Qualification strategy to pass Kubestronaut
#SRG(Service Reliability Group) is a group that mainly provides cross-sectional support for the infrastructure of our media services, improving existing services, launching new ones, and contributing to OSS.
In this article, I will analyze the content and question trends of the five exams I took before becoming a Kubestronaut. All information is from six months ago (September 2024 to June 2025), so please check the latest information before using.
Introduction
Kubestronaut is a title given to individuals who pass all five Kubernetes-related certifications offered by the Cloud Native Computing Foundation (CNCF).
Specifically, you must simultaneously hold five valid certifications: CKA (Certified Kubernetes Administrator), CKAD (Certified Kubernetes Application Developer), CKS (Certified Kubernetes Security Specialist), KCNA (Kubernetes and Cloud Native Associate), and KCSA (Kubernetes and Cloud Security Associate).
The CNCF recognizes community members who reach this status as "Kubestronauts," complete with a special jacket.
Since the CKS exam content was updated in 2024, I felt that there were still not enough specific strategies in Japanese, so I decided to write this article.
In this article, we will introduce how to prepare for each qualification, exam trends, and specific strategies for obtaining a high score for those aiming to become a Kubestronaut.
In particular, I will provide a more detailed explanation of the CKS, which I have retaken.
Preparation common to all exams
All exams must be taken using a dedicated application called "PSI Secure Browser."
Of these, CKA, CKAD, and CKS are practical exams that require command operations, while KCNA and KCSA are multiple choice exams.
PSI Secure Browser and latency countermeasures
The most noticeable thing about this application is the delay in operation.
The perceived delay is about 80ms to 150ms, and even a slight decrease in response speed makes it difficult to complete all the questions within the time limit.
The only solution to this problem is thorough practice.
Specifically, we aim to achieve the following:
- As soon as you see the title and text of the problem, you can immediately imagine what the problem is, the commands you should use, the manifest you should create, and examples from official documentation you should refer to.
- Most manifests can be generated quickly with kubectl, typed through its short alias.
- Avoid mistakes when copying and pasting between the terminal and the browser. In particular, on Mac, operations differ depending on the OS and browser (for example, Command+C/V may not work), so it is important to practice sufficiently in the Killer.sh mock exam environment provided when purchasing the exam.
Preparing the exam environment
It is also important to create a stable exam environment. I have had two difficult experiences like this.
- Even if you have taken the exam before, we recommend uninstalling the PSI Secure Browser and reinstalling it. For added security, restart your PC after installation. I once had a problem where the application wouldn't start.
- We strongly recommend that you prepare a backup PC in case of any PC problems.
- The use of earphones or headphones is not permitted during the exam. I had a problem with the microphone on my personal computer, so I tried to take the exam with headphones, but the proctor told me to remove them. I quickly switched to my company computer and was fine, but it's important to check that your microphone is working beforehand.
About difficulty
Taking into account the variety of study materials and the difficulty of the exam questions, my personal ranking is as follows:
CKS > KCSA > CKAD > CKA > KCNA
CKA (Certified Kubernetes Administrator) Strategy
Of the five qualifications, the CKA exam has the most study materials and information on past exam questions. If you do a little research, you will find a lot of information.
Preparation and practice
As with all practical exams, the key to passing the CKA is the amount of practice you put in. Practice so that you cover the test topics comprehensively.
The number of questions will vary, but as of 2024, it appears that there will likely be around 16 to 21 questions on the exam.
Use the following resources to practice:
- Killer.sh practice exams (2 exams) included with exam purchase
- Community-created exercises
The recommended order of practice is as follows:
- First, complete all the community-created practice problems at least twice.
- Next, take one Killer.sh test and analyze your results and answers in detail. Summarize the key points for each question. The session is valid for 36 hours, so you can try again as many times as you like within the time limit. We recommend taking the test three times.
- Finally, take the second Killer.sh exam. If you can score 90 or above, you'll be fully prepared for the real exam. This session is also limited to 36 hours, so it's best to launch it just before the real exam.
The mock exam is set to be slightly more difficult than the actual exam.
etcd
If you practice repeatedly, you can get almost perfect scores. (Author's score)

CKAD (Certified Kubernetes Application Developer) Strategy
I took the CKAD exam after the CKA, so some points may not be useful as a reference, but I will explain based on my experience.
Preparation and practice
CKAD is characterized by the large number of questions (2024 information: 25 questions).
Much of the content overlaps with CKA, but there were no questions about ClusterUpgrade, and there were several questions about Docker Image/Deployment Manifest.
Practice with the following materials:
- Killer.sh practice exams (2 exams) included with exam purchase
- Community-created exercises
The practice procedure is the same as CKA.
If you have passed the CKA, you may be able to pass the CKAD without any special preparation, but since it is a race against time, it is wise to practice to improve your answering speed.
I took the test with very little practice, but the time was very tight and my score was not satisfactory.

CKS (Certified Kubernetes Security Specialist) Strategy
CKS was the most challenging qualification and the only one I had to retake.
CKS characteristics and study guidelines
The biggest feature of CKS is that there are very few past exam questions to refer to (as they were updated at the end of 2024).
Not a single question was asked that was exactly the same as in the Killer.sh mock exam.
However, the knowledge tested is in line with the exam scope.
Rather than memorizing the questions themselves, use mock exams to familiarize yourself with the exam environment and gain a systematic understanding of related knowledge.
The number of questions is around 16 to 18, and if there are more than this it will be difficult to complete them all within the time limit.
I got 66% on the first try, but I was 1% short.

Below are the results of the re-examination.

Reference materials and how to use them
- Killer.sh practice exam (2 times)
  - Ideal for practicing operating the exam environment.
  - The difficulty level is the same as the real test, but most of the questions will not be asked exactly as they were.
  - The questions on the following themes are similar in concept to the questions on the actual exam, so it will be helpful to have a solid understanding of how to solve them.
    - Apiserver Security
    - Pod Security Standard
    - CIS Benchmark
    - CiliumNetworkPolicy
    - AppArmor Profile
    - Secrets in ETCD
    - Configure TLS on Ingress
    - Audit Log Policy
    - ImagePolicyWebhook
- Killercoda CKS practice questions
  - There are a lot of questions, but only a few of them match the actual exam content.
  - The following questions are particularly helpful:
    - Secret ETCD Encryption
    - Auditing Enable Audit Logging
    - Falco Change Rule
    - Ingress Secure
    - CIS Benchmarks fix Controlplane
Detailed exam scope and strategies
From here, we will explain in detail the specific question trends and countermeasures for CKS.
CIS Benchmark related
You will be asked to modify the authentication and authorization settings of components such as the kubelet, etcd, the scheduler, and the API server.
--enable-admission-plugins=NodeRestriction
- To judge whether your answer is correct, Killer.sh's scoring method is a useful reference.
TLS related
- Killer.sh and similar practice material start by generating the secret, but in the real exam the TLS secret is often already created, and in most cases it is sufficient to just reference it from the manifest.
Concepts/Configuration/Secrets/OptionalSecrets
Concepts/Services, LoadBalancing and Networking/Ingress/TLS
nginx.ingress.kubernetes.io/ssl-redirect: "true"
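An added example (not from the original article or from Killer.sh) of what this looks like in a manifest: an Ingress that only references a TLS Secret that already exists and sets the redirect annotation quoted above. The host, Secret, Service and namespace names are constructed placeholders, and the annotation assumes the ingress-nginx controller.

```yaml
# Constructed example: names, host and namespace are placeholders.
# The Secret "web-tls" (type kubernetes.io/tls) is assumed to exist already
# in the same namespace as the Ingress; check with:
#   kubectl -n team-a get secret web-tls
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  namespace: team-a
  annotations:
    # ingress-nginx: redirect plain HTTP requests to HTTPS
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - web.example.internal        # must match a rules[].host entry below
    secretName: web-tls           # reference only; the Secret is not created here
  rules:
  - host: web.example.internal
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 80
```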
Dockerfile/Manifest Security
USER nobody
securityContext
automountServiceAccountToken
Tasks/Configure Pods and Containers/Configure a Service Account for a Pod
Falco related
If you don't use Falco regularly, this is an area where you can easily make mistakes.
The questions will mainly focus on creating and modifying Falco rules and operating the Falco command line.
- You can edit the existing Falco rules directly. In most cases, there is no need to write an override.
- A typical example is a problem like "identifying which Pods are accessing a specific file path."
crictl ps
r
falco -M 30 -r /path/to/rule >> log
Here is an example that may be helpful
If you're interested in Falco, check out my series.
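An added example (not from the original article or from the Falco project's rule set) of a rule for the "which Pod is accessing a specific file path" type of question. The watched path and rule name are constructed; the condition avoids macros so the file still loads when it is the only one passed with -r.

```yaml
# Constructed example rule; /etc/app/credentials is a placeholder path.
# No macros are used, so the rule does not depend on the default rules file.
- rule: Read Of Watched Path In Container
  desc: A process inside a container opened a file under the watched path for reading
  condition: >
    evt.type in (open, openat, openat2)
    and evt.is_open_read = true
    and fd.typechar = 'f'
    and container.id != host
    and fd.name startswith /etc/app/credentials
  output: >
    watched file read
    (file=%fd.name proc=%proc.cmdline
    container_id=%container.id container_name=%container.name
    pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [container, filesystem]

# Run for 30 seconds and keep the alerts, using the command form from the article:
#   falco -M 30 -r /path/to/rule >> log
# The container_id in an alert can be matched against the output of: crictl ps
```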
Audit Log Related
The Audit Log can be configured by changing the API Server startup options.
- The following options should be memorized:
  - --audit-log-path
  - --audit-log-maxage
  - --audit-log-maxbackup
  - --audit-log-maxsize
  - --audit-policy-file
- Please note that the AuditPolicy file mount may already be configured. If you add the file mount configuration the way you would in Killer.sh, the API Server may not start, which can waste time.
resources
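An added example (not from the original article) that puts the five options above into a kube-apiserver static Pod fragment together with a small audit Policy. It assumes a kubeadm-style layout; all paths, retention values, namespaces and volume names are constructed.

```yaml
# Constructed example. Paths and retention values are assumptions, not exam values.
# Fragment of /etc/kubernetes/manifests/kube-apiserver.yaml (kubeadm layout)
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --audit-policy-file=/etc/kubernetes/audit/policy.yaml
    - --audit-log-path=/var/log/kubernetes/audit/audit.log
    - --audit-log-maxage=30       # days to keep old log files
    - --audit-log-maxbackup=5     # number of rotated files to keep
    - --audit-log-maxsize=100     # megabytes before rotation
    volumeMounts:
    # Look for existing entries before adding these: a duplicate volume name
    # or mountPath fails validation and the kubelet will not start the Pod.
    - name: audit-policy
      mountPath: /etc/kubernetes/audit/policy.yaml
      readOnly: true
    - name: audit-log
      mountPath: /var/log/kubernetes/audit/
  volumes:
  - name: audit-policy
    hostPath:
      path: /etc/kubernetes/audit/policy.yaml
      type: File
  - name: audit-log
    hostPath:
      path: /var/log/kubernetes/audit/
      type: DirectoryOrCreate
---
# Contents of /etc/kubernetes/audit/policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages: ["RequestReceived"]
rules:
- level: Metadata                 # who touched Secrets, without logging their contents
  resources:
  - group: ""
    resources: ["secrets"]
- level: RequestResponse          # full request and response bodies for Pods in one namespace
  resources:
  - group: ""
    resources: ["pods"]
  namespaces: ["team-a"]
- level: None                     # catch-all: do not log anything else
```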
Network Policy
In addition to the knowledge of Network Policy tested in CKA and CKAD, the exam also covers Cilium Network Policy.
- Cilium's official documentation is somewhat difficult to use, and it can be difficult to find the sample you're looking for.
- The mutual authentication setting in particular is hard to find. To enable Cilium mutual authentication, add the following to your policy:
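An added example, not taken from the original article: a CiliumNetworkPolicy whose ingress rule requires mutual authentication through the authentication.mode field documented by Cilium. The policy name, namespace, labels and port are constructed.

```yaml
# Constructed example: policy name, namespace, labels and port are placeholders.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-from-frontend-mtls
  namespace: team-a
spec:
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    # Per-rule setting: traffic matching this rule is allowed only after
    # the two peers have mutually authenticated.
    authentication:
      mode: "required"
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
```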
Others
- Cluster Upgrade: Like CKA, CKS also includes questions on upgrading clusters.
- SBOM related: I remember there was a question about detecting vulnerable alpine images. The command line usage in the Killer.sh SBOM question is helpful.
docker.sock
false
KCNA (Kubernetes and Cloud Native Associate) Guide
KCNA is a qualification for beginners.
I was able to get a perfect score without any special study.

If you have some basic knowledge of Kubernetes, you should be able to pass without any problems.
There is no official simulator, but if you are not confident, it is a good idea to use mock test question collections provided by sites such as Udemy.
KCSA (Kubernetes and Cloud Security Associate) Strategy
Personally, I feel that this is the second most difficult exam after CKS. Also, the test language is currently only available in English.
All the questions were multiple choice, but I was in a cold sweat during the exam because I was required to accurately memorize the names of specific security standards and organizations.

I studied using the mock exam site below, but I feel I should have spent a little more time studying.
What happens after Kubestronaut certification?
Once you pass all five qualifications, you will be issued with your Kubestronaut digital badge immediately.
You will then receive an email from a CNCF representative within about a week, inviting you to a dedicated Slack group, signing up for a mailing list, and confirming the size of your commemorative jacket.
Regarding the commemorative jacket, there is a possibility that CNCJ will distribute it on behalf of the CNCF in Japan, but the details are unknown. I received my jacket at the CNCF 10th anniversary event.
I hope this article will be helpful to all engineers who are aiming to become Kubestronauts.