with the unfamiliar setup is a minute earned to meticulously solve the exam questions 🕰️.

If your work for clients already entails a similar setup, navigating through this altered exam landscape might feel like second nature. However, for those who are unacquainted, the preparation should extend beyond the exam syllabus to include a thorough understanding and practice of the new exam environment.

Contact Information

If you have questions, would like to have a friendly chat or just want to network so as not to miss any topics, then don't use the comment function on Medium; just feel free to add me to your LinkedIn network!
