CKS Exam Tips
These are some tips that can help a lot during the exam.
Completion
If command auto-completion is not working, it's worth setting it up.
sudo apt-get install bash-completion # This is already installed, but if you're setting up a study environment you'll need it.
source <(kubectl completion bash) # set up autocomplete in bash in the current shell, bash-completion package must be installed first.
echo "source <(kubectl completion bash)" >> ~/.bashrc # to add autocomplete permanently to your bash shell.
echo "source <(kubectl completion zsh)" >> ~/.zshrc # to add autocomplete permanently to your zsh shell.
echo "source <(etcdctl completion bash)" >> ~/.bashrc # to add autocomplete permanently to your bash shell.
echo "source <(etcdctl completion zsh)" >> ~/.zshrc # to add autocomplete permanently to your zsh shell.
Inside the nodes you can also use the commands below, as these completions don't come pre-configured.
source <(crictl completion bash)
source <(kube-bench completion bash)
CKA Exercises
It's a prerequisite, but to get more familiar and faster with kubectl commands you may have forgotten, it's worth redoing the CKA exercises. Use Killercoda CKA.
CKS Exercises
It's a prerequisite, but to get more familiar and faster with kubectl commands you may have forgotten, it's worth redoing the CKA exercises. Use Killercoda CKS.
Knowledge
- Read the Sysdig Kubernetes Security Guide.
- Another good read is the Kubernetes Security book by Liz Rice.
- Check out the Cloud Native Security Whitepaper.
- Also check out the walidshaari repository
Aliases
These aliases come pre-configured, but it's good to know them.
echo "alias k=kubectl" >> ~/.bashrc
echo "alias k=kubectl" >> ~/.zshrc
Exports
We can export some values that help save time.
echo "export dr='--dry-run=client -o yaml'" >> ~/.bashrc
echo "export dr='--dry-run=client -o yaml'" >> ~/.zshrc
echo "export now='--grace-period=0 --force'" >> ~/.bashrc
echo "export now='--grace-period=0 --force'" >> ~/.zshrc
For example, the command kubectl run mypod --image nginx --dry-run=client -o yaml becomes kubectl run mypod --image nginx $dr and can be further reduced with k run mypod --image nginx $dr.
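The `echo ... >>` lines above append a duplicate each time they are re-run. The following is an added example, not part of the original page, that writes the same completion, alias and export lines only when they are missing; the function names `add_once` and `setup_rc` are hypothetical, and the `complete` line for the `k` alias comes from the kubectl documentation rather than from this page.

```bash
# add_once FILE LINE: append LINE to FILE only if that exact line is absent.
add_once() {
  touch "$1"
  grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# setup_rc FILE SHELL: write the page's completion, alias and exports.
# SHELL is "bash" or "zsh" and selects the matching completion script.
setup_rc() {
  case $2 in
    bash|zsh) ;;
    *) echo "unsupported shell: $2" >&2; return 1 ;;
  esac
  add_once "$1" "source <(kubectl completion $2)"
  add_once "$1" "alias k=kubectl"
  # bash only: make tab completion work for the k alias as well
  if [ "$2" = bash ]; then
    add_once "$1" "complete -o default -F __start_kubectl k"
  fi
  add_once "$1" "export dr='--dry-run=client -o yaml'"
  add_once "$1" "export now='--grace-period=0 --force'"
}

# Typical use (commented out so sourcing this file changes nothing):
#   setup_rc ~/.bashrc bash && source ~/.bashrc
#
# zsh does not word-split unquoted variables by default, so in zsh
# write ${=dr} instead of $dr:
#   k run mypod --image nginx ${=dr}
```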
Use Resource Name Abbreviations
k get ns = kubectl get namespaces
k get sa = kubectl get serviceaccounts
k get svc = kubectl get services
k get pv,pvc = kubectl get persistentvolumes,persistentvolumeclaims
What to Do When Starting the Exam?
Open Firefox and go to https://kubernetes.io/docs/home/. Bookmark it so you don't have to type it again.
Open the terminal and type all the commands above to ensure that if you close the terminal again, it comes back with everything you need already configured.
Keep more than one terminal tab open. In the second tab, use it for ssh commands that you'll probably have during the exam.
The answers to questions 1, 2, 3... are in /opt/course/1, /opt/course/2, /opt/course/3...
So start by putting the terminal in the right place before even reading the question.
cd /opt/course/1/
Avoid Silly Mistakes
- In the header of all questions, there will be a command to switch to the correct cluster. Even if it's the same as the previous cluster, copy, paste, and execute to ensure
- Whenever a resource name is given, be it namespace, pod, deploy, image, commands, or anything else that can be copied and pasted, do the copy/paste to avoid typos
- Always observe the namespace being requested. In each command think, is it in the correct namespace? Another way is to always switch to the specific namespace for the question using
  kubectl config set-context --current --namespace NAMESPACE-NAME
- Check the results of what you applied to the cluster before moving to another question
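One way to turn the context and namespace checks above into a guard that runs before anything is applied. This is an added example, not from the original page; the function names `precheck` and `kapply` are hypothetical, and the namespace lookup uses `kubectl config view --minify` with a jsonpath expression.

```bash
# precheck EXPECTED_CONTEXT [EXPECTED_NAMESPACE]
# Returns 0 only when kubectl currently points at both.
# Returns 1 on a mismatch and 2 if kubectl itself fails.
precheck() {
  want_ctx=$1
  want_ns=${2:-default}
  have_ctx=$(kubectl config current-context) || return 2
  have_ns=$(kubectl config view --minify -o jsonpath='{..namespace}') || return 2
  # A context with no namespace set falls back to "default".
  have_ns=${have_ns:-default}
  rc=0
  if [ "$have_ctx" != "$want_ctx" ]; then
    echo "context is '$have_ctx', question asks for '$want_ctx'" >&2
    rc=1
  fi
  if [ "$have_ns" != "$want_ns" ]; then
    echo "namespace is '$have_ns', question asks for '$want_ns'" >&2
    rc=1
  fi
  return $rc
}

# kapply CONTEXT NAMESPACE FILE
# Applies FILE only if the context and namespace check passes.
kapply() {
  precheck "$1" "$2" && kubectl apply -n "$2" -f "$3"
}
```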
Monitor Time
If the exam has between 15 and 20 questions in 120 minutes, the average time per question is between 6 and 9 minutes. Try to study keeping track of this average time per question.
In low-weight questions, you should be able to save time for higher-weight questions. Think about it.
Linux Commands
- wc -l: to count lines. Remember to remove the header from Kubernetes output.
  kubectl get pods -n kube-system --no-headers | wc -l
  12
- ps -aux
- awk '{print $1}': where $1 is the column you'll print from the output usually coming from a grep you did.
  kubectl get pods --no-headers
  mydeployment-569bfcf767-ssxl6 1/1 Running 0 11m
  kubectl get pods --no-headers | awk '{print $1}'
  mydeployment-569bfcf767-ssxl6
- tr " " "\n": replacing spaces with a new line.
  echo "this is a test" | tr " " "\n"
  this
  is
  a
  test
- curl -s ip:port: in this example, we're trying to connect using ip:port through curl. It's good to have this command at your fingertips to test communication between pods if necessary.
- ssh: Execute a command using ssh on a machine without having to be inside it to get the output.
  ssh <your-user>@<ip-address> "<command>" &> output.txt
- openssl to create certificates.
- apt-cache show package to see package versions
- strace -p processID to verify syscalls of a process, can use -cw to count as well
- lsof -i :22 to check which process is using the port
- journalctl to verify running processes
- dmesg to check kernel loading
- systemctl to start, disable, and stop services
- netstat -plnt to see all ports in use
Save Time by Finding Things Quickly in the Documentation
Keywords:
- ingress
- certificate
- admission controller
- opa gatekeeper
- fieldRef
- Upgrading kubeadm clusters
- kubelet
- network-policies
- etcd encrypt
- configmap
- security context
- secrets
- service account
- runtime class
- apparmor
- seccomp
- Kubernetes API from a Pod
- Generate Certificates
- Certificate Request
Commands That Should Be Memorized
kubectl config get-contexts -o name
kubectl config use-context kind-kind-cluster-ia
kubectl config set-context --current --namespace kube-system
kubectl config current-context
cat ~/.kube/config | grep current-context | awk '{print $2}' # Another method
# --dry-run=client -o yaml > manifest.yaml This could be used to redirect output from commands below as a simulation
kubectl run mypod --image nginx --labels=id=1234,env=prod
kubectl create deploy mydeployment --image nginx --replicas 2
kubectl get pods --sort-by metadata.name
kubectl get pods --sort-by metadata.name -o custom-columns=NAME:.metadata.name
kubectl get pods --sort-by metadata.name -o custom-columns=NAME:.metadata.name,NODE:.spec.nodeName
# Filter pods in all namespaces that have the label passed and the field as well
kubectl get pods --all-namespaces --selector k8s-app=kube-dns --field-selector=spec.nodeName=kind-cluster-ia-control-plane -o wide
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
kube-system coredns-76f75df574-82xg7 1/1 Running 0 23h 10.244.0.3 kind-cluster-ia-control-plane <none> <none>
kube-system coredns-76f75df574-p5jzh 1/1 Running 0 23h 10.244.0.2 kind-cluster-ia-control-plane <none> <none>
kubectl auth can-i
Logs
Know where all possible container logs are located.
APIs
kubectl api-resources --namespaced=true -o name
If you get a cluster update question, leave it for last.
Vim Setup
Create a ~/.vimrc and add the following
set expandtab " use spaces for tab
set tabstop=2 " set tab width to 2 columns
set shiftwidth=2 " amount of spaces used during indentation