Rafael Natali

Kubernetes Certification Learning Path



Kubernetes is a widely adopted technology, with 84% of organisations actively using or evaluating it, according to the 2023 Cloud Native Computing Foundation (CNCF) Annual Survey. Over the years, CNCF has launched industry-recognised training and certification programs to help developers and organisations build their Kubernetes skills and take full advantage of its potential. At the moment (September/2024), CNCF has five Kubernetes-related certifications:


In this article, I'll present, at a high level, the contents, objectives, and target audience for each of these certifications. Visit the CNCF Certifications page for more details.


Kubernetes and Cloud Native Associate (KCNA)


The KCNA certification is considered an entry-level certification. Released in 2021, it's aimed at students and young professionals looking to gain familiarity with the basics of Kubernetes and cloud native concepts before advancing to the next level. The KCNA curriculum has five domains, as follows:

  • 46% - Kubernetes Fundamentals

  • 22% - Container Orchestration

  • 16% - Cloud Native Architecture

  • 8% - Cloud Native Observability

  • 8% - Cloud Native Application Delivery


The first domain, “Kubernetes Fundamentals”, discusses Kubernetes resources, architecture, the Application Programming Interface (API) server, containers, and scheduling. Kubernetes resources consist of Pod management, ReplicaSets, Deployments, and the other primary resources within a Kubernetes cluster. The second domain, “Container Orchestration”, focuses on the activities related to automation and how this improves the management of containerised workloads. The third domain, “Cloud Native Architecture”, introduces the goals of a cloud native architecture, for example, software agility, automation, and reliable systems. The fourth domain, “Cloud Native Observability”, builds on Kubernetes and third-party tools that enable developers to comprehend the state of their applications and environment. The fifth and last domain, “Cloud Native Application Delivery”, comprises the essential principles of deploying cloud native applications.


Kubernetes and Cloud Security Associate (KCSA)


The KCSA certification is an entry-level certification focused on security. Released in 2023, it targets professionals interested in proving their knowledge of the baseline security configuration of a Kubernetes cluster and the cloud native ecosystem. The KCSA curriculum has six domains, as follows:


  • 14% - Overview of Cloud Native Security

  • 22% - Kubernetes Cluster Component Security

  • 22% - Kubernetes Security Fundamentals

  • 16% - Kubernetes Threat Model

  • 16% - Platform Security

  • 10% - Compliance and Security Frameworks


The domain "Overview of Cloud Native Security" discusses security in the cloud native environment. The main competencies examined in this domain are the 4Cs of cloud native security, the shared security responsibility model for cloud providers, and Kubernetes security best practices. The domain "Kubernetes Cluster Component Security" introduces the skills to secure control planes, worker nodes, and Pods. The domain "Kubernetes Security Fundamentals" comprises security concepts around Pod Security Standards and Admission, Authentication and Authorisation, Secrets, Isolation and Segmentation, Audit Logging, and Network Policy. The domain "Kubernetes Threat Model" consists of best practices and recommendations to prepare your environment for several threats, including Denial of Service (DoS) attacks, malicious code execution, and privilege escalation. The domain "Platform Security" encompasses various topics around securing the software supply chain, observability, and service mesh. The domain "Compliance and Security Frameworks" builds on frameworks such as the Center for Internet Security (CIS) Kubernetes Benchmark to outline security patterns for compliance, automation, threat modelling, and supply chain.


Certified Kubernetes Application Developer (CKAD)


The CKAD certification is an intermediate-level certification released in 2018 and aimed at engineers and developers who build, deploy, and configure cloud native applications in Kubernetes. The CKAD curriculum has five domains, as follows:

  • 20% - Application Design and Build

  • 20% - Application Deployment

  • 15% - Application Observability and Maintenance

  • 25% - Application Environment, Configuration and Security

  • 20% - Services and Networking


The first domain, "Application Design and Build", encompasses configuration aspects of container and application management such as container images, workload types, and multi-container Pods. The second domain, "Application Deployment", discusses what a Deployment is, how rolling updates work, and deployment strategies. The third domain, "Application Observability and Maintenance", introduces the deprecation policy of Kubernetes APIs, the implementation of probes and health checks for containers, and monitoring and troubleshooting applications using the Kubernetes built-in command-line interface (CLI) tools. The fourth domain, "Application Environment, Configuration, and Security", focuses on improving applications by using CustomResourceDefinitions (CRDs), authentication, resource limits, Secrets, and ConfigMaps. The fifth domain, "Services and Networking", comprises the knowledge of troubleshooting access to applications via Services, the benefits of Network Policy, and creating an Ingress object to expose applications outside the Kubernetes cluster.


Certified Kubernetes Administrator (CKA)


The CKA is an intermediate-level certification introduced in 2017, focusing on the administration of production-grade Kubernetes clusters. Candidates must demonstrate proficiency in installing and configuring Kubernetes, including networking, storage, and application lifecycle management. The CKA curriculum has five domains, as follows:


  • 10% - Storage

  • 30% - Troubleshooting

  • 15% - Workloads & Scheduling

  • 25% - Cluster Architecture, Installation & Configuration

  • 20% - Services & Networking


The domain "Storage" encompasses concepts and actions around managing and persisting data. It includes understanding storage classes, persistent volumes, and persistent volume claims. The domain "Troubleshooting" discusses commands and techniques to identify and solve problems with your Kubernetes nodes, applications, and network. The domain "Workloads & Scheduling" introduces the practices to upgrade and roll back Deployments, data management, resource quotas, and self-healing applications. The domain "Cluster Architecture, Installation & Configuration" consists mainly of the tasks to install, upgrade, and back up Kubernetes clusters. The domain "Services & Networking" covers topics such as host networking, connectivity between Pods, service types and endpoints, and CoreDNS.


Certified Kubernetes Security Specialist (CKS)


The CKS is an intermediate-level certification introduced in 2020, centred on the best practices to secure container-based applications and the Kubernetes platform. CKS is the only Kubernetes-related certification that has a prerequisite: a candidate must have passed the CKA exam before scheduling the CKS exam. The CKS curriculum has six domains, as follows:


  • 10% - Cluster Setup

  • 15% - Cluster Hardening

  • 15% - System Hardening

  • 20% - Minimize Microservice Vulnerabilities

  • 20% - Supply Chain Security

  • 20% - Monitoring, Logging and Runtime Security


The first domain, "Cluster Setup", discusses the security aspects around the setup and installation of a Kubernetes cluster. It includes Network Policies, security benchmark tests, and TLS configuration. The second domain, "Cluster Hardening", addresses topics related to controlling access to the Kubernetes cluster and the importance of keeping Kubernetes up to date. The third domain, "System Hardening", builds on the previous domain, focusing on securing the host operating system running Kubernetes. It examines hardening techniques to deter containers from accessing the OS directly and how to restrict access to AWS IAM credentials. The fourth domain, "Minimize Microservice Vulnerabilities", covers the actions to enhance the protection of the applications running on a Kubernetes cluster using the Pod Security Context, SELinux for OS isolation, and Secrets. The fifth domain, "Supply Chain Security", consists of actions to strengthen the security of container images: minimising the base image footprint by creating images with only the packages necessary, avoiding storing any data in the image, and building from official or verified images. The sixth domain, "Monitoring, Logging and Runtime Security", encompasses tools and processes to audit, log, and detect suspicious activities in a Kubernetes cluster.