
CKA Exam; May 2024: My take on it and cheat sheet

So, I finally got the little green tick of having CKA certification in my certification list. I put off this exam for so long that it seriously became not funny anymore. The internet has quite literally way more than 1000 posts on this topic. But what harm would one more post cause? So here's mine. I will write it from my perspective.

I am writing this post in case anyone benefits from it, as I predict there could be many in the same boat as me.



Background:

Kubernetes, modern application architecture, DevSecOps etc. are not new territory for me. In fact, I think I am fairly versed in K8s and the related tech stack. But due to my own imposter syndrome I have been putting off sitting the CKA exam. However, last week I thought about the CKA as "just another approval for my skills" and got the nudge to sit the exam.

Here's what I did till the day I sat for the exam. (Everybody is different but the below worked for me the best)


The preparation:

As I have been working with K8s for some time, I did not need to learn it from scratch. So I went ahead and bought the exam from CNCF and booked it 5 days out. Now that I had a target date, I commenced working towards it. Here's the strategy I followed:


Hands on:

I think one of the reasons why my imposter syndrome was preventing me from taking the exam was that the format is hands-on (as opposed to multiple choice). But the good news was that it was also open book (meaning I have access to the documentation). So the strategy needed to be slightly different.

I practiced a lot:

I did not buy any course but I practiced a lot (I think) for 4 days (approx 2-3 hours a day, early mornings and late evenings). There are 1000s of good free practice materials (they are almost the same) on the internet. I will drop a few here for starters that I used:

Important: The purchase of the CKA exam includes 2 killer.sh mock sessions (both containing the same questions). They are assumed to be much harder than the exam itself. I attempted the first mock session on my prep day 2 and quickly realised that I failed because of my poor time management. So I practiced with the other ones (mentioned above) using a Google timer and attempted the 2nd mock session twice (each mock session is valid for 36 hours and can be restarted unlimited times). This time I completed it just in time. This gave me confidence that I would do OK in the exam with time.

I memorised some basic commands:

Since the exam is for a fixed time (120 mins; meaning, 120 mins ÷ 17 questions = 7 mins per question) and there are some questions I anticipated getting stuck on, the strategy was to complete the ones I would be confident about super fast. That meant memorising (through practice of course) a few kubectl imperative commands:

k run <pod name> --image=<image name> --labels="key1=value1,key2=value2" [-o yaml --dry-run=client > pod.yaml] [--command -- sh -c "sleep 1d"]

k exec -i <podname> -- sh -c "cat /var/logs/log.txt"

# Note: I predict that in the exam it will most likely be multi-container, and with this command
# there's no way to create a multi-container deployment.
# That means saving the yaml with 1 container and then adding the additional containers.
k create deploy <deploy name> --image=<image name> --replicas=<count> [-o yaml --dry-run=client > deploy.yaml]

k expose deploy/pod <object name> --name=<name of the svc> --port=80 [--target-port=8080] [--type=NodePort/ClusterIP]

k create role or clusterrole <name> --verb=<create,delete,list etc> --resource=<pod,deploy,secret etc>

k create rolebinding or clusterrolebinding <name> --role/clusterrole=<role or clusterrole name> --serviceaccount=<namespace>:<SA name>
# to verify the above:
k auth can-i create deploy --as=system:serviceaccount:<namespace>:<sa name>

k scale deploy/replicaset/statefulset <name of object> --replicas=<desired count>

k rollout history/restart/undo deploy/daemonset/statefulset <object name> # rollback a deployment etc

k set image deploy/pod <object name> <existing container name>=<new image name> --record


# sort by creation time (ascending by default); tac reverses the order
k get pods -A --sort-by=.metadata.creationTimestamp --no-headers | tac

### Check certificate validity
openssl x509  -noout -text -in /etc/kubernetes/pki/etcd/server.crt

### Check etcd snapshot status
ETCDCTL_API=3 etcdctl snapshot status /etc/etcd-snapshot.db


### Check kubeproxy running
crictl ps | grep kube-proxy
crictl logs 27b6a18c0f89c

### Check kube-proxy is creating iptables rules for a given svc
ssh cluster1-controlplane1 iptables-save | grep p2-service


### Change the Service CIDR to 11.96.0.0/12 for the cluster.
vim /etc/kubernetes/manifests/kube-apiserver.yaml
# check for restart
kubectl -n kube-system get pod | grep api


### CNI conf location
/etc/cni/net.d


### kill the kube-proxy container running on node01
ssh node01
crictl ps | grep kube-proxy
crictl stop 28of363745
crictl rm 28of363745

### write the names of all namespaced resources
k api-resources --namespaced=true -o name

### count the number of roles (without the header line)
k get roles -n project-c14 --no-headers | wc -l

### troubleshoot kubelet
journalctl -u kubelet

### get version info to install (eg: kubeadm, kubelet, etc)
apt show kubectl -a | grep 1.29

### join node with cluster
# get into the controlplane
ssh cluster3-controlplane1
# then print the join command (no need to memorise this command, find it in the doco)
kubeadm token create --print-join-command



Important: Practice to validate the completed task. 
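
The role, rolebinding and `can-i` commands above, combined into one repeatable check that also confirms the service account cannot do more than intended. This is an added example, not part of the original post: the namespace, service account and role names are hypothetical, and it assumes kubectl is on the PATH and your user may impersonate service accounts.

```shell
#!/bin/sh
# Added example, not from the original post. All object names are hypothetical.
# Assumes kubectl is on PATH and the current user may impersonate service accounts.

# can_i NAMESPACE SA VERB RESOURCE: succeeds only if the API server answers "yes".
can_i() {
  [ "$(kubectl auth can-i "$3" "$4" -n "$1" \
        --as="system:serviceaccount:$1:$2" 2>/dev/null)" = "yes" ]
}

# verify_sa NAMESPACE SA "ALLOWED" "DENIED": each list holds verb:resource pairs.
# Prints one line per check and returns the number of mismatches (0 = as intended).
verify_sa() {
  ns=$1; sa=$2; fails=0
  for c in $3; do
    if can_i "$ns" "$sa" "${c%%:*}" "${c#*:}"; then
      echo "ok    allowed $c"
    else
      echo "FAIL  expected allow: $c"; fails=$((fails + 1))
    fi
  done
  for c in $4; do
    if can_i "$ns" "$sa" "${c%%:*}" "${c#*:}"; then
      echo "FAIL  expected deny: $c"; fails=$((fails + 1))
    else
      echo "ok    denied $c"
    fi
  done
  return "$fails"
}

# demo: create a namespaced role for a service account, then check both directions.
demo() {
  kubectl create namespace demo-rbac
  kubectl -n demo-rbac create serviceaccount deployer
  kubectl -n demo-rbac create role deploy-writer \
    --verb=create,list --resource=deployments
  kubectl -n demo-rbac create rolebinding deploy-writer-rb \
    --role=deploy-writer --serviceaccount=demo-rbac:deployer
  verify_sa demo-rbac deployer \
    "create:deployments list:deployments" \
    "delete:deployments get:secrets create:pods"
}

# Only touches a cluster when asked to: RUN_DEMO=1 sh rbac-check.sh
if [ "${RUN_DEMO:-0}" = "1" ]; then demo; fi
```

A non-zero return from `verify_sa` means the binding grants too little or too much; the "expected deny" lines are the ones that catch a role bound more broadly than the task asked for.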

The vim editor:

Everybody has used the vim editor at some level. I am sure we all have some sort of love-hate relationship with it. But in the CKA there's no good alternative (nowadays it comes with nano, but it is basic nano). You get what they give you. So I familiarised myself with a few basic vim things like:
  • 'i' to start editing
  • 'i' + right click paste to paste from clipboard
  • 'v' to mark texts (that I need to do something with)
  • 'x' to cut the marked text (I mainly used this method to delete stuff quickly from the yaml copied from the doco).
  • 'y' to copy the marked text
  • 'shift + p' to paste the text (copied via the above).
  • 'shift + >' to indent right
  • 'shift + <' to indent left

The documentation:

Now, this is super critical. This is why I practiced a lot. The strategy is not to memorise everything but to know how to find it in https://kubernetes.io/docs/home/ and copy-paste it. During my practice sessions I practiced searching the documentation using the search field a lot, and familiarised myself with which search term brings up which documentation page and which section/yaml to copy-paste (and modify) from the documentation to answer the tasks. It is a big part of the time management during the exam, hence the importance of familiarising yourself with searching, finding (in the K8s doco) and modifying as fast as possible.
Some objects I frequently visited during my prep time (and proven to be also similar during exam) are:
  • PV, PVC and using them in a Pod (search term: Pod PersistentVolume)
  • NetworkPolicy
  • EtcdCTL (search term: etcdctl snapshot and find a sample command in the middle of the page)
  • Taint and Tolerations (search term: pod toleration)
  • Pod Resource utilisation
  • Sidecar (search term: Sidecar container)
You see, not many. 
Important: Sometimes the needed page is not ranked as the 1st one. That's the type of insight I got from practicing searching in the k8s documentation. 

Getting familiarity with few uncommon things:

So, even though I claimed that I am versed in K8s, there are a few things that I needed to know (re-learn) for the exam specifically, as I do not come across these topics every day. They are:
  • NetworkPolicy
  • Taint (how to taint and untaint, schedule a pod/deploy on a tainted node/controlplane etc)
  • EtcdCTL (taking backup and restore, validate a backup) ## This is very important.
  • Kubeadm (upgrading a kubeadm cluster) ## this is very important
However, I did not do any course for it. I just learned it through practice.
Important: Practice to validate the completed task. 

The 120 mins of the exam:

  • Launch the exam 15 mins before the time. It is online proctored and needs a few validations/checks, such as taking a photo with ID/driver's license; the proctor will ask to pan the camera/laptop webcam to check the desk, exam area etc. I cleaned my desk completely and I only had my laptop and power cord on the desk. No mobile phones, no paper etc. are allowed. I also used my personal laptop to avoid any potential firewall/remote session block from a work laptop.
  • There are no weights mentioned against questions anymore. But I still felt some questions (such as multi-faceted questions, questions related to etcd, kubeadm, network policy, role/sa etc) carried more weight.
  • I got 17 questions in the exam. The guide suggested 15 - 20 questions.
  • I did not revise or do anything before the exam (my exam was in the morning). I willed that I am confident. I had breakfast and coffee. Coffee is super important because the exam is for 120 mins (OMG!! what??!!).
  • Because of my above-mentioned strategies I completed most of the questions very fast (in about 80 mins). I flagged a few for further validation, which I did after those 80 mins.
  • I flagged and skipped the hard ones, or the ones I wasn't confident about just from reading them at a glance (I flagged about 3 questions), and attempted them after those 80 mins. This was so that I avoided wasting time on one question by getting stuck on it.
  • It is also important to mention that since the exam is hands-on and task based, it is very easy (at least for my personality) to get bogged down in 1 specific thing and waste time on it. But that 1 specific thing in that multi-faceted question may only carry 1 insignificant point or no points at all. That's why I skipped whenever I felt like I needed to validate more deeply or I was not super confident, and tackled those after I completed the majority of the questions. This took off a lot of pressure during the 120 mins.


Final words:

I felt the exam was easy (I probably practiced much harder questions in the (4) days before).
I also felt that many YouTubers on the internet (not to discourage them; purely my biased opinion) presented the CKA as a lot harder than it actually is (which probably contributed to my imposter syndrome).

That's it. 
