I’m Mark Ross, Lead Cloud Architect at Atos, specialising in AWS and an AWS Ambassador. I’ve been in the industry for 22 years now, starting out as a field service engineer fixing laptops and desktops as the ‘filling’ in the sandwich of my Computer Science degree, moving on to server management, on-premise infrastructure architecture, private cloud and then made the leap into AWS at the start of 2017.
During that time I’ve learn heaps of technical and non-technical things, either via formal training and industry qualification, on-line training and on the job training and experience. My highlight is achieving all the of AWS Certifications achieving ‘all 12’ and then maintaining it with the release of the SAP on AWS Cert, where I wrote up my findings to help others whilst we await training courses aimed at helping to pass the cert.
I’m always looking to widen my knowledge, regardless of whether I’m using something day to day. Even though I know the specific details may be forgotten over time (that’s what Google’s for right?) I think I retain enough knowledge to recall where I need to go to look, techniques etc. to make it worthwhile. As more customers move to containerised applications and services I felt that I would benefit from increasing my knowledge in containers and Kubernetes, and I always like to validate my knowledge with a certification, so I set about targeting the Linux Foundation CKAD, CKA and CKS certifications.
I used ACloudGuru’s certification preparation courses, which I found were very good at explaining the topics the certification would cover, and included some useful hands on labs.
All of the CKA, CKAD and CKS exams are lab based exams, no multiple choice questions here. This is quite a diversion from most exams I’ve taken, although I’ve got to say I quite enjoyed them, well on the ‘old’ testing platform at least (more of that later!). Multiple choice based exams test your ability to learn and retain knowledge / facts, they don’t demonstrate that you can practically use the knowledge and be productive on a project. They can also, to an extend, be ‘gamed’ by discounting obviously incorrect answers to often get to a 50/50 chance of the correct answer. Lab based exams on the other hand test skills, you’ve got to be able to type in the commands, use the allowed documentation to find what you need etc. and are therefore more representative of a hands-on role. The downside in 100% lab environment exams though is you can train yourself to get to the right answer by running commands, updating / creating resources, without necessarily needing to understand and retain the ‘why’, this is particularly true of questions that say ‘create x, then use it with resource y’. Perhaps the best of both worlds is a combination of the two, like how AWS are moving with some of their exams now including exam labs.
I took and passed the CKA and CKAD exams under the ‘old’ Linux Foundation testing platform, this is no longer available for examination from late June 2022 onwards. Preparation for the exams was assisted by 2 x 36 hour exam simulator sessions and their Training Simulator sessions from Killer.sh, which were provided for no additional charge when I purchased the certification through Linux Foundation. The practice exams were very representative of not just the exam content, but also the testing environment itself.
At the time you were allowed 2 hours for the exam, 2 monitors and your own Chrome session with pre-bookmarked items for code snippets you might need, like building a pod, deployment, upgrading the Kubernetes version etc. I found the experience weirdly enjoyable and I easily surpassed the passing score requirements of 67/100, with 95/100 on CKAD and 80/100 on CKA, despite not working with Kubernetes on a day to day basis.
My problems started on the CKS exam. Having had a little spare time at work to get the CKAD and CKA certs done my workload significantly ramped up and I was struggling to find sufficient time to study. Given you have a free retake at the exam and I felt I was borderline ready I thought I’d give it a go, I then had multiple delays due to issues with the exam platform being unavailable and I had multiple exams cancelled at short notice. When I eventually took the exam it turns out my self assessed ‘borderline’ was right on the money and I failed with a score of 64/100, when I needed 67/100.
I set about increasing my knowledge in the areas I was deficient, but this coincided with a change to the new ‘PSI bridge’ platform. Despite being better prepared knowledge wise than before I failed miserably with a score of 52/100 and wasn’t even able to answer all the questions, something I’d achieved without problem on the old platform. This is because the new testing conditions are significantly harder than before. You’re now only allowed a single monitor, which puts screen real estate at a premium. This was something I’d not realised going into the exam and I was forced to remove my second monitor and work solely on my laptop screen (my complaint afterwards that I wasn’t advised I could use my external monitor resulted in Linux Foundation updating their guidance here), but if you’re going to take an exam with them I strongly disagree with their statement that a screen of 15'’ or more is sufficient — I wouldn’t even bother trying with less than 24'’, I’m now using 28'’ myself. In addition the entire exam is now done inside a PSI provided VM, so you have no access to your own Chrome bookmarks (there are some topics above each question that might take you to the right info) and there’s some lag into the VM too. My personal assessment is this has made the exam take about 25% longer than the previous exam conditions, but the time limit is still 2 hours. Despite raising these concerns with Linux Foundation on the grounds of a) unfairness to new candidates having a significantly harder exam than those passing pre end of June 2022 and b) it unfairly disadvantages people who can’t afford a large monitor to take the exam on these have fell on deaf ears. I cheekily asked for information about passing rates on the old platform versus the new platform but they didn’t even acknowledge my request.
To add insult to injury my third attempt at the CKS exam wasn’t much more of a pleasant experience. Despite being more prepared for the exam environment with a large 2nd monitor in place, my laptop screen not in use per my manufacturers guidelines, passing the system checks on the way in, I had to argue with the PSI proctor for around 45 minutes to even be allowed to take the exam. The proctor was adamant I wasn’t allowed a 2nd monitor and insisted I remove it, which I refused to do and kept telling them I was compliant with the guidelines and I’d passed the system checks on the way in. They then asked me to shut my laptop screen, and despite me tell them my webcam was integrated to the laptop they seemed surprised when they could no longer see me when I complied with their request! Eventually i found a way of completely disabling the laptop screen so it wasn’t visible in Windows settings, which satisfied the proctor but after 45 minutes of frustration and furious typing I wasn’t in the best frame of mind for the exam, and I failed by one mark!
Forth time’s a charm! Having only failed one exam previously needing to take an exam 4 times was a new, somewhat chastising experience for me, even with what I’d regard to be extenuating circumstances. The only saving grace being that by complaining about my experience on attempt 2 and 3 I was given free retakes, so my employer only ever paid for the 1 exam (which came with a free retake).
Top tips to help pass the exams: -
Use ACloudGurus CKA, CKAD and CKS courses. Use the hands on labs at the end of each course under sections call ‘Practice Exam’ to hone your skills using the allowed exam documentation and the list of things to be done. You need to be at the level where you can do these tasks without a) watching the videos or b) reading the guides. Only watch / read these afterwards to self mark your efforts / understand where you’ve gone wrong.
Make use of your killer.sh resources provided with your exam. I recommend doing the CKA / CKAD / CKS Training Scenarios, as well as use your 2 x 36 hour practice exam environments as much as you can (note — you can reset the environment at any time in the 36 hours sop you can do multiple practice exams per 36 hour session). The great thing about killer.sh is it’ll mark your work, so there’s no ambiguity about whether you’ve done it correctly, and there are tips and answers available to help you if you’re unsure why you’ve got something wrong. Note — the killer.sh exam simulator doesn’t look and feel the same as the real exam at the time of writing (July 2022), but the exam questions are representative.
Both ACloudGuru and Killer.sh had all the topics that came up on my exams, so understand them thoroughly and be able to do the tasks in the labs with only the officially allowed documentation.
When you come to sit your exam make sure you have a large enough monitor to be able to have 3 things on the same screen — a pane with the questions (roughly 25% of the screen) and then a VM taking up the other 75% of the screen with a Terminal Window and a Web Browser. If you can’t comfortable do this your screen is too small. I’ve only used 28'’ on the new platform, 24'’ would probably be ok, I don’t know what Linux Foundation are thinking saying 15'’ is enough. Make sure you disable your monitor fully using these instructions if using a laptop with external screen, shouldn’t be an issue if using a PC with Monitor. If the proctor tries to tell you you can’t use an external monitor argue your case and prove using your webcam that Windows only has 1 monitor in the Settings area. Not sure what the config would need to be if you’re a Mac user or Linux user but you get the idea.
Know your Linux Terminal shortcuts: -
To paste in the terminal use CTRL + SHIFT + V
To copy in the terminal use CTRL + SHIFT + C
To insert when using VIM you must use the I key, INSERT is not supported
You need to use :set paste when copying multiple lines into the terminal, otherwise formatting is all over the place
Be comfortable using Firefox as that’s the browser in the VM
What did I learn?
Well firstly a lot more than just Kubernetes. Being from a more of a Windows background originally studying for and taking these three certifications really upped my knowledge of hands on Linux commands to manipulate outputs, encode, encrypt and where all the configuration files, logs etc are kept. It also improved my knowledge of Docker and best practice around writing Docker files. My knowledge of Kubernetes and some of the cloud native ecosystem like Trivy, Kube-Bench, Falco and Calico and others has increased exponentially.
I also realised during my training just how complicated you can make a Kubernetes deployment, adding a myriad of these components from the cloud native ecosystem, and can configure a multitude of things within the Kubernetes cluster impacting things like security.
Setting up and managing Kubernetes yourself is of course doable, but I hear countless stories of people saying that whilst they set off on a journey of maximum flexibility, they’ve ended up creating a support requirement and team around managing and keeping up to date that platform. You can of course offload that overhead to a partner such as Atos, but I think you need to have a genuine reason why you need a self managed cluster and are willing to make that additional investment.
If you compare a self managed cluster with a managed service like AWS’ EKS service, you avoid a significant amount of overhead. The control plane is managed for you, has a good security posture, is highly available etc. It’s also managed in an ongoing manner, although you get enough control to manage the Kubernetes version. As an experience I ran a quick build and then deployed a Kube-bench pod to check the default out of the box compliance to CIS Kubernetes benchmarks and there were no fails, so you know you’re good to go from the off.
Some people may cry ‘lock-in’ but Azure (AKS) and GCP (GKE) both have equivalent services and given you can deploy to the clusters with native techniques lock-in can be avoided if that’s your primary concern, i.e. you can deploy with Helm, your specification files in yaml if using kubectl etc. can all be identical. Personally I just look at ‘lock-in’ as ‘what’s the cost of change’, and I’ve heard others refer to ‘portability time objective’ (PTO) to drive a meaningful discussion on how long you’re willing to take to be able to move an application somewhere else, to take the emotion out of the conversation, in a similar way to how people talk about recovery time objective and recovery point objective when discussing business continuity. One thing that is worth nothing though regarding lock-in is you really need to think about what the code inside your containers is ultimately doing and how you create your architecture if your ultimate aim is to minimise the cost of change. It’s no good thinking your not locked in at all because you’ve used EKS if you’ve also used a load of native services for queuing, secrets management etc. within the containers. You probably want to look for options on the CNCF to achieve that if your aim is to minimise your ‘PTO’. If you’re less concerned about your ‘PTO’ and want to maximise availability, elasticity and all that other goodness you may well want to venture further up the stack than even a managed Kubernetes service like AWS EKS. Then it’s worth considering AWS Fargate for serverless container compute (so there’s no underlying cluster to worry about) or AWS Lambda so there’s not even a container to worry yourself with! Many born in the cloud business are going from zero to hero without a server or potentially even a container in sight!