From 0 to CKS in ~4 months
Apr 18, 2025 • 2525 words • 13 min read
A few weeks ago I passed the CKS (Certified Kubernetes Security Specialist) exam, and in this post I will describe the process: how I studied and what resources I used, and I will provide some tips that will help you save time and effort.
Table of contents
- CKA: Certified Kubernetes Administrator
- CKS: Certified Kubernetes Security Specialist
- CKA vs CKS: which one is harder?
- Exam tips
- Final thoughts: Was it worth it?
CKA: Certified Kubernetes Administrator
The first step for CKS is to get the CKA. It used to be that it was necessary to hold an active CKA certificate, but this changed recently and you just need to have passed CKA at some point.
CKA is all about managing a k8s cluster. You will learn to use the kubeadm tool to install and upgrade a cluster, configure the various components, troubleshoot a range of failure scenarios both on the controlplane and on the worker nodes, configure networking etc. You need to be familiar with the locations of the various configuration files and how these are mounted into the containers that form your cluster.
Resources and preparation
To prepare for this exam I used an excellent Udemy course by Mumshad Mannambeth, "Certified Kubernetes Administrator (CKA) with Practice Tests". The entire course is more than 25 hours of videos and if you add the practice tests then you're looking at approximately 30 hours of content. This is a lot of time, so I tried to quickly identify which bits I found difficult so that I could focus there.
I watched the entire course once (at 1.5x) but I skipped the labs and their solutions. Once I had an understanding of all the topics, I then went back and completed all the labs, keeping notes of the most difficult ones, which left me with ~20 topics that I had to revisit. I watched again only the relevant lectures and went through the corresponding labs one more time, and then I bid goodbye to Mumshad.
The simulator
The next step was the killer.sh CKA simulator which provides a practice environment and conditions that are very close to the real thing. When you purchase your exam you automatically get 2 sessions with the simulator.
For the CKA, the simulator had more questions than the real exam (25 vs 17) and they were of higher difficulty, making it a great way to test your knowledge and prepare. The great thing about the simulator is that you have access to that environment for 36 hours. The first 2 hours are the "exam" and after that you get your score and the solutions.
In my first attempt I managed to answer only 15 of the 25 questions on time, which resulted in a measly 78 out of the 125 subtasks. This highlighted different weaknesses, so after a bit more studying and playing around with the solutions, the second time I got a much more respectable 113/125.
CKS: Certified Kubernetes Security Specialist
Once CKA was out of the way, I started looking for resources that I could use to study for CKS.
CKS is all about securing your cluster on multiple levels: Securing the controlplane components, securing the hosts, securing the container runtime, securing the images, securing the containers, monitoring container syscalls and their behaviour, handling secrets, encrypting etcd, etc.
Resources and preparation
For CKS I mainly used Killer Shell's course which is free on YouTube. It is a bit outdated and it doesn't cover some topics that were added to the exam more recently, such as SBOM, Cilium, PodSecurityStandards and a few others, but most of these are covered in the free Killercoda playground scenarios.
By definition, there is some overlap with the things you learned for the CKA, for example you get to revisit NetworkPolicies, RBAC, and Secrets, but this time you'll go into a bit more detail. Later on you get to new and more interesting topics like securing your supply chain, container runtime sandboxes, etc.
Once that was done, I visited the playground and did all the scenarios, following a similar approach as I did with CKA and taking notes of the trickier scenarios. It's worth pointing out here that the killercoda scenarios are not as many and as thorough as the labs for the CKA course, so some extra attention is warranted.
The simulator
As with CKA, when you purchase your CKS exam you also get 2 sessions in the killer.sh CKS simulator and, as with CKA, this too has more questions than the real exam (23 vs 16). Unlike CKA though, here the simulator difficulty was similar to the real exam.
My first attempt here was abysmal: I only managed to answer 14 out of 23 questions and got 33 out of the 85 subtasks. Again the deal with the simulator is the same, so I had access to the simulation environment, the questions, and the answers for 36 hours. I got back to studying and 3 days later, in the second attempt, I doubled my score and got to 63/85 subtasks.
CKA vs CKS: which one is harder?
If you're new to the world of k8s, the CKA is going to throw a lot of information at you, but on a "single" system. Sure, it has a lot of moving parts, you need to learn new terminology, you need to be able to install and configure all the different components, differentiate between controllers, schedulers, kubelet, kubectl, kube-proxy, but they're all part of a single system.
The tasks that you have to complete in the exam are relatively straightforward: Create a deployment, create a cluster with kubeadm, debug the replicationset, configure pv and pvc for a pod, etc.
CKS expands the scope. You get to treat k8s as a production service that you need to maintain. The amount of new information you learn on k8s is relatively small, but you get to work with a lot of external tools in order to secure your cluster.
If you are an infrastructure person, chances are that you have had to deal with a lot of these already. You will have learned not to put secrets in your dockerfiles, to inspect your images for CVEs, to handle secrets properly, to create TLS certificates and CSR requests. You will have heard of Trivy, you will have used strace, and you will know what's "encryption at rest".
In the CKS exam the tasks are longer than the ones in CKA. You will be asked to do something which has 3 other steps that need to happen before that. You will be asked to use a third party tool to analyse the behaviour of your cluster or to identify images with known CVEs.
Deciding which one is harder depends on your experience with k8s and with other tools.
For me, it took ~2.5 months to prepare for CKA and ~1.5 months for CKS.
Exam tips
There are 3 things you need to optimise for: Speed, peace of mind, and time management.
Generate yaml faster
This is k8s, so almost everything is done and managed by yaml.
kubectl can show you the corresponding yaml for the interactive command it just ran by passing -o yaml to it.
However most of the time you will want to edit the file before running it, so you need to include a --dry-run=client alongside it and redirect the output to a file:
k run my-pod --image=nginx --dry-run=client -o yaml > mypod.yaml
That's a long thing to type every time (24 characters!), so you can save it in a variable and use that instead:
export d="--dry-run=client -o yaml"
k run my-pod --image=nginx $d > mypod.yaml
# make your changes in mypod.yaml
k apply -f mypod.yaml
This is especially useful for CKA where you will need to create a lot of resources.
For resources like network policies that cannot be created interactively, copy a sample yaml from the docs (see below).
Last but not least, prefix your resource files with the question number to avoid mixing things up between questions.
Know your shell
Knowing your shell and its shortcuts can make editing much faster. The default shell in the exam is bash and everything mentioned below is for this shell.
In a lot of questions you'll have to run commands that are 90% similar to things you've already typed.
Using the up arrow will take you to the previous command, and ctrl+r will allow you to search your command history for a specific string.
- ctrl+a will take you to the start of your command
- ctrl+e will take you to the end
- meta+f* will take you one word forward
- meta+b* will take you one word back
For even more flexibility you can use ctrl+x ctrl+e to open the command in your $EDITOR (which is set to vim in the exam), make your changes and then save and exit to run that command.
*meta is probably alt if you're on Windows and option if you're on a Mac
Know your editor
This is fairly obvious but I think it's worth mentioning, especially since the default editor in the exam is vim, which has a reputation of being hard to use.
If vim isn't your cup of tea, and you prefer nano or something else, you should update the $EDITOR environment variable either by running export EDITOR=nano or by configuring the ~/.bashrc or ~/.bash_profile, whatever is available.
Learn and use the docs
In both exams you have access to kubernetes docs as well as several other resources for CKA and CKS.
You should always keep an eye on them while studying, because that will make it easier to use them during the exam. You don't want to waste time wondering if the securityContext is only available inside the pod.spec or also in pod.spec.containers[*], you want to know how to access the reference.
Also, use the examples liberally.
Copy yaml structure, copy examples and adjust them, copy flags, copy anything you can find useful.
Your goal is to answer the questions, you don't get any points for typing.
Copy, don't type
Along the same lines as above, both in the simulator and in the exam, all the code blocks and commands in a question have a "click to copy" when you hover.
Use it to avoid typos and save time.
Backup, backup, backup
In a lot of questions you will be asked to change the configuration of a cluster, either for one of the controlplane components or, in CKS, for tools like Falco.
Make it a habit to take a backup copy of the file before making any changes, because you will make a mistake and you will get stressed.
That way, when something goes wrong you just copy the file back and try again.
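One way to make that habit mechanical, as an added example that is not from the original post; the backup_file and restore_file helpers, the BACKUP_DIR location and the q<N> naming are hypothetical. Backups go outside the edited file's directory because the kubelet treats every file in its static pod directory (/etc/kubernetes/manifests on kubeadm clusters) as a manifest, apart from names starting with a dot, so a copy left there can be picked up as a second pod.

```bash
#!/usr/bin/env bash
# Added example: back up a config file before editing it, restore it if the edit breaks things.
# BACKUP_DIR and the q<N>- prefix are assumptions made for illustration.
BACKUP_DIR="${BACKUP_DIR:-$HOME/backup}"

# backup_file <question-number> <path>
# Copies <path> to $BACKUP_DIR/q<N>-<basename>.orig, preserving mode and timestamps.
# An existing backup is never overwritten, so the pristine copy survives repeated
# calls made after the file has already been edited. Prints the backup path.
backup_file() {
    local q="$1" src="$2" dest
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    mkdir -p "$BACKUP_DIR" || return 1
    dest="$BACKUP_DIR/q${q}-$(basename "$src").orig"
    if [ -e "$dest" ]; then
        echo "backup already exists, keeping it: $dest" >&2
    else
        cp -p "$src" "$dest" || return 1
    fi
    printf '%s\n' "$dest"
}

# restore_file <question-number> <path>
# Copies the pristine backup back over the edited file.
restore_file() {
    local q="$1" target="$2" src
    src="$BACKUP_DIR/q${q}-$(basename "$target").orig"
    [ -f "$src" ] || { echo "no backup for $target" >&2; return 1; }
    cp -p "$src" "$target"
}

# Usage on a controlplane node (run as root):
#   backup_file 7 /etc/kubernetes/manifests/kube-apiserver.yaml
#   ... edit, wait for the static pod to restart, check it ...
#   restore_file 7 /etc/kubernetes/manifests/kube-apiserver.yaml   # if it did not come back
```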
Ensure you're on the correct cluster
Both in the simulation and in the real exam you will have access to multiple k8s clusters and you will need to answer each question against a specific cluster.
At the beginning of each question you will be told which cluster to use and there will be a command that takes you to that cluster.
Note that this is one of the differences between the simulator and the real exam: In the simulator you start from your "main" instance and you're asked to ssh into instances that belong to a specific cluster, whereas in the real exam all the clusters are configured as different kubectl contexts that you can switch to, by using k config use-context <context-name>.
In both cases, always run the command you're given, even if you think you're already working on the right cluster.
Take your time and start easy
When the exam starts it's tempting to dive straight into solving the first question you see.
I strongly recommend resisting this temptation and instead taking 5 minutes to go through all the questions, flagging them all.
Then start solving the easiest questions first and work your way towards the more difficult ones, unflagging questions as you answer them.
The goal here is to maximise the number of questions you can answer in the 2h exam period. Looking back at the 17 questions for my CKA, that is 120 mins / 17 questions ~= 7 minutes per question. Subtracting 5 minutes to go over all the questions, it barely takes us below the 7 minutes per question mark, but it's a worthwhile investment because we can make an informed decision regarding the order that we'll tackle the questions.
Following this approach I managed to answer 15 of the 17 questions of the CKA exam in 1h40m, which left me 20 minutes to decide what to do with the remaining 2 questions.
For CKS this is even more pertinent as each question has many more subtasks so you should really focus on playing to your strengths.
Final thoughts: Was it worth it?
For me? Yes. I had no experience with k8s and in ~4 months I managed to pass both the CKA and the CKS exams on the first attempt. I'm now running my own k8s cluster hosted on Hetzner where I host my various tools and projects, and I feel more comfortable applying to jobs that ask for experience with k8s.
For someone who already has experience with k8s... probably not, unless your company is paying for it.
The reason is that nothing beats actual hands-on experience with a certain technology in a work environment. It's one thing to play with something on your own with your side project that receives 100 requests per day and a completely different thing to operate a service that needs to serve thousands of requests per second.
However, if you don't have this kind of exposure, I think a certification is the next best thing because it demonstrates in a verifiable and measurable way that you have a certain degree of knowledge with this technology.
(Also depending on the industry and/or country there may be an increased fixation on requirements for degrees and certifications, ymmv)