VMware’s Master Certified Cloud Native Badge – Test Prep

This is a really weird blog for me to write. I am not great at this test. I really don’t think that I’m the best person to write this information. Let me be straight: I took this test 3 times. That’s $750. If you just passed the CKA and you think you can do this test with no studying, you’re wrong.

The CKA is a “How-To” test focused only on Kubernetes-specific solutions. You don’t have to know Helm, Velero, Sonobuoy, Prometheus, etc. for the CKA. This test (Cloud Native), on the other hand, was written by the Heptio team. These folks have been in Kubernetes since day 1. They have been there with developers working through issues. They were there setting up logging and policies to segment things. If the CKA is a “How-To” test that only cares whether you can perform actions, this test is about whether you know how to operationalize it. The exam is 67 questions, and you need a score of 300 to pass the test.

How did you set up Prometheus in your Kubernetes cluster? How did you segment a development cluster from a production cluster? You need to know the best practices around these things in order to pass the test. This is also where the test becomes extremely hard. Have you ever deployed Kubernetes into AWS? Have you used Flannel? Do you know when to use Flannel and when to use a different CNI? Do you know the major differences between the CNIs? Have you deployed Helm? Have you packaged things with Helm? Knowing these products, their best practices, and how to implement them is what the exam rewards.

Yes, I passed, but I’m still not sure which of my answers were actually correct. That’s the second hurdle.

The Questions.

OK, I have not taken a ton of professional or master certifications. This is my first. The questions are written to mess with your brain. They throw in a bunch of random information to distract from the tech in the question. Most of the time I boil the question down to what I understand and answer it the way I know. Expose an app with replicas publicly? Service with type LoadBalancer. Want to ensure pods are on a specific node? nodeSelector. That is how I answered my questions, but were they correct?

The problem for me is that every question reads as if the test makers actually dealt with that situation. If you haven’t been there, then you won’t feel like you know the answer. That’s the challenge.

If I were to point to specific things to understand, here is what I would say. (TL;DR: start here.)

Resources

So the resources are a bit out of date, because the CKA was redone after they created this test, so some things are lost in translation. Here is what I would do:

Know how to enable and use Prometheus and Fluentd. Know when to use service meshes. Know when to use a ClusterRole versus a Role, and the correct binding for each. What deployment type would you want in a given situation? When would you use pod affinity?

https://kube.academy/ – Watch everything. Pay close attention to the developer videos: Dockerfiles, and knowing how to make Dockerfiles better, account for about 3-5 questions. Here is Docker’s own link: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
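To make the Dockerfile material concrete, here is a small linter I added for this write-up (it is not from the post, from Docker, or from kube.academy). It checks a handful of the practices on the Docker page above: pin the base image, keep apt-get update and install in one RUN and clean the lists in the same layer, prefer COPY over ADD for plain files, and don’t leave the container running as root. The two Dockerfiles are constructed samples, and the check list is my own selection, not Docker’s full guidance.

```python
# Added example (not from the post or from Docker): a tiny Dockerfile linter
# for a few best practices from docs.docker.com. Runs offline on the constructed
# sample Dockerfiles below; no Docker daemon is needed.
ARCHIVE_SUFFIXES = (".tar", ".tar.gz", ".tgz", ".tar.bz2", ".tar.xz")


def parse_dockerfile(text):
    """Return (INSTRUCTION, argument) pairs, joining backslash continuations
    and skipping comments and blank lines."""
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # continuation: keep accumulating
            buf += line[:-1] + " "
            continue
        buf += line
        parts = buf.split(None, 1)
        instructions.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        buf = ""
    return instructions


def lint(text):
    """Return a list of findings; an empty list means the file passed."""
    findings, last_user = [], None
    for inst, arg in parse_dockerfile(text):
        if inst == "FROM":
            image = arg.split()[0]                 # drops "AS stage" if present
            ref = image.rsplit("/", 1)[-1]         # ignore registry:port prefixes
            if "@" not in image and (":" not in ref or ref.endswith(":latest")):
                findings.append(f"FROM {image}: pin the base image to a tag or digest, not latest")
        elif inst == "RUN":
            has_update, has_install = "apt-get update" in arg, "apt-get install" in arg
            if has_update and not has_install:
                findings.append("RUN: apt-get update alone gets cached; combine it with apt-get install")
            if has_install:
                if "--no-install-recommends" not in arg:
                    findings.append("RUN: apt-get install without --no-install-recommends")
                if "/var/lib/apt/lists" not in arg:
                    findings.append("RUN: apt lists not removed in the same layer")
        elif inst == "ADD":
            src = arg.split()[0]
            if not src.startswith(("http://", "https://")) and not src.endswith(ARCHIVE_SUFFIXES):
                findings.append(f"ADD {src}: use COPY for plain files and directories")
        elif inst == "USER":
            last_user = arg.strip()
    if last_user is None:
        findings.append("no USER instruction: the container runs as root")
    elif last_user in ("root", "0"):
        findings.append("final USER is root: switch to an unprivileged user")
    return findings


# Constructed samples: the kind of "what is wrong with this Dockerfile" pair the
# exam asks about, not real project files.
BAD = """\
FROM ubuntu
RUN apt-get update
RUN apt-get install -y curl
ADD ./src /app
CMD ["/app/run"]
"""

GOOD = """\
FROM python:3.11-slim
# one layer: update + install + cleanup, so the apt cache is never stale or kept
RUN apt-get update && apt-get install -y --no-install-recommends curl \\
    && rm -rf /var/lib/apt/lists/*
COPY ./src /app
USER 1000
CMD ["python", "/app/main.py"]
"""

if __name__ == "__main__":
    for label, df in (("BAD", BAD), ("GOOD", GOOD)):
        print(f"{label}: {len(lint(df))} finding(s)")
        for f in lint(df):
            print("  -", f)
```

The BAD file trips every check (six findings), the GOOD file trips none. The USER check is the one I would weight highest from a security angle: an image with no USER line runs its process as root inside the container, which is exactly the kind of “why is this Dockerfile bad” answer the exam is fishing for.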

Helm, Prometheus, Fluentd/Fluent Bit. I suggest you get hands-on experience. Know how to deploy these solutions, and know the “best practices” of each. Especially Helm.

Seg-Men-Tation. How do you keep pods from escalating privileges? (PSP.) How do you make sure pods aren’t running as root? (PSP.) How do you segment one cluster from the other? (NetworkPolicy.) A hard and fast rule: PSPs are for the initiation of the pod. NetworkPolicies make sure that pods don’t talk to each other. Keep that in mind.
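The NetworkPolicy half of that rule trips people up, so here is an added example of mine (not from the post, and not Kubernetes code) that models the ingress semantics on a made-up cluster: a pod accepts traffic from anywhere until some NetworkPolicy in its namespace selects it, and from then on only sources matched by an ingress rule of a selecting policy get through. The namespaces, pods and policies are constructed sample data; ipBlock peers and egress are left out on purpose.

```python
# Added example (not from the post): a toy evaluator of Kubernetes NetworkPolicy
# *ingress* semantics on constructed sample data. No cluster needed.

def labels_match(selector, labels):
    """matchLabels semantics: every key/value in the selector must be present.
    An empty selector ({}) matches everything."""
    return all(labels.get(k) == v
               for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, src, policy_ns, namespaces):
    """Does one entry of a rule's 'from' list match the source pod?
    - podSelector alone        -> pods in the policy's own namespace
    - namespaceSelector alone  -> every pod in the matching namespaces
    - both in one entry        -> both must match (AND)
    """
    if "namespaceSelector" in peer:
        ns_ok = labels_match(peer["namespaceSelector"],
                             namespaces.get(src["namespace"], {}))
    else:
        ns_ok = src["namespace"] == policy_ns
    pod_ok = ("podSelector" not in peer
              or labels_match(peer["podSelector"], src["labels"]))
    return ns_ok and pod_ok


def ingress_allowed(dst, src, policies, namespaces):
    """True if traffic from src may reach dst under the given policies."""
    selecting = [
        p for p in policies
        if p["namespace"] == dst["namespace"]
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and labels_match(p["spec"]["podSelector"], dst["labels"])
    ]
    if not selecting:
        return True            # nothing selects the pod: default allow
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            peers = rule.get("from", [])
            if not peers:
                return True    # a rule with no 'from' allows every source
            if any(peer_matches(peer, src, p["namespace"], namespaces)
                   for peer in peers):
                return True
    return False               # selected, but no rule matched: denied


# Constructed sample cluster state (not a real environment).
NAMESPACES = {"prod": {"env": "prod"}, "dev": {"env": "dev"}}
PODS = {
    "prod/api": {"namespace": "prod", "labels": {"app": "api"}},
    "prod/web": {"namespace": "prod", "labels": {"app": "web"}},
    "dev/test": {"namespace": "dev", "labels": {"app": "test"}},
}
POLICIES = [
    {   # default-deny ingress for every pod in prod: empty podSelector, no rules
        "name": "default-deny", "namespace": "prod",
        "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
    },
    {   # then explicitly allow web -> api inside prod
        "name": "allow-web-to-api", "namespace": "prod",
        "spec": {
            "podSelector": {"matchLabels": {"app": "api"}},
            "policyTypes": ["Ingress"],
            "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}]}],
        },
    },
]


def check(dst_name, src_name, policies=POLICIES):
    """Convenience wrapper over the sample data: can src reach dst?"""
    return ingress_allowed(PODS[dst_name], PODS[src_name], policies, NAMESPACES)


if __name__ == "__main__":
    for dst, src in [("prod/api", "prod/web"), ("prod/api", "dev/test"),
                     ("prod/web", "dev/test")]:
        print(f"{src} -> {dst}: {'ALLOW' if check(dst, src) else 'DENY'}")
    print("with no policies at all, dev/test -> prod/api:",
          check("prod/api", "dev/test", policies=[]))
```

The point to take away: the default-deny policy with an empty podSelector is what flips prod from “everything allowed” to “nothing allowed”, and the second policy then punches a single hole for web to api. Remove the default-deny and dev/test can reach everything in prod again, because no policy selects those pods any more.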

When do you use a configmap, and a secret?

When do you use a readiness probe? Liveness probe?

https://12factor.net – I have seen many different questions on this. On the attempt I passed there was only 1 question, but that was just that sitting. I’ve seen as many as 4 on a test.

https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/ – mutating and validating admission controllers. Know when to use each, and the difference between them.
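Since the mutating-versus-validating difference is exactly what the exam asks, here is an added example of mine (not from the post and not Kubernetes code) that runs the two steps in the order the API server does, mutate first and then validate the mutated object, over constructed pod specs shaped like a Pod’s spec field. The checks mirror the PSP-style fields from the segmentation section above (privileged, allowPrivilegeEscalation, runAsNonRoot/runAsUser, hostPID, hostNetwork); in a real cluster this logic would sit behind an admission webhook, which is not modeled here.

```python
# Added example (not from the post or from Kubernetes): the core logic of a
# mutating step and a validating step, run offline over constructed pod specs.
import copy


def mutate_pod(pod):
    """Mutating step: fill in safe defaults, never override explicit settings."""
    out = copy.deepcopy(pod)
    out["spec"].setdefault("securityContext", {}).setdefault("runAsNonRoot", True)
    for c in out["spec"]["containers"]:
        c.setdefault("securityContext", {}).setdefault("allowPrivilegeEscalation", False)
    return out


def validate_pod(pod):
    """Validating step: return the list of violations (empty means admit)."""
    violations = []
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    if spec.get("hostPID"):
        violations.append("pod: hostPID is not allowed")
    if spec.get("hostNetwork"):
        violations.append("pod: hostNetwork is not allowed")
    for c in spec["containers"]:
        name, csc = c["name"], c.get("securityContext", {})
        if csc.get("privileged"):
            violations.append(f"{name}: privileged containers are not allowed")
        # Kubernetes treats an unset allowPrivilegeEscalation as true.
        if csc.get("allowPrivilegeEscalation", True):
            violations.append(f"{name}: allowPrivilegeEscalation must be false")
        # container-level settings override pod-level ones
        run_as_user = csc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = csc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        if run_as_user == 0:
            violations.append(f"{name}: runAsUser 0 (root) is not allowed")
        elif run_as_user is None and not non_root:
            violations.append(f"{name}: may run as root (set runAsNonRoot or runAsUser)")
    return violations


def admit(pod):
    """Admission chain: mutate, then validate the mutated object.
    Returns (allowed, violations, object_that_would_be_persisted)."""
    mutated = mutate_pod(pod)
    violations = validate_pod(mutated)
    return len(violations) == 0, violations, mutated


# Constructed sample requests (not real workloads).
PLAIN_POD = {"spec": {"containers": [{"name": "web", "image": "nginx:1.25"}]}}
PRIVILEGED_POD = {"spec": {"containers": [
    {"name": "agent", "image": "agent:1.0", "securityContext": {"privileged": True}}]}}
ROOT_POD = {"spec": {"securityContext": {"runAsUser": 0},
                     "containers": [{"name": "job", "image": "job:1.0"}]}}

if __name__ == "__main__":
    print("plain pod, validate only:", validate_pod(PLAIN_POD))
    for label, pod in (("plain", PLAIN_POD), ("privileged", PRIVILEGED_POD), ("root", ROOT_POD)):
        ok, why, _ = admit(pod)
        print(f"{label:10} -> {'ADMIT' if ok else 'DENY'} {why}")
```

Run as-is, the plain pod fails validation on its own (two violations) but is admitted once the mutating step has filled in runAsNonRoot and allowPrivilegeEscalation: that is what a mutating controller is for. The privileged pod and the runAsUser 0 pod are still denied after mutation, because a mutating step only adds defaults and a validating step is what rejects settings that were chosen explicitly. That split is the answer the exam is looking for.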

https://cloud.google.com/kubernetes-engine/docs/concepts/audit-policy – audit policy.

Know Heptio’s products – Sonobuoy, Velero, and Contour. Know their function, especially ingress, and when to use it and why. Know when to use Velero, and why. Know what the function of Sonobuoy is, and why you would use it in different environments.

Know OIDC and Dex.

Outdated stuff to keep in mind: how to secure Tiller with Helm. Helm 2.0 is still out there, so it’s not really outdated, but Helm 3.0 got rid of Tiller, so it makes for an interesting question.

Again, know the differences between CNIs, especially Flannel.

I know this is a different blog, because most of my other “How-to-pass” blogs were focused on the content of others, whereas this one is focused on source material. The reason is that no one has created the training material for this. Maybe it’s because it’s a “master” level badge? Regardless, this isn’t an easy test. If you are attempting this test, I would suggest preparing to take it at least 2 times. If needed, feel absolutely free to contact me on Twitter. I’d be happy to help you prepare for this test.