About SRGTechnical articleRecruitment Information
About SRGTechnical articleRecruitment Information
HOME/Technical article/How to succeed in the Kubestronaut exam

How to succeed in the Kubestronaut exam

Ishikawa Kumo, Service Reliability Group (SRG), Media Management Division@ishikawa_kumo)is.
#SRGThe Service Reliability Group primarily provides comprehensive support for the infrastructure surrounding our media services, focusing on improving existing services, launching new ones, and contributing to open-source software (OSS).
This article analyzes the content and question trends of the five exams I took before becoming a Kubetronaut. Please note that all of this information is from six months ago (September 2024 to June 2025), so please check for the latest information before using it.

Introduction

Kubestronaut is a title awarded to individuals who have passed all five Kubernetes-related certifications offered by the Cloud Native Computing Foundation (CNCF).
Specifically, you must simultaneously hold five valid certifications: CKA (Certified Kubernetes Administrator), CKAD (Certified Kubernetes Application Developer), CKS (Certified Kubernetes Security Specialist), KCNA (Kubernetes and Cloud Native Associate), and KCSA (Kubernetes and Cloud Security Associate).
The CNCF recognizes community members who reach this status as "Kubestronauts" and presents them with a special jacket.
Since the CKS exam content was updated in 2024, I felt there were still few detailed articles in Japanese on how to prepare for the exam, so I decided to write this article.
This article is for those aiming to become a Kubetronaut, and will introduce preparation methods for each qualification, exam trends, and specific strategies for achieving a high score.
In particular, I will provide a more detailed explanation of CKS, which I have had to retake.

Preparation common to all exams

All exams must be taken using a dedicated application called "PSI Secure Browser".
Of these, CKA, CKAD, and CKS are practical exams requiring command operation, while KCNA and KCSA are multiple-choice exams.

PSI Secure Browser and Latency Reduction

The most important thing to be aware of with this application is the delay in operation.
There is a noticeable delay of approximately 80ms to 150ms, and even a slight decrease in response speed makes it difficult to complete all the problems within the time limit.
The only solution to this problem is thorough practice.
Specifically, aim for the following state:
  • The moment I see the title and body of the problem, I can instantly recall the intent of the problem, the commands to use, the manifest to create, and examples of official documentation to refer to.
  • (Using kubectl aliases) commands, you can quickly generate most manifests.
  • Avoid making mistakes when copying and pasting between the terminal and browser.Especially on Macs, the operation differs depending on the OS and browser (for example, Command+C/V may not be available), so it is important to practice thoroughly using the Killer.sh practice test environment provided when you purchase the exam.

Preparing for the Examination

Creating a stable environment for taking exams is also important. I myself had a couple of difficult experiences with this.
  • Even if you have taken the exam before, it is recommended that you uninstall and reinstall PSI Secure Browser. Restarting your PC after installation will provide extra peace of mind. I personally experienced a problem where the application wouldn't launch.
  • We strongly recommend preparing a backup PC in case of any unexpected PC problems.
  • The use of earphones or headphones is not permitted during the exam. I tried to take the exam with headphones because there was a problem with the microphone on my personal PC, but the examiner instructed me to remove them. I quickly switched to my company PC and avoided any problems, but it is essential to check that the microphone is working beforehand.

Regarding difficulty level

Based on an overall evaluation of the abundance of learning materials and the difficulty level of the exam questions, my personal ranking is as follows:
CKS > KCSA > CKAD > CKA > KCNA

CKA (Certified Kubernetes Administrator) Guide

The CKA exam has the most abundant learning materials and past exam questions among the five certifications. You can find plenty of information with a little research.

Preparation and practice methods

As with all practical exams, the key to passing the CKA is simply practice. Practice to comprehensively cover the entire exam syllabus.
The number of questions varies, but as of 2024, it seems that there are usually between 16 and 21 questions.
Let's use the following materials to proceed with the practice.
  • Two practice exams using Killer.sh are included with the purchase of the exam.
The recommended order of practice is as follows:
  1. First, solve all the community-created practice problems at least twice.
  1. Next, take one Killer.sh test and analyze the scoring results and answers in detail. Summarize the key points for each question in your own words. The session is valid for 36 hours, so you can try it multiple times within that time. We recommend solving it repeatedly about three times.
  1. Finally, we'll attempt Killer.sh for the second time. If you can score 90 points or higher here, you can be confident that you're fully prepared for the actual exam. This session is also limited to 36 hours, so it's most effective to start it right before the actual exam.
The practice exams are set to be slightly more difficult than the actual exam.
etcd
With repeated practice, you can almost get a perfect score. (Author's score)

CKAD (Certified Kubernetes Application Developer) Strategy

Since I took the CKAD exam after the CKA exam, some points may not be relevant to your situation, but I will explain based on that experience.

Preparation and practice methods

A distinctive feature of the CKAD is the large number of questions (25 questions as of 2024).
Much of the exam content overlapped with the CKA, but there were no questions on Cluster Upgrade, and several questions related to Docker Image/Deployment Manifest were included.
Let's practice using the following materials.
  • Two practice exams using Killer.sh are included with the purchase of the exam.
The practice method is the same as for CKA.
If you have passed the CKA, you may be able to pass the CKAD without any special preparation, but since it will be a race against time, it is wise to improve your answering speed through practice.
I attempted the challenge with almost no practice, and the time limit was extremely tight, resulting in a score that I was not satisfied with.

CKS (Certified Kubernetes Security Specialist) Strategy

The CKS was the most challenging certification I've ever had, and the only one I had to retake.

Features and Learning Guidelines for CKS

The most distinctive feature of CKS is the extremely limited number of past exam questions available for reference. (As they were updated at the end of 2024)
None of the questions were exactly the same as those in the Killer.sh practice test.
However, the knowledge tested is consistent with the exam syllabus.
Use practice exams not to memorize the questions themselves, but to become familiar with the exam environment and to systematically understand the related knowledge.
The number of questions is around 16 to 18; any more than that and it will be difficult to complete within the time limit.
I got 66% on my first try, but I was just 1% short.
 
The following are the results of the retest.

Reference materials and how to use them

  • Killer.sh practice test (2 sets)
    • It's ideal for practicing operating a test environment.
    • In terms of difficulty, it's equivalent to the actual exam, but most of the questions won't be exactly the same.
    • The following problems are similar in concept to the actual exam questions, so it will be helpful to thoroughly understand how to solve them.
      • Apiserver Security
      • Pod Security Standard
      • CIS Benchmark
      • CiliumNetworkPolicy
      • AppArmor Profile
      • Secrets in ETCD
      • Configure TLS on Ingress
      • Audit Log Policy
      • ImagePolicyWebhook

Detailed scope of the exam and preparation strategies

From here, we will explain in detail the specific question trends and strategies for the CKS exam.

CIS Benchmark related

The exam will include questions that require you to modify the authentication and authorization settings of components such as Kubelet, Etcd, Scheduler, and API Server.
  • --enable-admission-plugins=NodeRestriction
  • The scoring method used in Killer.sh can be used as a reference for the process of verifying whether the response was successful.

TLS related

  • While scripts like Killer.sh generate the secret from scratch, in production tests, the TLS secret is often already created, and in most cases, it's sufficient to simply reference it from the manifest.
  • nginx.ingress.kubernetes.io/ssl-redirect: "true"

Security of Dockerfile and Manifest

  • USER nobody
  • securityContext
  • automountServiceAccountToken

Falco related

If you don't regularly use Falco, this is an area where you're likely to concede goals.
The exam primarily covers creating and modifying Falco rules, as well as operating the Falco command line.
  • Falco Rules can be used to directly modify existing rules.
      • In many cases, overriding is not necessary.
  • A typical example is the problem of "identifying which Pods are accessing a specific file path."
      • crictl ps
  • r
      • falco -M 30 -r /path/to/rule >> log
Here's an example that might be helpful.
If you're interested in Falco, please check out my series of articles.

Related to Audit Log

Audit Log settings are configured by changing the API Server startup options.
  • Please note that AuditPolicy may already have file mounts configured. If you add file mount settings as you would with Killer.sh, the API Server may fail to start, resulting in wasted time.

Network Policy

In addition to the knowledge of Network Policy tested in CKA and CKAD, Cilium Network Policy is also included in the scope of the exam.

others

  • Cluster Upgrade:Similar to the CKA, the CKS also includes cluster upgrade problems.
  • SBOM related:I recall a question about detecting vulnerable Alpine images. The command line usage for Killer.sh regarding the SBOM issue is helpful.

KCNA (Kubernetes and Cloud Native Associate) Strategy Guide

KCNA is a certification for beginners.
I was able to get a perfect score without any special studying.
If you have a basic understanding of Kubernetes, you should be able to pass without any problems.
There is no official simulator, but if you are not confident, you can use practice exam question sets provided on platforms like Udemy.

KCSA (Kubernetes and Cloud Security Associate) Strategy

Personally, I found this exam to be the second most difficult after the CKS. Also, currently, the only language of study for the exam is English.
Although all the questions were multiple-choice, they required precise memorization of specific security standard names and organization names, which made me break out in a cold sweat during the exam.
I used the following practice test website to study, but I feel I should have spent more time studying.

Process after Kubestronaut certification

Upon passing all five certifications, you will immediately receive a Kubetronaut digital badge.
After about a week, you will receive an email from a CNCF representative inviting you to a dedicated Slack channel, registering you for a mailing list, and confirming the size of your commemorative jacket.
Regarding the commemorative jackets, CNCJ may distribute them in Japan, but the details are unknown. I received my jacket at the CNCF 10th anniversary event.
I hope this article will be helpful to all engineers aiming to develop Kubetronaut.
 
If you are interested in SRG, please contact us here.