
Quick walkthrough in CKAD, CKA and CKS

Ryan, Siu Long Wa
An idiot from Hong Kong.
・6 min read

Certified Kubernetes Application Developer and Certified Kubernetes Administrator are the two certifications most Kubernetes users take to showcase their understanding of the Kubernetes ecosystem.

Certified Kubernetes Security Specialist is the certification released last year to train candidates in Kubernetes system hardening and let them demonstrate it. It is definitely a new step for the community towards DevSecOps.

In the past few months, I have finished all the examinations. Here is my review and analysis of these examinations, for recruiters as well as examinees.

Certified Kubernetes Application Developer (CKAD)

Certified Kubernetes Application Developer was my first examination in the series. For the examination details, please refer to the official documentation from CNCF.

CKAD, as its name suggests, aims to train and examine basic Kubernetes operation. Examinees need to demonstrate their understanding of application deployment on Kubernetes.

Most of the questions in CKAD can be generalized into concepts or best practices of the Kubernetes ecosystem. Therefore, if you understand how to architect apps on Kubernetes, this exam will be easy for you.

Example - Sidecar pattern

If you need to deploy an application that writes its logs to a file instead of stdout, how can you stream those logs to stdout without changing the application's configuration? This requires the sidecar pattern in Kubernetes. Here is the example from the Kubernetes docs.

apiVersion: v1
kind: Pod
metadata:
  name: counter
spec:
  containers:
  - name: count
    image: busybox
    args:
    - /bin/sh
    - -c
    - >
      i=0;
      while true;
      do
        echo "$i: $(date)" >> /var/log/1.log;
        echo "$(date) INFO $i" >> /var/log/2.log;
        i=$((i+1));
        sleep 1;
      done      
    volumeMounts:
    - name: varlog
      mountPath: /var/log
  - name: count-log-1
    image: busybox
    args: [/bin/sh, -c, 'tail -n+1 -f /var/log/1.log']
    volumeMounts:
    - name: varlog
      mountPath: /var/log
  volumes:
  - name: varlog
    emptyDir: {}

From this example, a couple of concepts can be extracted.

The first concept, of course, is the sidecar pattern itself. It matters when software engineers architect their application on Kubernetes: using a sidecar is how they follow the best practice of one process per container.

The second concept is temporary storage. It is common to create an emptyDir volume within a pod to share files across its containers.

Example - Usage in the Deployment, DaemonSet and StatefulSet

CKAD examinees are generally required to demonstrate that they understand the differences between Deployment, DaemonSet and StatefulSet. Although all of them can deploy your applications, each serves a different purpose.

If you are asked to deploy Fluentd, a log aggregator, to stream all the logs to your own logging system, which type of controller will you use? You could simply inject a sidecar into each pod, but that is hard to manage. The better way is a DaemonSet: running one container on each node gives you cluster-wide log streaming in this case.

Who should take this examination?

CKAD is quite different from CKA and CKS. It tests users on the basic architecture and design patterns of Kubernetes. If you belong to one of the following groups of engineers, I suggest you give this certification a try.

  • Beginner in Kubernetes
  • Software engineers who use Kubernetes for your production environment
  • DevOps/Site Reliability Engineers
  • System Engineers
  • etc...

After the examination, you can expect to be able to architect and design your application on Kubernetes.

Certified Kubernetes Administrator (CKA)

If CKAD is the beginner level of the Kubernetes certification series, CKA is the next level. It covers parts of the CKAD knowledge, for example application development. At the same time, CKA examinees start to interact with the actual Kubernetes implementation.

You need to understand how Kubernetes is built behind the scenes. Unlike CKAD, you configure not only the high-level objects in Kubernetes, like Pod and Deployment, but also the key components of the cluster itself.

In the community, there are a couple of ways to bootstrap a cluster. The examination focuses only on the kubeadm method. Operations like node joining, upgrading, etc. will be asked. It is quite similar to a system administrator's work, but focused on maintaining Kubernetes.

Example - kubelet, kube-apiserver and etcd configuration

With kubeadm, you can easily configure the arguments passed to the kubelet, kube-apiserver and etcd. But unlike Kubernetes objects, you cannot configure these components directly with kubectl. You need to understand how kubeadm bootstraps a node: in general, kubeadm generates a set of configuration files under a particular path.

Example - CNI and CRI

Container Network Interface (CNI) and Container Runtime Interface (CRI) are two important interfaces in Kubernetes. They allow us to swap the implementation of container networking and the container runtime easily.

But you may ask why you would need to change them. Different CNI and CRI implementations provide different features. Depending on your business needs, you may need to choose the best CNI and CRI. Beyond choosing the right one, you need to understand how to configure them within the cluster.

Who should take this examination?

CKA starts to interact with the kubelet, kube-apiserver and etcd directly. You need to understand how Kubernetes works behind the scenes and how to maintain it. Here are the candidates who, in my mind, may benefit from passing the examination.

  • Advanced Kubernetes users, like operator maintainers
  • DevOps/Site Reliability Engineers
  • System Engineers
  • Security Engineers

For advanced users who want to interact with the kube-apiserver and etcd to develop their own controllers or operators, the knowledge from CKA is quite helpful.

For the last group, it is important for security engineers to understand how Kubernetes is bootstrapped. Kubernetes has become more and more prevalent in recent years. When you work for a company that orchestrates with Kubernetes, you definitely need to explore it at the system level instead of simply the usage level.

Certified Kubernetes Security Specialist (CKS)

CKS is the last certification. You need to pass CKA before you can be certified. Therefore, you can expect the difficulty of CKS to be no lower than CKA.

CKS examines candidates on more advanced usage. In CKAD and CKA, you focus only on the built-in Kubernetes APIs; you can open the API cookbook on kubernetes.io to finish most of the tasks in the examination. But for CKS, you start to integrate your cluster and applications with community-driven tools.

Example - Annotation-based API

The most important part here is how Kubernetes features are extended with annotations. Security is simply the smokescreen. In the Kubernetes ecosystem, if a feature does not come with an official API, it is pretty common for its API to be placed in annotations.

For example, one important third-party application in the Kubernetes ecosystem is cert-manager. When you configure an Ingress with cert-manager, you can add an annotation like the one in the following example from the official docs to tell cert-manager to generate a TLS certificate for you.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # add an annotation indicating the issuer to use.
    cert-manager.io/cluster-issuer: nameOfClusterIssuer
  name: myIngress
  namespace: myIngress
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: myservice
            port:
              number: 80
  tls: # < placing a host in the TLS config will indicate a certificate should be created
  - hosts:
    - example.com
    secretName: myingress-cert # < cert-manager will store the created certificate in this secret.

Example - API server and Kubelet Hardening

In CKA, you only need to configure the API server and kubelet for basic functionality. Whatever configuration you end up with for the API server and kubelet is more than enough for that evaluation.

In CKS, you need to configure the cluster according to best practices. Kubernetes is designed to fit a lot of different situations, so some settings add attack surface if you enable them. If you put Kubernetes into production, you need to fine-tune your configuration to keep the cluster from being compromised.
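To make the hardening point concrete, here is an added example (not from the original post) that audits the settings kubeadm writes for the API server and kubelet. It assumes kubeadm's default locations, /etc/kubernetes/manifests/kube-apiserver.yaml for the API server static pod and /var/lib/kubelet/config.yaml for the kubelet, and takes their contents already loaded into Python; the sample inputs are constructed.

```python
"""Audit kubeadm-written kube-apiserver flags and kubelet config for weak settings.
Added example; the inputs are constructed stand-ins for the `command` list in
/etc/kubernetes/manifests/kube-apiserver.yaml and the KubeletConfiguration dict
loaded from /var/lib/kubelet/config.yaml."""

def parse_flags(command):
    """["kube-apiserver", "--a=b", "--c"] -> {"a": "b", "c": ""}."""
    flags = {}
    for arg in command[1:]:
        if arg.startswith("--"):
            name, _, value = arg[2:].partition("=")
            flags[name] = value
    return flags

def audit_apiserver(command):
    """Findings for the API server command line; fallbacks mirror kube-apiserver defaults."""
    f = parse_flags(command)
    findings = []
    if f.get("anonymous-auth", "true") != "false":
        findings.append("anonymous-auth: unauthenticated requests reach the API server")
    if "AlwaysAllow" in f.get("authorization-mode", "AlwaysAllow").split(","):
        findings.append("authorization-mode: AlwaysAllow bypasses RBAC")
    if "NodeRestriction" not in f.get("enable-admission-plugins", "").split(","):
        findings.append("enable-admission-plugins: NodeRestriction missing")
    if not f.get("audit-log-path"):
        findings.append("audit-log-path: API requests are not audited")
    return findings

def audit_kubelet(cfg):
    """Findings for a KubeletConfiguration dict; fallbacks mirror the documented defaults."""
    findings = []
    if cfg.get("authentication", {}).get("anonymous", {}).get("enabled", True):
        findings.append("authentication.anonymous.enabled: anonymous kubelet API access")
    if cfg.get("authorization", {}).get("mode", "AlwaysAllow") != "Webhook":
        findings.append("authorization.mode: kubelet does not delegate authorization to the API server")
    if cfg.get("readOnlyPort", 0):
        findings.append("readOnlyPort: unauthenticated read-only kubelet port exposed")
    return findings

# Constructed samples: a permissive configuration next to its hardened counterpart.
WEAK_APISERVER = ["kube-apiserver", "--authorization-mode=AlwaysAllow",
                  "--enable-admission-plugins=NamespaceLifecycle"]
HARDENED_APISERVER = ["kube-apiserver", "--anonymous-auth=false",
                      "--authorization-mode=Node,RBAC",
                      "--enable-admission-plugins=NodeRestriction",
                      "--audit-log-path=/var/log/kubernetes/audit.log"]
WEAK_KUBELET = {"readOnlyPort": 10255}
HARDENED_KUBELET = {"authentication": {"anonymous": {"enabled": False}},
                    "authorization": {"mode": "Webhook"}, "readOnlyPort": 0}
```

Calling audit_apiserver(WEAK_APISERVER) returns four findings and audit_kubelet(WEAK_KUBELET) three, while both hardened samples return an empty list.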

Who should take this examination?

CKS is the latest certification released by CNCF. It brings the Kubernetes certification series closer to the production level. With CKAD and CKA, you can assume the certified person can use Kubernetes, but that alone is not the best for production usage.

In production, you definitely need to consider security no matter which industry you are in. CKS provides a way to teach candidates how to harden a Kubernetes system. Here are the groups I recommend take it.

  • DevOps/Site Reliability Engineers
  • System Engineers
  • Security Engineers

A side note - please be reminded that security is not just the responsibility of security engineers.

Conclusion

To be honest, as a Kubernetes engineer, I think CNCF has tried their best in designing these three certifications. Unlike other certifications, you need to perform hands-on operations during the examination.

One more suggestion from me: you need to be super, super comfortable living in the shell. If you have used the dashboard or a UI for your Kubernetes journey so far, it is time to change your habits!

Disclaimer

I have tried my best not to disclose any examination questions in this post. Please leave a comment or email me at findme@ryansiulw.com if there is any improper content. I will remove that part or simply delete this post.
