Rogue One: A Certified Kubernetes Administrator (CKA) Exam Story

Posted by
Riyaz Walikar
on
March 3, 2021
· 11 min read

Why CKA?

As part of my role at Kloudle, I need to work with Kubernetes clusters every day. Aspects like - how the different parts of a cluster connect, work together, how is authorization implemented, how are apps able to expose themselves to the world, what regulates all of this, how do people upgrade clusters, what logs go where, etc. are some of the questions that I have to answer. While my hands-on experience was building up, we figured that having a Certified Kubernetes Administrator certification would add to my credibility.

Certified Kubernetes Administrator

I took up the CKA exam, failed the first attempt, and immediately took the free re-take to get certified. This blogpost describes the journey, my mental struggle, my fear of failure, how I overcame both, and many tips very likely you may not have read before.

A long time ago in a galaxy far far away ....

Exams can be stressful, especially if it has been some time that you have answered a proctored time-bound test. My last exam was my OSCP several years ago; the OSCP exam was a breeze as my primary career for the last decade has been as a pentester, breaking things across the web, mobile, networks, and the cloud.

Picking up Kubernetes, when we started Kloudle, was a mental challenge that I had to overcome since I was learning a completely new technology and knew that I was playing a catch-up game. People were/are doing some fantastic things with Kubernetes and other CNCF projects that made me feel like a complete outsider.

There would be meetings in the office where I would listen to Akash, Madhu and Abhishek while they spoke about Kubernetes and containers, with glossy eyes not knowing how I was going to contribute, even though my container-fu was catching up fast and I had already performed security assessments and penetration tests of apps running on Kubernetes clusters. I felt incomplete, shy, embarrassed about the stuff that I did not know even though I was already breaking workloads (I did not understand this word back then) for clients.

Imposter Syndrome

The first change occurred when my Co-Founder and dear friend Akash had a chat with me and asked me to write down what I was exactly afraid of. I wrote down the following things

  • My fear of failing in public
  • My fear of getting left behind in the tech space when everyone and everything is moving at warp speed
  • My fear that I may not have anything to contribute and would become redundant at some point in time

We then brainstormed with these thoughts and realized that

  • I was looking at new tech from a point of failure instead of seeing them as opportunities
  • none of what I was doing was life threatening or could result in physical injury
  • there are millions of other folk throughout the world who feel they will become redundant, so I was not a snowflake

Akash added that I will always be an attacker due to the way I think. My ability to disregard rules and boundaries makes me a good attacker but a lousy defender, which is why I will need to approach learning Kubernetes, containers, and other cloud-native tech by thinking about them using first principles. Clusters are computers with a networking stack, storage, RAM, CPU, and an OS that ties all of these things together conditioned by access control. These are things that I'm already well versed in.

Well, that flipped the switch in me and looking back to that day, I'm glad I had the conversation.

Certified Kubernetes Administrator - The Prep

I registered for CKA in November 2020 during KubeCon NA but did not start preparing until the end of January. Like most folks who appear for the exam, I Googled and read "experience" blogs, setup a local cluster for practice, followed the instructions to doing kubernetes-the-hard-way that Kelsey Hightower's created, signed up for Mumshad's classes on KodeKloud and picked up exercises on Katacoda as well. Gobbled up every piece of advice that folks who have passed the exam gave me - on the Internet, in my office, folks within my tech communities, the random guy I met at a KFC near my house.

I even made a Twitter post about it - https://twitter.com/riyazwalikar/status/1356118741499604992

Failure was not an option.

You shall not fail

Well, my prep did not account for what I would do if I failed. I started sensing that I was going down the rabbit hole of picking up an arbitrary date in the future, just to tell myself that I will be prepared by then. There was no data that supported this hypothesis, but I was sure for some reason. We all do this often in our lives.

Coincidentally or not, Akash had an internal discussion with us about trying out things using a technique that I had never heard before as the reference framework. The technique, called "Genchi Genbutsu" (https://conversion-rate-experts.com/genchi-genbutsu/), which simply put, asks you to "Go to the real place and see for yourself".

When I applied "Genchi Genbutsu" to the way I was learning for CKA, I simply had to go see the exam. I knew enough Kubernetes by now to ace the exam, but the fear of failing was coming in the way. There were too many "what ifs..". Well, I wouldn't know unless I "go and see the exam" myself.

The essential distinctions that I made at this point (I had help with this too :)) were that

  • ? failure is a way to evaluate what I could do differently for my next attempt
  • ? I had a free re-take
  • ? the exam was non-life threatening
  • ? I will be able to experience first hand what the exam looks like and what I will experience (physically and mentally) during the test itself
  • ? the exam (just like all exams in the world) certifies you based on a set of pre-created questions. This will not alter the way I look at and use Kubernetes in the real world

With these distinctions, I appeared for the exam on a Friday evening.

Certified Kubernetes Administrator - The Exam

Well, I failed the first attempt. Not because I did not know enough Kubernetes, but because of other reasons which I would not have found out if I had not jumped in.

Here are some things to remember before we move forward

  • The exam has clear instructions that are shared with the student. So make sure you follow these. Things like having an empty desk with no papers etc. You can find them here - https://docs.linuxfoundation.org/tc-docs/certification/tips-cka-and-ckad
  • You are allowed access to man pages and command help as long as they came installed on your operating system
  • You are allowed one additional tab to open and access the Kubernetes documentation site
  • The exam will be delivered by a terminal inside your browser (this will be relevant in a bit)

The exam itself is easy if you have done the following at least a couple of times (more the better)

  1. You have worked with browser based terminals (AWS, GCP, AKS cloud shells or the KodeKloud / Katacoda lab exercises)
  2. You have setup your own kubeadm cluster, upgraded it, torn it down and re-created it at least 2-3 times
  3. You are familiar with the Kubernetes documentation portal and know how to search and what to search (this is allowed during the exam)
  4. You are familiar with concepts (and can read yaml files) of pods, deployments, services, network policies, services (Ingress, ClusterIP, LoadBalancer) and RBAC concepts. All of these are described in the Kubernetes documentation
  5. You have practiced creating these resources on your cluster
  6. You are familiar with commands like ps, vi, grep, systemctl etc.

So what went wrong during my first attempt? In my experience, I mostly panicked during the exam. Here I was sitting alone in my room, sharing my screen with an unknown human, conscious that I am being watched, my screen being shared, my typos and fumbling being broadcast to unknown forces. It had been quite a while since my last video stream to an unknown audience.

If I have to make a list, here's where I think I goofed up

  1. I didn't get enough rest the previous night. I was anxious, afraid also perhaps, but it kept me awake
  2. I skipped lunch wanting to avoid stomach discomfort. I have a history of having stomach discomfort before I do public speaking engagements. Lack of breakfast and lunch before the exam did things to my mid 30s body that I had not anticipated
  3. I did not complete some tasks in the they were supposed to be. For example, as the final output, if the name of a node was expected, I saved the output of kubectl get nodes -o wide to the file
  4. The 2 hour window can be very stressful and play tricks with your mind
  5. My system rebooted 15 minutes into the exam. Although I was able to reboot and connect back to the exam in less than 3 minute, the experience left me drained due to anxiety
  6. I realized I had not practiced enough searching through the Kubernetes documentation
  7. I kept pressing Ctrl+Shift+C in the browser to copy text and instead ended up opening the developer tools followed by me shaking my head like an angry bull with flies on its nose.

I made the assumption that I was going to fail and made a list of things to do for my re-take.

The results came out on Sunday morning letting me know that I had failed and that I was eligible for a re-take. I quickly booked my re-take for Wednesday and let my team know.

I'll Be Back

I made another Twitter post about my results and what I was planning to do different this time - https://twitter.com/riyazwalikar/status/1358317919638147075

Certified Kubernetes Administrator - The Re-Prep and Re-Take

Based on my experience and memory, I made the following list of things to do before the re-take. I have expanded some of them to add some more clarity on what I was thinking when I made this list.

  1. I noted that if I lose power or Internet connectivity during the exam, it resumes from where I left without any delays. So there is no use worrying about this as I know exactly what needs to be done.
  2. During the exam, there is a notepad within the browser that I can use to copy, edit and paste stuff, like yamls, etc. I did not use this as much as I should have as I relied on copying and pasting into vi with funny results.
  3. Practice searching and bookmark some important key concepts from the Kubernetes documentation. I can solve all tasks within the exam if I know what to search for and practiced creating (or patching/deleting) the resource.
  4. During the exam, make sure to use the correct #k8s context. This is provided per task. Tasks completed in the wrong cluster are not counted.
  5. Right click copy (instead of Ctrl+Shift+C) & Ctrl+Shift+V works in the browser although the instructions say these don't work.
  6. Add alias k='kubectl', enable autocomplete and export do='-o yaml --dry-run=client' to the terminal before you begin. These are enough to work with all the tasks and can be found in the kubectl cheat sheet in the documentation.
  7. Spend the first 5 minutes to read through all tasks and flag every single task. Once you have solved a task, you can unflag it.
  8. Drink water, pause and breath if you are getting stressed. You are allowed to have water in a clear transparent bottle or a see through glass.
  9. Read every task carefully. The tasks are very well written and are self explanatory. The entire task needs to be completed as some tasks may have subtasks.
  10. For some tasks you will not know if you got them right, solve them to the best of your ability and revisit later when you have time.
  11. Solve what is familiar first. The certification is not a memory test, so use the docs judiciously to search, reuse yamls and configurations.
  12. Practice kubectl output formatting with -o jsonpath={}
  13. Learn to update and change configuration on running resources
  14. Practice concepts that I had not practiced before, like Network Policies, Ingress, scaling and rolling back of deployments etc.
  15. Practice at least 1 test on http://killer.sh to time box. The folks here provide a mock exam environment. Recommended if you generally perform badly in time boxed assignments (optional)
  16. Do some tasks with Katacoda or GKE/AKS cloudshell to mentally align with browser-based terminals
  17. Prevent a system reboot by ensuring my laptop would be connected to the mains at all times
  18. Change the backrest for my chair as sitting two hours stiffly in front of my screen, did stretch my back a little. Physical discomfort trumps mental discipline (at least with me)
  19. Sleep well the previous night or catch a power nap sometime during the day before the exam
  20. Practice browser tab switching and reading, while a command completes in the exam window.

I had about 2 days to implement the things that I had made a note of. Wednesday arrived in shameless haste and there I was in my room again with the moderator on chat.

Certified Kubernetes Administrator - The Result

Well, "Genchi Genbutsu" FTW, I passed the exam in my second attempt. I used every single thing that I experienced in my first attempt as learning. I still ran out of time and did not complete a task, but because I had already eliminated a host of other mental and physical blockers, it did not matter in the grand scheme of things.

CKA Cert

Overall, the exam was a fun experience and thanks to the free re-take should not be seen as a hard or impossible thing to achieve. I would recommend going ahead and giving the exam with whatever preparation you have so far and experience it firsthand. Evaluate what went wrong (if it does!) and re-use that knowledge for the re-take. Eliminate the taboo associated with failure or having taken two attempts to pass, the exam will be a much simpler lion to tackle.

Thank you for reading, and feel free to reach out to me if you need any help or guidance with the exam!

Certified Kubernetes Application Developer (CKAD) Update

So! I cleared the Certified Kubernetes Application Developer (CKAD) exam as well :)

Once I had cleared the CKA, my next goal was to clear the CKAD. I had about 2 weeks between both the exams, mostly because I was travelling and was working on other things at Kloudle.

As most of my day to day work now involves setting up workloads on Kubernetes, my hands on experience has been accelerating. I used this confidence of working with Kubernetes, the success of me clearing the CKA exam and well wanting to see how the CKAD looks like using the same principles I used earlier.

I booked the CKAD and answered the exam recently. Here are some things that stood out and tips and tricks for the CKAD exam if you are planning on answering it.

  1. The CKAD is an exam targeted at developers who are getting started with using Kubernetes. Hence the questions also are around RBAC, services like Ingress, NodePort etc., Deployments, Volumes and Storage, liveness and readiness probes, and multi-container pods.
  2. In my attempt, I spent the first 5 minutes reading through all the questions, flagging all of them and planning to unflag as I solve them. I did this with my second attempt at CKA as well. This was really useful in mentally setting up my expectations from the exam.
  3. I only solved the questions that I knew the answers to or knew how to reach to the answers. I did not attempt any question that I did not understand. The exam has some very scenario specific questions that have a very low score, so I just ignored them. Focussing on what I knew allowed me to not be stressed and focus on getting the required score to pass.
  4. In my opinion, if you answer the CKAD immediately after CKA, a lot of concepts are still fresh in your head and that is immensely useful.
  5. I explicitly practiced setting up multi-container pods, the example PHP Guestbook application and working with NetworkPolicies. I had not done these before and the practice helped.

That's all folks. As usual thank you for reading, and feel free to reach out to me if you need any help or guidance with the exam!

More Articles

An Attacker's Approach to Pentesting IBM Cloud - fwd:cloudsec 2021
Posted by
Riyaz Walikar
on
September 14, 2021

Slides of the talk presented at fwd:cloudsec 2021, titled - "An Attacker's Approach to Pentesting IBM Cloud". The talk contains examples of attack vectors, interesting things in IBM Cloud and future work to improve documentation.

Read More
Kloudle is a BlackHat USA 2021 Sponsor
Posted by
Akash Mahajan
on
August 4, 2021

From being trainers at BlackHat to sponsoring at the conference. A bit about our journey in brief.

Read More
You do not want to miss these talks at Black Hat USA!
Posted by
Riyaz Walikar
on
August 3, 2021

A list of talks in the Cloud Security and Platform domain that we have added to our must watch list of talks as the sheer number of sessions at the Black Hat briefings can be overwhelming!

Read More

Ready to give Kloudle a try?

We help you monitor and prevent any data breaches.

Let's Talk