Community post originally published on Medium by Giorgi Keratishvili
Introduction
Over the last five years, security has emerged as one of the most demanding skills in IT. When combined with the equally sought-after skill of containers, we get a prestigious certification known as the CKS. But what if someone is interested in all of the above yet seeks an entry-level certification or is just starting out? Suppose this person has a basic understanding of container operations and architecture, is passionate about vendor-neutral solutions and might even hold a KCNA certification? Ah, then my dear friend, you are in the right place. In this blog, we will explore who might find this certification appealing, how to prepare for it and the knowledge one is expected to acquire upon completion…
Who should take this exam?
When people hear the word “security” in a certification title, their first thought is often that it must be very challenging and require great expertise to study for and pass. However, don’t let such thoughts deter you: diving into the details might reveal that the concepts we imagined were difficult are not so hard in reality. The goal of this certification is to provide individuals with basic knowledge of implementing container security best practices in a vendor-neutral way.
Compared to other certifications I wouldn’t say it’s the easiest, but it still falls under the pre-professional level of difficulty and is a great way to test your knowledge before tackling the CKS. For me, the order of difficulty felt like this: KCNA/CGOA/CKAD/PCA/KCSA/CKA/CKS. One thing to keep in mind is that I had already passed the CKS before taking the KCSA, and when I was preparing for the exam there were no tutorials or blogs to refer to, only some suspiciously scam-like dumps, so don’t fall for them. Below I will mention all the new courses and materials that should help in preparation.
Regarding who would benefit: SysAdmins, Devs, Ops, SREs, managers, platform engineers or anyone who does anything on production systems should consider it, as knowing basic security is always a good thing, and so should anybody who wants to become a Kubestronaut 😉 (more about that in the next blog)…
Exam Format and PSI Proctored Exam Tips
So, are we ready to patch every security hole in our cluster, kick hackers out of our production system and make it hard for them to compromise it? Then we have a long path ahead until we reach that point. First, we need to understand what kind of exam this is compared to the CKAD, CKA and CKS. This is an exam where the CNCF has adopted multiple-choice questions, and compared to other multiple-choice exams I would say this one is not easy-peasy. However, it is still classified as pre-professional, on par with the KCNA/PCA/CGOA.
This exam is conducted online, proctored similarly to other Kubernetes certifications and facilitated by PSI. As someone who has taken more than 15 exams with PSI, I can say that every time it’s a new journey. I HIGHLY ADVISE joining the exam 30 minutes before the start, because there are pre-checks of your ID, and the room in which you are taking it needs to be checked against the exam criteria. Please check these two links for the exam rules and the PSI portal guide.
You’ll have 90 minutes to answer 60 questions, which is generally considered sufficient time; the passing score is >75%. Be prepared for some questions that can be quite tricky. I marked a couple of them for review and would advise doing the same, because sometimes you can find a hint or a partial answer in a later question; that way you can refer back to the marked questions. Regarding pricing, the exam costs $250, but you can often find it at a discount, such as during Black Friday promotions or near dates of CNCF events like KubeCon, Open Source Summit, etc.
The Path of Learning
At this point, we understand what we have signed up for and are ready to dedicate time to training, but where should we start? Before taking this exam I had good experience with Kubernetes and its ecosystem and had already taken the CKS exam, yet I still learned a lot from preparing for this one.
At first glance, this list might seem too simple and easy; however, we need to learn the fundamentals of security first in order to understand higher-level concepts such as RBAC, the Shared Responsibility Model, the 4Cs and many more.
Let’s break down the Domains & Competencies
**Overview of Cloud Native Security 14%**
- The 4Cs of Cloud Native Security
- Cloud Provider and Infrastructure Security
- Controls and Frameworks
- Isolation Techniques
- Artifact Repository and Image Security
- Workload and Application Code Security
**Kubernetes Cluster Component Security 22%**
- API Server
- Controller Manager
- Scheduler
- Kubelet
- Container Runtime
- KubeProxy
- Pod
- Etcd
- Container Networking
- Client Security
- Storage
**Kubernetes Security Fundamentals 22%**
- Pod Security Standards
- Pod Security Admissions
- Authentication
- Authorization
- Secrets
- Isolation and Segmentation
- Audit Logging
- Network Policy
**Kubernetes Threat Model 16%**
- Kubernetes Trust Boundaries and Data Flow
- Persistence
- Denial of Service
- Malicious Code Execution and Compromised Applications in Containers
- Attacker on the Network
- Access to Sensitive Data
- Privilege Escalation
**Platform Security 16%**
- Supply Chain Security
- Image Repository
- Observability
- Service Mesh
- PKI
- Connectivity
- Admission Control
**Compliance and Security Frameworks 10%**
- Compliance Frameworks
- Threat Modelling Frameworks
- Supply Chain Compliance
- Automation and Tooling
Security
Kubernetes is based on a cloud-native architecture and draws on advice from the CNCF about good practice for cloud native information security. Read Cloud Native Security and Kubernetes for the broader context about how to secure your cluster and the applications that you’re running on it.
The Key Concepts
- Kubernetes security mechanism: Kubernetes includes several APIs and security controls, as well as ways to define policies that can form part of how you manage information security.
- Control plane protection: A key security mechanism for any Kubernetes cluster is to control access to the Kubernetes API. Kubernetes expects you to configure and use TLS to provide data encryption in transit within the control plane and between the control plane and its clients. You can also enable encryption at rest for the data stored within the Kubernetes control plane; this is separate from using encryption at rest for your own workloads’ data, which might also be a good idea.
- Secrets: The Secret API provides basic protection for configuration values that require confidentiality.
- Workload protection: Enforce Pod security standards to ensure that Pods and their containers are isolated appropriately. You can also use RuntimeClasses to define custom isolation if you need it. Network policies let you control network traffic between Pods, or between Pods and the network outside your cluster.
- Auditing: Kubernetes audit logging provides a security-relevant, chronological set of records documenting the sequence of actions in a cluster. The cluster audits the activities generated by users, by applications that use the Kubernetes API and by the control plane itself.
- Policies: You can define security policies using Kubernetes-native mechanisms, such as NetworkPolicy (declarative control over network packet filtering) or ValidatingAdmissionPolicy (declarative restrictions on what changes someone can make using the Kubernetes API). However, you can also rely on policy implementations from the wider ecosystem around Kubernetes. Kubernetes provides extension mechanisms to let those ecosystem projects implement their own policy controls on source code review, container image approval, API access controls, networking and more. For more information about policy mechanisms and Kubernetes, read Policies.
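Pod security standards and Pod Security Admission appear in several of the concepts above. As an added illustration (not code from the original post or from Kubernetes), here is a small Python checker that applies a subset of the Baseline and Restricted controls to a Pod manifest loaded as a dict; the Pod name, image and field values are constructed sample data, and in a real cluster this enforcement is done by Pod Security Admission via namespace labels, not by a script like this.

```python
RESTRICTED = "restricted"   # the other level handled here is "baseline"


def check_pod(pod, level=RESTRICTED):
    """Return the list of Pod Security Standards violations for a Pod manifest (dict)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    violations = []
    # Baseline: sharing host namespaces is forbidden
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            violations.append(f"spec.{field} must not be true")
    # initContainers are checked with the same rules as regular containers
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        # Baseline: privileged containers are forbidden
        if sc.get("privileged"):
            violations.append(f"container {name}: privileged must not be true")
        if level != RESTRICTED:
            continue
        # Restricted: privilege escalation must be explicitly disabled
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"container {name}: allowPrivilegeEscalation must be false")
        # Restricted: must run as non-root, set at container or Pod level
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            violations.append(f"container {name}: runAsNonRoot must be true")
        # Restricted: drop ALL capabilities; only NET_BIND_SERVICE may be added back
        caps = sc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []):
            violations.append(f"container {name}: capabilities.drop must include ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            violations.append(f"container {name}: only NET_BIND_SERVICE may be added")
        # Restricted: a seccomp profile must be set (RuntimeDefault or Localhost)
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            violations.append(f"container {name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return violations


# Constructed sample manifest: a "works on my laptop" Pod that fails even Baseline
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "app", "image": "example/app:1.0",
                        "securityContext": {"privileged": True}}],
    },
}
```

`check_pod(SAMPLE_POD, "baseline")` reports the two Baseline findings (hostNetwork and privileged); the default Restricted level adds four more, which is the kind of gap a namespace labelled `pod-security.kubernetes.io/enforce: restricted` would reject at admission time.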
Key Learning Materials:
You can explore and learn about the KCSA certification and related topics for free through the following GitHub repositories, which I have used, and of course the Kubernetes documentation is our best friend:
- https://github.com/iamaliyousefi/kcsa/blob/main/README.md
- edgarpf/prometheus-certified-associate
- https://github.com/AdminTurnedDevOps/PearsonCourses/tree/main/KCSA-Crash-Course
- https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/
- https://www.aquasec.com/cloud-native-academy/kubernetes-101/kubernetes-complete-guide/
- https://kubernetes.io/docs/concepts/security/
- https://github.com/riquetta/KCSA/wiki#important-note
For structured and comprehensive KCSA exam preparation, consider investing in these paid courses on LinkedIn and O’Reilly from Michael Levan. I have been paying attention to his content; it is indeed very useful and I recommend it, but I would highly advise not clicking on every course that pops up in a Google search, as this is a new exam and there are plenty of scams.
- Cert Prep: Kubernetes and Cloud Native Security Associate (KCSA)
- Kubernetes and Cloud Security Associate (KCSA) Crash Course (O’Reilly)
I hope that in the near future we will see more courses from bigger platforms such as KodeKloud or killer.sh.
Conclusion
The exam is not easy; among other certs I would rank it in this order: KCNA/CGOA/CKAD/PCA/KCSA/CKA/CKS. Within 24 hours after taking the exam you will receive your grade, and passing feels pretty satisfying. Overall, I hope this was informative and useful 🚀