I have, for the better part of two and a half years, been studying on and off to become fully certified in Kubernetes. As of this writing, I have completed all of the Kubernetes-related certificates that the Linux Foundation has to offer. I figured I’d take some time to talk about what each test covers briefly, why I decided to go for Kubestronaut, talk about my experience learning the material and applying it to my day job, things that I found great and not so great about the process, and what I want to focus on next in my own research around Kubernetes.

The tests

In order to become a Kubestronaut you need to pass five separate exams- in order of approximate difficulty they are…

  • KCNA - Kubernetes and Cloud Native Associate
  • KCSA - Kubernetes and Cloud Security Associate
  • CKA - Certified Kubernetes Administrator
  • CKAD - Certified Kubernetes Application Developer
  • CKS - Certified Kubernetes Security Specialist

These tests generally build on each other - material you learn when preparing for the KCNA will overlap slightly with the KCSA, and will have significant overlap with the CKA and CKAD. The KCSA likewise overlaps with all of the other certs. Unless you’re a real goofball, you probably shouldn’t skip the KCNA and KCSA.

It turns out, dear readers, that I am a real goofball. Pic related.

Me on my noble steed.

My path on taking the exams

I started with the CKA. From there, I did the CKS. I went back to the CKAD, then the KCSA, then the KCNA. It should be noted that the KCSA did not exist when I started, but I was also fairly cavalier on entering the subject matter thinking that I could just power through.

This was not a great idea.

I spent a bit of time when preparing for the CKA going back other things because I was totally fresh to the subject matter, and it probably took me longer to study for it than it should have. To compound my sins, I then took the straightest path possible to the CKS (Which I’m going to offer is the hardest of the three certs) instead of spending time getting more comfortable with the subject matter through, say, the CKAD.

I actually failed my first go at the CKS, precisely because I was trying to move too fast. At this point I should bring up something that is huge to understand with this set of exams- you get a retest. You may be thinking to yourself “Why would I want to take the exam a second time intentionally?”, and that’s not at all what I’m getting at here- what I’m saying is that no one single course you’re going to take will absolutely prepare you for every question that may be asked on the exams, or even the style of questions they ask may not be clear across the ways you use to study. While the exam questions will likely be different the second time, you can come back to it knowing what your weaknesses were, how the test is largely structured, and what you need to do to succeed.

When I came back to the KCSA and KCNA, I found them both extremely easy- I want to say I spent about a month preparing for the KCSA, and then about a week preparing for the KCNA.

What I studied

Initially, I tried a self-paced training course from the Linux Foundation. While I learned a decent amount, I felt more confused by what I learned (How all of the pieces fit together) than anything. Given this was nearly three years ago at this point, I would not doubt the training has gotten better.

I ended up finding better luck in training resources outside of the Linux Foundation. There are a number of them, and anyone listed here should be a decent place to look for training (Assuming they offer external training). Just be wary of any place that says you’ll ace the exams just by taking the courses- in my experience each course has its strengths and weaknesses and if you rely just on one you may be frustrated by your results.

How long did it take to study for all of this?

Some websites put the total time spent on all of this at around 560 hours worth of effort- I want to say I spent more like 600-650 hours worth of effort on this in my spare time. My path, however, wasn’t super streamlined and I would go back constantly to take notes or go back over items that I heard but wasn’t sure I understood. If I hit something I didn’t quite get, I’d go research and figure out what it was.

I also did not keep consistent with my self-directed education. I’d take time to do other things, or I’d take mental breaks from learning when life got too spicy. And that’s okay! But it did mean some of the finer details needed to be gone back over. That, too, is fine- we learn best through spaced out lessons, pushing us to recall old topics as well as build on them to accrete new mastery. Do I wish I would have been able to get it done sooner? Sure, but I also was able to take some beautiful detours into other things.

Certificate lifespan

The certificates now last for two years- previously they were for three, which is why I didn’t have to retake the CKA to get my Kubestronaut. I assume they changed this as they feel Kubernetes is rapidly changing as a technology and want practitioners to have meaningful and timely knowledge of current Kubernetes capabilities- given Kubernetes has a new minor version about every four months and the deprecation policy for Kubernetes ensures at least a year of support for items going into deprecation, this means what you learn should have a useful life of at least the end of the certification lifespan.

Why did you do all of the Kubestronaut certs?

I did it for the jacket. I mean, look at it (On this dude’s blog)! It’s pretty slick.

But no for real, the company I work for was moving towards making our product available in containerized manner. The next step from containerization, of course, is deciding when and where those containers should run in a distributed system, and what resources they should have. My concern (And everyone in this space should have this concern!) was that if I didn’t understand the security ramifications of what was being provided that I would be not doing right by my clients. So I dug in.

I am still of the opinion that Kubernetes, if you use all of the bells and whistles that have been developed around it (Turnkey Kubernetes providers such as AKS/EKS, Helm, various gitops providers such as ArgoCD or Flux, etc.) can be extremely easy to get started with. The trap is ensuring that these beautiful things you’re building can’t be pwned (Or at least pwned easily, given a sufficiently motivated attacker will, on a long enough timeline, find a way). There are a range of things you can do there, things as simple as just making your containers not run as a privileged user right in the Dockerfile. These things should be well understood by anyone taking this technology on- these systems are complex, the trust relationships are many.

How learning Kubernetes has helped me!

Starting to understand containerization and container orchestration immediately helped me in my day job, given the company I work for was moving towards the usage of the technology. I could probably write a few paragraphs here on how valuable even just the CKA was for me as far as getting dangerous with the technology, but I will relent. Instead, I will offer this- as participants in increasingly distributed systems, we need to seek to understand them as best we can. We may understand the product we support at an application level extremely well, but if we don’t understand at a bare minimum what our application runs on then we’re failing ourselves. For instance, what if a client has an outage while using a product you support? Do you know enough to be able to say “This isn’t our product”?

Upsides and Downsides

Like I mentioned above, I was immediately able to start applying what I learned to my day job. Which was great!

The biggest issues I had in learning Kubernetes wasn’t actually with learning- it was with the exam proctoring process. PSI has very few friends among those who take exams for the purpose of certification. While this is not an exhaustive list, I will air some of my largest grievances:

  • Every check-in process for a given proctor was frustratingly different.
    • Some proctors would be fine with me having a coaster under the water I had on my desk. Some would make me put it out of arms reach.
    • Some proctors would be fine with my headphone amp sitting on my desk with nothing plugged into it. Some demanded it be removed from the desk. The same thing with the cat bed I keep on my desk (Because cats).
    • One proctor demanded I unplug the speakers from my wife’s computer, a computer that had no one at it and was off.
  • Some proctors asked for incredibly impractical (Or weird!) things and effectively had to be talked into a sensible solution.
    • I took one exam in a hotel room, and was told that I had to physically move the refrigerator in the room because it had items in it that could be seen through the glass window. Not “Hey can you move those items with labels out of the testing area”, legitimately they wanted me to move the refrigerator.
    • One proctor demanded they see specifically around the bottom of my chair including my feet. Especially my feet.
  • Check-ins failed in various ways.
    • I once fully checked in, the proctor was to release the test, and then they disconnected and I had to check in all over again. See above for why this was an issue. I could barely focus on the test after that.
  • Check-ins were sometimes real delayed.
    • During one of my exams I want to say I waited 20 minutes to take the exam. The energy and focus I had was obliterated by the time I got through check-in.
  • Their software is… Not great.
    • Their software has pretty weird and consistent issues on my laptop, but runs fine on my workstation. I’ve had it crash a few times randomly, but thankfully not while in an exam.

If I had a choice to go to a physical location not managed by PSI and take the exams I would take this option ten times out of ten if it meant not dealing with PSI. I would bet there are a number of individuals who would agree with me.

My next steps

I’m still considering whether or not I want to keep my good standing as a Kubestronaut. I agree that the certificates have value, I just don’t know if I have it in me to keep doing the same tests every other year- especially with all of the agita that comes with PSI. Honestly, dealing with PSI is part of what is keeping me from going for the Golden Kubestronaut designation as well.

That said, there is a ton you can do outside of certifications to learn. When I get time I intend to work through the various Kubernetes security resources out there such as the https://github.com/alevsk/dvka among other things. I’d like to learn more about breaking Kubernetes, so that I can guide folks on how to mitigate risks associated with its use.