Certified Kubernetes Security Specialist (CKS) Exam: Free study resources and tips
Piotr Stróż
A few weeks ago, I checked my CKS exam results and saw that I passed. I realised I could have prepared for the exam more quickly if I had known about the resources and tips I discovered along the way, so I’ve decided to share them with you.
Essential Resources and Practice Platforms
These are the key platforms where you can practice for the exam using real-life scenarios. I've also looked through Udemy courses and acloudguru tutorials, and I can say with confidence that those three free resources are all you need to prepare.
- Killercoda: Think of this as your training ground, where you can safely experiment with Kubernetes without the pressure of the exam clock ticking away. They have the full scope of the tasks that will be present on the exam; highly, highly recommended. (Yes, you have to solve them all in order to pass CKS, no exceptions.)
- Killer.sh: This is where the real test begins. When you register for the CKS exam, you get two free practice attempts on Killer.sh, and you'd be wise to use them. The scenarios here are tougher than the actual exam, but that's exactly what makes them so valuable. It's like running with ankle weights so that when the day of the exam comes, you can sprint with ease.
- 11-Hour Kubernetes Security Marathon by KillerShell: Still, don't skip the theory! While the CKS exam is all about practical skills, the theory is your foundation. If you're looking for a comprehensive resource that's as engaging as it is informative, check out this 11-hour course by KillerShell on YouTube. It's packed with everything you need to know and will keep you entertained as you absorb all the necessary concepts. Yes, it's a marathon, but if I can survive it, so can you!
General Tips: The Battle is 100% Practical
Let me start by saying that the CKS exam is not your typical multiple-choice exam. If you're looking for an easy way out, you won't find it. This exam is all about getting your hands dirty in live Kubernetes clusters, dealing with real-world tasks that a Platform Engineer faces every day.
Key Advice: Practice, practice, and then practice some more. The command line must become your best friend, and muscle memory will be your secret weapon. The more you get used to the tools and environments, the more you'll feel like you're speed-running a video game, where every second counts and precision is key.
Leverage `kubectl` for Fast Resource Creation
I recommend mastering the use of kubectl commands to generate YAML files on the fly, instead of reading through the documentation to find the manifests.
Here are 10 kubectl commands that I found essential:
```bash
# --dry-run=client prints the manifest without creating anything on the cluster;
# redirect the output to a file (> file.yaml), edit it, then kubectl apply -f it.

# 1. Create a Service Account
kubectl create serviceaccount my-serviceaccount --dry-run=client -o yaml
# 2. Create a Role with specific permissions on pods
kubectl create role my-role --verb=get,list,watch --resource=pods --dry-run=client -o yaml
# 3. Create a RoleBinding to bind the Role to the ServiceAccount in the default namespace
kubectl create rolebinding my-rolebinding --role=my-role --serviceaccount=default:my-serviceaccount --dry-run=client -o yaml
# 4. Create a ClusterRole with permissions on nodes
kubectl create clusterrole my-clusterrole --verb=get,list,watch --resource=nodes --dry-run=client -o yaml
# 5. Create a ClusterRoleBinding to bind the ClusterRole to the ServiceAccount across all namespaces
kubectl create clusterrolebinding my-clusterrolebinding --clusterrole=my-clusterrole --serviceaccount=default:my-serviceaccount --dry-run=client -o yaml
# 6. Create a Pod using the nginx image with restartPolicy: Never
kubectl run my-pod --image=nginx --restart=Never --dry-run=client -o yaml
# 7. Create a Deployment using the nginx image
kubectl create deployment my-deployment --image=nginx --dry-run=client -o yaml
# 8. Create a Secret from a literal key-value pair
kubectl create secret generic my-secret --from-literal=key1=value1 --dry-run=client -o yaml
# 9. Create a TLS Secret from certificate and key files
kubectl create secret tls my-tls-secret --cert=path/to/tls.crt --key=path/to/tls.key --dry-run=client -o yaml
# 10. Create a Secret from a file
kubectl create secret generic my-secret-from-file --from-file=path/to/secret.txt --dry-run=client -o yaml
```
Use yq for YAML Processing
During the exam, you'll often need to manipulate YAML files. That's where yq comes in—a tool that's nothing short of magical when it comes to handling YAML directly from the command line.
Example: Finding Pods with a Specific Container Name
Here’s a little trick that saved me a ton of time:
```bash
kubectl get pods -o yaml | yq '.items[] | select(.spec.containers[].name == "nginx") | .metadata.name'
```
This command selects the pods that contain a container named nginx and returns their names. This command is actually a solution to one of the tasks in the CKS.
Get Comfortable with securityContext
Understanding the securityContext in Kubernetes is crucial for success in the CKS exam. This key component allows you to define security settings for your pods and containers, such as user IDs, group IDs, and privilege levels.
- https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#securitycontext-v1-core
- https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
It will pop up very often; a classic question is to delete insecure pods. If you see:
```yaml
securityContext:
  privileged: true
```
You know that is the one you should delete.
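To find every such pod rather than reading manifests one by one, the following added example (not part of the original post) scans the JSON from `kubectl get pods -A -o json` for `privileged: true`. It goes beyond the snippet above by also checking `initContainers` and `ephemeralContainers`, which a filter on `.spec.containers` alone would miss; the pod data is a constructed sample and the function name is an assumption of this example.

```python
import json
import sys

# Constructed sample of `kubectl get pods -A -o json` output (not real cluster data).
SAMPLE = json.dumps({
    "items": [
        {"metadata": {"namespace": "default", "name": "web"},
         "spec": {"containers": [{"name": "nginx", "image": "nginx"}]}},
        {"metadata": {"namespace": "default", "name": "debug"},
         "spec": {"containers": [{"name": "shell", "image": "busybox",
                                  "securityContext": {"privileged": True}}]}},
        {"metadata": {"namespace": "team-a", "name": "init-priv"},
         "spec": {"initContainers": [{"name": "setup", "image": "busybox",
                                      "securityContext": {"privileged": True}}],
                  "containers": [{"name": "app", "image": "nginx",
                                  "securityContext": {"privileged": False}}]}},
    ]
})

# `privileged` is a container-level setting, so every container list is checked.
CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")


def privileged_containers(pod_list_json):
    """Return sorted (namespace, pod, container) tuples that set privileged: true."""
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        for field in CONTAINER_FIELDS:
            for container in spec.get(field) or []:
                ctx = container.get("securityContext") or {}
                if ctx.get("privileged") is True:
                    findings.append((meta.get("namespace", "default"),
                                     meta.get("name"), container.get("name")))
    return sorted(findings)


if __name__ == "__main__":
    # Read a piped pod list if there is one, otherwise fall back to the sample.
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    for ns, pod, name in privileged_containers(piped if piped.strip() else SAMPLE):
        print(f"{ns}/{pod}: container {name} is privileged")
```

Saved under any file name, it can be fed live data by piping `kubectl get pods -A -o json` into it.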
Final Recommendation
How would I structure my learning for CKS the second time? I would:
1. Watch the 11-Hour Kubernetes Security Marathon by KillerShell.
2. After finishing it, I would go through all exercises on Killercoda.
   - At least twice: the first time to familiarize myself with them, and the second time to make sure I'm efficient in solving them.
3. At the end, I would take 2 practice exams on Killer.sh within a week's span.
   - The first attempt, to see the questions, benchmark myself, and get depressed that I wasn't fast enough.
   - The second attempt, the real one, after a week of studying the answers and explanations of how to solve the tasks.
P.S.: Pay extra attention to memorizing the kubectl create and kubectl run commands, basic yq YAML manipulations, and details related to securityContext!
## Good Luck!