How to become a Kubestronaut
0 Premise
1 Kubestronaut? What the heck is that?
It’s a recognition from the CNCF for those who successfully obtain all Kubernetes-related certifications (CKA, CKAD, CKS, KCNA, KCSA).
In my case, I achieved it on July 16th. My face is even on the CNCF website now.
2 Benefits
Below are the benefits for Kubestronauts:
An exclusive Kubestronaut hoodie (it’s really cool, check it out at this link)
The Kubestronaut Credly badge
Access to a private Slack channel and mailing list
A coupon for 50% off Linux Foundation certifications every year
A 25% discount for three CNCF events per year. (This might seem like a small discount, but tickets for KubeCon Paris in 2024 cost around 500 euros, so you could save about 125 euros with this discount)
3 My starting point
When the Kubestronaut program was announced at KubeCon Paris in 2024, the only certification I had was the CKA, which I obtained in April 2023. So, I needed four more certifications to complete them all.
I have about 3 years of experience with Kubernetes, so I wasn’t starting from scratch.
4 Study Material
Preparation for becoming a Kubestronaut can vary based on your experience with Kubernetes. In my case, I already had substantial experience using Kubernetes, so I focused on studying the topics I hadn’t encountered before to prepare for the CKS and completed the relevant sessions on killer.sh for each exam.
Whenever you purchase a Kubernetes certification from the Linux Foundation website, you gain access to two free labs on killer.sh, which allow you to practice before the exam. I find these practice sessions essential, especially for familiarizing yourself with the environment you’ll use during the certification.
Additionally, for each certification purchased, you are entitled to a free retake.
4.1 Courses and simulations I recommend
I haven’t personally completed these courses in their entirety. I only looked at some topics I wasn’t familiar with while preparing for the CKS. However, they seemed very valuable:
The courses by Mumshad Mannambeth. You can find them on both KodeKloud and Udemy.
Complete the practice exams on killer.sh that are provided with the purchase of the certification
Complete the scenarios on KillerCoda. There are about 200 scenarios you can use to practice before the certification.
4 My experience with PSI Secure Browser and environment checks
When you schedule your certification, you’ll have the option to choose a time slot. There must be at least 24 hours between scheduling the exam and taking it: you cannot book an exam in the evening for the following morning.
On the day of the exam, you’ll go to your Linux Portal and click on “Take Exam,” which will initiate the download of the PSI Secure Browser. In the following minutes, you’ll upload your identification documents onto the platform and wait for the proctor to supervise your exam.
The rules regarding the environment in which you’ll take the exam are very strict, and during this phase, the proctor will ask you to show everything in the room (floors, chairs, desks, anything).
You obviously cannot wear smartwatches or headphones. Any device beyond the computer from which you’ll take the exam is prohibited, as are external monitors.
My experience with PSI Secure Browser is quite disheartening:
In all the certifications, I experienced high latency in the terminal of the desktop environment where I was working. The latency made consulting the documentation a real nightmare.
Keyboard shortcuts for copy and paste didn’t work. Every time, I had to select the text I wanted to copy using the mouse, right-click, select copy, right-click again, and choose paste. What a nightmare.
I took all the certifications on a 13" Mac, and just to give you an idea, this is what I saw during the exam (I was forced to reduce the browser font to at least 60% or else it was impossible for me to scroll through the documentation). The screenshot was taken during one of the simulations on killer.sh, this isn’t the PSI screen, but the layout was the same.
5 My experience with each individual certification
In the following lines, I will share my experience with each individual certification. I’ll also provide the materials that I wished I had found online and for free while preparing for the certifications. Let’s get started!
5.1 Certified Kubernetes Administrator (CKA)
This is certainly one of the most well-known Kubernetes certifications. It is designed for those who will be managing the Kubernetes cluster (etcd, kube-apiserver, kubelet, controller manager, scheduler).
Here are the questions that a colleague who recently took the exam received. It’s been over a year since my CKA exam, so I don’t remember them anymore. Thanks to Marco Ferraioli.
- Write to a file which pod with label X consumed the most CPU
- Create an ingress to expose an already existing service
- Modify a deployment to expose port 80 and create a NodePort service
- Backup etcd and restore from an existing backup
- Scale a deployment
- Create a sidecar container with a custom volume
- Upgrade only the control plane from 1.30.0 to 1.31.1
- Create a multi-container pod
- Create a PersistentVolume (PV)
- Create a pod with a PersistentVolumeClaim (PVC) and then scale the PVC from 10Mi to 70Mi
- Fix a not ready node
- Create a NetworkPolicy to allow outbound traffic only to another namespace on a specific port and allow inbound traffic from another namespace on a different specific port
- Create a ClusterRole and grant the privileges of that ClusterRole to a ServiceAccount
- Save the ERROR logs of pod X to a file
- Write to a file the number of nodes that do not have the NoSchedule taint
- Drain a node: Evict workloads from a node and ensure that no new pods can be scheduled on it.
I’m sharing my experience with the CKA here.
5.2 Certified Kubernetes Application Developer (CKAD)
By far, the easiest certification among those in lab mode. Below are the topics covered:
I don’t have specific advice for this certification. These are the questions I received in the simulation on killer.sh.
5.3 Kubernetes and Cloud Native Associate (KCNA)
In this case, I don’t have any simulations to recommend. Among the two quiz-based certifications, this one is definitely the easier. If you’ve passed the CKAD, this will be a breeze!
5.4 Kubernetes and Cloud Native Security Associate (KCSA)
For this certification, I had limited study material. I took it in June 2024, and there were no online courses available since the certification had been launched just a few months prior.
Checking the security section of the official documentation can be helpful. Make sure to delve into all the topics on that list, and if you find references to external sources, be sure to read them.
I don’t have any simulations to share for this certification.
5.5 Certified Kubernetes Security Specialist (CKS)
Among all the certifications I completed, this one was the most “nerve-wracking” for me. Many people find it difficult, but for me, the right description is “nerve-wracking.”
This was the certification where I had to navigate the Kubernetes documentation the most, and from my 13” screen, navigating the documentation was a nightmare.
To give you an idea of the questions you might encounter, here’s my simulation on killer.sh:
Here are the questions I received during the actual exam:
- Export the username and password of an existing secret into two files. Create and mount the secret as a volume inside a pod.
- Create an AppArmor profile on a node and create a pod that uses that profile
- Network policy that blocks all traffic
- Network policy to allow inbound traffic within a namespace only from pods in namespace A and from all pods with a certain label
- Improve the security of an API server by removing anonymous login and adding the NodeSelector plugin
- CIS benchmark for control plane and etcd node
- Launch a pod as user 30000 and with a read-only file system, deny privilege escalation
- Create a role and role binding + add permissions to a certain existing role
- Create a service account that does not automount a token
- Sandbox Gvisor
- Improve the security of a Docker image and a Deployment
- Change the encryption protocol versions for etcd and the control plane
- Audit policy
- Image Webhook Policy
- Create a new policy with Falco
- Scan vulnerabilities with TRIVY for images that had HIGH and CRITICAL severity
6 Tips & Tricks
Here’s a roundup of tips for the certifications:
- Learn to use vi, at least the basic commands.
- If the question asks you to create a pod, don’t navigate the documentation. Just use
k run [pod_name] --image=[image_name] --dry-run=client -o yaml > pod.yml
- In the terminal, you have the option to use kubectl autocomplete. Use it.
- Aliases for kubectl are already set. Time is short: don’t type kubectl, type k.
- There will be questions where you’ll need to work on static pods. Make sure to create a backup copy of those files before modifying them. Also, ensure that you remove them from the directory /etc/kubernetes/manifests. You will put them back once the modifications are complete. This way, you ensure that the static pod comes up with the correct configuration.
- Make sure to switch the context you’re working on between questions. If you perform a task in the wrong context, you risk not only losing points for that question but also affecting subsequent questions that rely on the context now having an extra resource.
- If you need to create a deployment, don’t navigate the documentation. Use
k create deployment [deployment_name] --image=[image_name] --replicas=[replicas_number] --dry-run=client -o yaml > deployment.yml
- If you don’t remember which flags to pass to a certain command, use the kubectl helper with:
kubectl <command> --help
- If you absolutely must use the documentation, try not to read it in its entirety. Use “find” to search for keywords instead.
- If you’re testing the permissions of a service account or a role, use [kubectl auth can-i](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_auth/kubectl_auth_can-i/)
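A worked version of the kubectl auth can-i tip, tied to the role, role binding and service account tasks in the exam lists above. This is an added example, not part of the original post; the namespace, account and role names are constructed placeholders.

```shell
#!/bin/sh
# Added example: grant a ServiceAccount a narrow Role, then confirm by
# impersonation what it can and cannot do.
# NS, SA and ROLE are constructed names, overridable from the environment.
NS="${NS:-team-a}"
SA="${SA:-pod-reader}"
ROLE="${ROLE:-read-pods}"

# RBAC identifies a ServiceAccount by this user name.
sa_subject() {
    echo "system:serviceaccount:$1:$2"
}

# grant_read_pods: create the account, a Role limited to reading pods,
# and the RoleBinding that ties them together in $NS.
grant_read_pods() {
    kubectl -n "$NS" create serviceaccount "$SA" &&
    kubectl -n "$NS" create role "$ROLE" --verb=get,list,watch --resource=pods &&
    kubectl -n "$NS" create rolebinding "$ROLE-$SA" --role="$ROLE" \
        --serviceaccount="$NS:$SA"
}

# sa_can VERB RESOURCE: ask the API server whether the account may do it.
# kubectl auth can-i prints yes/no and exits non-zero when the answer is no.
sa_can() {
    kubectl -n "$NS" auth can-i "$1" "$2" \
        --as="$(sa_subject "$NS" "$SA")" >/dev/null 2>&1
}

# verify_least_privilege: the account must hold what was granted and nothing
# from a short deny list; returns non-zero on any surprise.
verify_least_privilege() {
    rc=0
    for check in "get pods" "list pods"; do
        # $check is left unquoted on purpose so it splits into VERB RESOURCE.
        sa_can $check || { echo "MISSING: $check" >&2; rc=1; }
    done
    for check in "delete pods" "get secrets" "create rolebindings"; do
        if sa_can $check; then echo "EXCESS: $check" >&2; rc=1; fi
    done
    return $rc
}
```

Run `grant_read_pods && verify_least_privilege` in the context the question names; checking the denied verbs as well as the granted ones catches a binding that points at a broader role than intended.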
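The static-pod tip in the list above as a set of shell helpers. This is an added example, not part of the original post; the function names, the backup directory and the MANIFEST_DIR override are assumptions, and the default path is the kubeadm one.

```shell
#!/bin/sh
# Added example: edit a static pod manifest with a backup kept outside the
# manifest directory. The kubelet loads the files it finds in MANIFEST_DIR,
# so a backup copy left there can be treated as a second manifest.
# Both paths are assumptions and can be overridden from the environment.
MANIFEST_DIR="${MANIFEST_DIR:-/etc/kubernetes/manifests}"
BACKUP_DIR="${BACKUP_DIR:-/root/static-pod-backup}"

# stash_manifest NAME: keep a pristine copy, then move the live file out of
# the manifest directory so the kubelet stops the static pod.
# Prints the path of the working copy to edit.
stash_manifest() {
    name="$1"
    src="$MANIFEST_DIR/$name"
    [ -f "$src" ] || { echo "no such manifest: $src" >&2; return 1; }
    mkdir -p "$BACKUP_DIR" || return 1
    # Never overwrite an existing pristine copy with an already-edited file.
    [ -e "$BACKUP_DIR/$name.orig" ] || cp -p "$src" "$BACKUP_DIR/$name.orig" || return 1
    mv "$src" "$BACKUP_DIR/$name" || return 1
    echo "$BACKUP_DIR/$name"
}

# restore_manifest NAME: put the edited working copy back so the kubelet
# recreates the pod from it.
restore_manifest() {
    name="$1"
    [ -f "$BACKUP_DIR/$name" ] || { echo "nothing stashed for $name" >&2; return 1; }
    mv "$BACKUP_DIR/$name" "$MANIFEST_DIR/$name"
}

# rollback_manifest NAME: discard the edit and reinstate the pristine copy,
# for when the component does not come back after a change.
rollback_manifest() {
    name="$1"
    [ -f "$BACKUP_DIR/$name.orig" ] || { echo "no pristine copy of $name" >&2; return 1; }
    rm -f "$BACKUP_DIR/$name"
    cp -p "$BACKUP_DIR/$name.orig" "$MANIFEST_DIR/$name"
}
```

Typical use on a control-plane node: `f=$(stash_manifest kube-apiserver.yaml)`, edit `$f` with vi, then `restore_manifest kube-apiserver.yaml`.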
7 Here’s the path I recommend for the certifications:
First, we need to distinguish between two categories:
CKA, CKAD, and CKS are lab-based exams with 16 questions to complete in 120 minutes.
KCNA and KCSA are quiz-based exams with 60 questions to complete in 90 minutes.
Here are the certifications listed in increasing order of difficulty among those with lab-based exams:
CKAD
CKA
CKS
Here’s the order of difficulty for the quiz-based certifications:
KCNA
KCSA
8 Costs
The cost of each certification at the time of writing this article is as follows:
CKAD: 395$
CKA: 395$
CKS: 395$
KCNA: 250$
KCSA: 250$
For a total cost of $1,685
Pursuing these certifications can be quite expensive if your company does not cover the costs.
However, you might find online coupons that can save you between 20% and 40% on the total cost of the certifications.
Additionally, there are bundles available that allow you to save further if you purchase more than one certification.
For example, if you want to become a Kubestronaut and don’t have any of the certifications, you can take the courses with this bundle
For finding coupons, I recommend this GitHub project which tracks the latest active coupons.
By applying the coupon found on that site today, you can save this amount
To recap:
Total Cost of Individual Certifications: 1685$
Total Cost for the Bundle with All Certifications: 1495$
Cost for All Certifications After Applying the Coupon: 1196$
Want to save money? The way to go is bundles + coupons!
9 Conclusions
In this article, we’ve taken a tour of the Kubernetes certification landscape. I hope this material will be helpful if you decide to pursue these certifications.
If you still have any questions, don’t hesitate to reach out to me. I’m always available on LinkedIn or via email at ettoreciarcia.tech@gmail.com.
Happy studying!