/kubestronaut-roadmap

CNCF Kubestronaut Program Roadmap

Kubestronaut Roadmap

This is a step-by-step guide on how to become a Kubestronaut, with links to relevant learning resources.

If you want to watch a video version (in Portuguese) of this roadmap, you can find it here. Presented at 4º Online Meetup of CNCF-SC Community Group

The program

The Kubestronaut program recognises community leaders who have consistently invested in their ongoing education and grown their skill level with Kubernetes. Individuals who have successfully passed every CNCF’s Kubernetes certifications – CKA, CKAD, CKS, KCNA, KCSA – will receive the title of “Kubestronaut”, as well as these additional benefits:

  • An exclusive Kubestronaut jacket to show off your elite status
  • A Credly badge to showcase your expertise
  • Access to the dedicated/private Kubestronaut Slack channel and mailing list
  • Coupons for 50% off five certifications each year – for yourself or to share
  • 25% off three CNCF events a year

Certifications

  • CKA, CKS, CKAD:
    • Duration: 2h
    • Questions: 15-20 performance-based
  • KCNA, KCSA:
    • Duration: 1h30
    • Questions: 60 multiple-choice

My recommended order to take the certifications:

  • If you have some experience and knowledge of Kubernetes, containers and cloud-native ecosystems:

    • KCNA -> CKA -> CKAD -> CKS -> KCSA
    • Rationale: Starting with KCNA provides a solid foundation in Kubernetes and the cloud-native ecosystem and also gains some experience in the check-in process. The CKA certification will deepen your understanding of cluster administration. Next, CKAD will help you to understand how to build, deploy and manage workloads on Kubernetes. Studying for CKS will enhance your knowledge of Kubernetes security fundamentals, which will make it easier to grasp the theoretical concepts covered in KCSA.

  • If you have some theoretical knowledge of cloud-native ecosystems, but don't have too much experience with Kubernetes:

    • KCNA -> CKAD -> CKA -> KCSA -> CKS
    • Rationale: Begin with KCNA to establish a fundamental understanding of Kubernetes and cloud-native principles. Move on to CKAD to learn how to develop and deploy applications in Kubernetes. Then, study for CKA to gain advanced skills in Kubernetes administration. KCSA will give you insights into the theoretical content of cloud-native security, and finally, CKS will focus on Kubernetes security hands-on, leveraging the knowledge earned from the previous certifications.

CKA is a pre-req for CKS.

In my opinion, if we order by exam difficulty, we have:

CKS (hard one) -> CKA -> KCSA -> CKAD -> KCNA (easy one)

General tips

For all exams:

  • Always be present 30min before the exam start to do the check-in

  • Reliable internet connection and a good webcam (if the proctor can't read your ID during the check-in you won't be able to do the exam)

  • If you can't answer a question quickly, mark it as flagged and move on. Try solving the easier questions first to gain more confidence, and then work on solving the other questions.

For CKA, CKAD, CKS:

  • Be fast with kubectl

  • Do not memorize YAML manifest syntax. Use imperative commands (you can do 80% of the exam with imperative commands). Ex = create pods, deploys, daemonsets, serviceaccounts, role, rolebinding, service; If you need to, check the documentation and copy and paste the yaml manifests.

  • Always check the context in which you are running kubectl commands, as there are many clusters.

  • Spent 1min on env setup. The exam environment already have the alias for "k=kubectl". Also .vimrc is configured with shiftwidth=2; expandtab=true; tabstop=2. If you want you can configure just:

export do="--dry-run=client -o yaml"
# k create deploy nginx --image=nginx $do

export now="--force --grace-period 0"
# k delete pod abc $now

  • Copy/paste won't work as usual:

    • You can use the menu from right click
    • ctrl+shift+c / ctrl+shift+v
    • Click-copy from the instructions

  • You should be familiar with Kubernetes documentation as well, so spent some time reading and searching through k8s docs. Try to remember pages with examples of manifests (e.g., pv, pv, network policy, ingress) so you can copy/paste faster.

Kubernetes and Cloud Native Associate (KCNA)

KCNA will test your knowledge and skills in Kubernetes and the wider cloud native ecosystem. In my opinion, is the easiest one. Pass score is 75%.

Study but not limited to the following:

  • Overview of container orchestration
  • Kubernetes fundamentals
  • Cloud Native Architectures
  • Concepts of CI/CD, GitOps
  • Some knowledge of the CNCF projects
  • Concepts of observability

Recommended Labs and resources:

Kubernetes and Cloud Native Security Associate (KCSA)

KCSA will test your understanding of the baseline security configuration of Kubernetes clusters to meet compliance objectives, including the ability to harden security controls, test and monitor the security, and participate in assessing security threats and vulnerabilities.

In my opinion, this certification is very hard if you don't have knowledge of security fundamentals. Pass score is 75%.

Study but not limited to the following:

  • 4Cs of Cloud Native Security
  • control-plane protection
  • admission Controllers
  • auditing
  • network Policies
  • read the Cloud Native Security whitepaper

Recommended Labs and resources:

Certified Kubernetes Administrator (CKA)

CKA will test your skills, knowledge, and competency to perform the responsibilities of Kubernetes administrators.

In my opinion, it's the most important certification. A score of 66% or above must be earned to pass.

Study and practice but not limited to the following:

  • how to perform etcd backup/restore
  • how to cluster setup/upgrade with kubeadm
  • creating pv, pvc and mounting volumes into pods
  • multi-containers in a pod
  • study about how configure nodeSelector, pod affinity
  • concepts of taints, tolerations
  • be comfortable on creating network policies
  • be fast on create services with kubectl and ingresses
  • be fast on creating pods and deployments
  • practice kubelet troubleshooting
  • practice control-plane components troubleshooting

Recommended Labs and resources:

Certified Kubernetes Application Developer (CKAD)

CKAD will test your ability to design, build, and deploy cloud-native applications using Kubernetes.

In my opinion, it is the easiest one. To pass, you must earn a score of 66% or above.

Study and practice but not limited to the following:

  • build container images with Docker/Podman
  • create pods, deployments, daemonsets, cronjobs
  • blue/green deployments
  • helm to deploy packages
  • probes and healthchecks
  • create ingress, service
  • create secrets, configmaps

Recommended Labs and resources:

Kubernetes Security Specialist (CKS)

CKS will test your skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime.

In my opinion, it is the most difficult one. To pass, you must earn a score of 67% or above.

Study and practice but not limited to the following:

  • Be comfortable with changing control-plane components
  • CIS benchmarks
  • Know how to use tools like Falco, Sysdig, Tracee, Trivy
  • Be comfortable with creating and using ImagePolicyWebhook
  • Study and practice how to set audit policy
  • Create Network policies
  • Configure Security context for pod or container
  • Create ServiceAccounts
  • RBAC authorization

Recommended Labs and resources: