Kubernetes CKS Example Exam Question Series

CKS Exam Series | CKA Exam Series | CKAD Exam Series

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

→ Check out the FULL CKS COURSE on Udemy ←

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Content

  1. Pods, Secrets and ServiceAccounts
  2. Immutable Pods
  3. Crash that Apiserver & check logs
  4. ImagePolicyWebhook / AdmissionController
  5. (coming next week)

Rules!

  1. Use only kubernetes.io/docs for help.
  2. Check our solution after you did yours. You probably have a better one!

Today's Task: Create a CKS Cluster for studying and check Security Best Practices

This is the first task of this series, hence it’ll be a bit about preparation rather than solving scenarios yourself. …


Kubernetes CKS Example Exam Question Series

Today's Task: Create an ImagePolicyWebhook (without the external service)

The idea is to create an ImagePolicyWebhook Admission-Controller-Plugin which prevents all Pod creation, because the external service which should allow/deny is not reachable. …


Kubernetes CKS Example Exam Question Series

Today's Task: Crash the Apiserver and check logs

You should be very comfortable changing the Apiserver config. …


Kubernetes CKS Example Exam Question Series

Today's Task: Make Pods immutable

  1. Create Deployment snow of image nginx:1.19.6 with 3 replicas
  2. Force container c2 of Pod holiday to run immutable: no files can be changed during…


Kubernetes CKS Example Exam Question Series

Today's Task: Pod with ServiceAccount uses Secrets

  1. Create ServiceAccount secret-manager
  2. Create Secret sec-a1 with any literal content of your choice
  3. Create Secret sec-a2 with any file content of your choice (like…


Certified Kubernetes Security Specialist Exam Preparation

Hello fellow Kubernetes enthusiasts!

This is just an announcement that we released our CKS Full Course in combination with the CKS Simulator on Killer Shell. Use the discount code CKS-KILLER-SHELL.

The CKS (Certified Kubernetes Security Specialist) extends the CKA and combines various areas of Kubernetes security. Read more here about what it contains.

Course Structure


Is this certification for you, what will be asked, and how to prepare?

This article will give you an overview of the CKS, how the real exam is structured, and some tips and tricks on how to prepare.

Kubernetes Certifications

  • In the CKA you also have to do some deeper CKAD tasks and additionally fix broken clusters and perform maintenance on them.
  • The CKS extends the CKA, which is a prerequisite. It covers various security configurations and best practices at the cluster and application level.

Why is the CKS interesting?

The CKS is a very important certification and the knowledge it brings is requested by many companies. Kubernetes is now the platform for running container-based workloads, and secure infrastructure has become a top priority; this led to the development of the CKS. …


Requests, Limits, Overcommitment, Slack/Waste, Throttling

Before we go into production with a Kubernetes application we should understand K8s resource management. The core is to understand how the Kubernetes scheduler handles resource requests and limits, then everything else makes sense. So let’s dive into it!

After reading this you will:

  • know how the k8s Scheduler works with resources
  • have ideas on how to improve cluster usage and stability

TL;DR

  • set no CPU limits or disable CPU limit enforcing in kubelet
  • usage should be below requests
  • use scaling with HPA / VPA
  • monitor/alert on pod resource usage

Pod Resources

In k8s a pod can have one or multiple containers which are usually run by Docker. …


Content

Overview and Tips

  1. Multi Container Issue
  2. Scheduler Playground
  3. Advanced Scheduling
  4. Node Management
  5. Manage Certificates
  6. Pod Priority
  7. RBAC
  8. coming up…

Rules!

  1. use only kubernetes.io/docs for help.
  2. check my solution after you did yours. You might even have a better one ;)

Notices

Pre info

Checking permission is possible with this:

kubectl auth can-i get pods
kubectl auth can-i get pods --as one@test.com # fails, unknown…


Shown step-by-step on a simple example application

TL;DR

  1. raise the volume size of the PVC
  2. restart all StatefulSet pods gracefully
  3. delete StatefulSet but keep pods running
  4. create StatefulSet again with updated volumeClaimTemplate size

Create a test cluster

To test we create a sample k8s cluster, here using GCP:

gcloud container clusters create test --num-nodes 3 --zone europe-west3-b --machine-type n1-standard-2 --node-version=1.16 --cluster-version=1.16

Raise PVC in Pod

Before we move onto raising a PVC in a StatefulSet it might be nice to test this on a simple single pod first.

Setup

This will result in:

About

Kim Wuestkamp

wuestkamp.com | killer.sh (CKS CKA CKAD Simulator) | Software Engineer, Infrastructure Architect, Certified Kubernetes, Certified Symfony
