The KCNA is a pre-professional certification designed for candidates who want to advance to the professional level by demonstrating an understanding of Kubernetes foundational knowledge and skills.
This certification is ideal for students learning or working with cloud native technologies, and for students interested in working with them.
A certified KCNA confirms conceptual knowledge of the entire cloud native ecosystem, with a particular focus on Kubernetes.
The KCNA exam is intended to prepare candidates to work with cloud native technologies and to pursue further CNCF certifications, including CKA, CKAD and CKS.
The KCNA demonstrates a candidate's foundational knowledge of Kubernetes and cloud native technologies, including how to deploy an application using basic kubectl commands, the architecture of Kubernetes (containers, pods, nodes, clusters), an understanding of the cloud native landscape and projects (storage, networking, GitOps, service mesh), and an understanding of the principles of cloud native security.
The CKA is for Kubernetes administrators, cloud administrators and other IT professionals who manage Kubernetes instances.
The CKA was created by the Linux Foundation and the Cloud Native Computing Foundation (CNCF) as part of their ongoing effort to help develop the Kubernetes ecosystem.
The exam is an online, proctored, performance-based test that requires solving multiple tasks from a command line running Kubernetes.
A Certified K8s Administrator has demonstrated the ability to perform basic installation as well as to configure and manage production-grade Kubernetes clusters.
They understand key concepts such as Kubernetes networking, storage, security, maintenance, logging and monitoring, application lifecycle, troubleshooting, API object primitives, and the ability to establish basic use cases for end users.
The CKAD is for Kubernetes engineers, cloud engineers and other IT professionals responsible for building, deploying and configuring cloud native applications with Kubernetes.
The CKAD was developed by the Linux Foundation and the Cloud Native Computing Foundation (CNCF) to help expand the Kubernetes ecosystem through standardized training and certification.
This exam is an online, proctored, performance-based test consisting of a set of performance-based tasks (problems) to be solved in a command line.
A CKAD can design, build and deploy cloud native applications for Kubernetes, and can define application resources and use the Kubernetes core primitives to create/migrate, configure, expose and observe scalable applications.
Knowledge of container runtimes and microservice architecture is required, and candidates must be familiar with: working with container images, applying cloud native application concepts and architectures, and working with and validating Kubernetes resource definitions.
A Certified Kubernetes Security Specialist (CKS) is an accomplished Kubernetes practitioner (who must be CKA certified) who has demonstrated competence across a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime.
The CKS is a performance-based certification exam that tests candidates' knowledge of Kubernetes and cloud security in a simulated, real-world environment.
Candidates must take and pass the Certified Kubernetes Administrator (CKA) exam before attempting the CKS exam. The CKS may be purchased, but it cannot be scheduled until CKA certification has been achieved.
The CKA certification must be active (not expired) on the date the CKS exam (including any retakes) is scheduled.
Obtaining the CKS demonstrates that a candidate has the abilities required to secure container-based applications and Kubernetes platforms during build, deployment and runtime, and is qualified to perform these tasks in a professional setting.
KCNA curriculum: domains, weights and competencies
Kubernetes Fundamentals (46%)
- Kubernetes Resources
- Kubernetes Architecture
- Kubernetes API
- Containers
- Scheduling
Container Orchestration (22%)
- Container Orchestration Fundamentals
- Runtime
- Security
- Networking
- Service Mesh
- Storage
Cloud Native Architecture (16%)
- Autoscaling
- Serverless
- Community and Governance
- Roles and Personas
- Open Standards
Cloud Native Observability (8%)
- Telemetry & Observability
- Prometheus
- Cost Management
Cloud Native Application Delivery (8%)
- Application Delivery Fundamentals
- GitOps
- CI/CD
CKA curriculum: domains, weights and competencies
Storage (10%)
- Understand storage classes, persistent volumes
- Understand volume mode, access modes and reclaim policies for volumes
- Understand persistent volume claims primitive
- Know how to configure applications with persistent storage
Troubleshooting (30%)
- Evaluate cluster and node logging
- Understand how to monitor applications
- Manage container stdout & stderr logs
- Troubleshoot application failure
- Troubleshoot cluster component failure
- Troubleshoot networking
Workloads & Scheduling (15%)
- Understand deployments and how to perform rolling updates and rollbacks
- Use ConfigMaps and Secrets to configure applications
- Know how to scale applications
- Understand the primitives used to create robust, self-healing application deployments
- Understand how resource limits can affect Pod scheduling
- Awareness of manifest management and common templating tools
Cluster Architecture, Installation & Configuration (25%)
- Manage role based access control (RBAC)
- Use Kubeadm to install a basic cluster
- Manage a highly-available Kubernetes cluster
- Provision underlying infrastructure to deploy a Kubernetes cluster
- Perform a version upgrade on a Kubernetes cluster using Kubeadm
- Implement etcd backup and restore
Services & Networking (20%)
- Understand host networking configuration on the cluster nodes
- Understand connectivity between Pods
- Understand ClusterIP, NodePort, LoadBalancer service types and endpoints
- Know how to use Ingress controllers and Ingress resources
- Know how to configure and use CoreDNS
- Choose an appropriate container network interface plugin
CKAD curriculum: domains, weights and competencies
Application Design and Build (20%)
- Define, build and modify container images
- Understand Jobs and CronJobs
- Understand multi-container Pod design patterns (e.g. sidecar, init and others)
- Utilize persistent and ephemeral volumes
Application Deployment (20%)
- Use Kubernetes primitives to implement common deployment strategies (e.g. blue/green or canary)
- Understand Deployments and how to perform rolling updates
- Use the Helm package manager to deploy existing packages
- Understand API deprecations
Application Observability and Maintenance (15%)
- Implement probes and health checks
- Use provided tools to monitor Kubernetes applications
- Utilize container logs
- Debugging in Kubernetes
Application Environment, Configuration and Security (25%)
- Discover and use resources that extend Kubernetes (CRD)
- Understand authentication, authorization and admission control
- Understand and define resource requirements, limits and quotas
- Understand ConfigMaps
- Create & consume Secrets
- Understand ServiceAccounts
- Understand SecurityContexts
- Demonstrate basic understanding of NetworkPolicies
Services and Networking (20%)
- Provide and troubleshoot access to applications via services
- Use Ingress rules to expose applications
CKS curriculum: domains, weights and competencies
Cluster Setup (10%)
- Use Network security policies to restrict cluster level access
- Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)
- Properly set up Ingress objects with security control
- Protect node metadata and endpoints
- Minimize use of, and access to, GUI elements
- Verify platform binaries before deploying
Cluster Hardening (15%)
- Restrict access to Kubernetes API
- Use Role Based Access Controls to minimize exposure
- Exercise caution in using service accounts, e.g. disable defaults, minimize permissions on newly created ones
- Update Kubernetes frequently
System Hardening (15%)
- Minimize host OS footprint (reduce attack surface)
- Minimize IAM roles
- Minimize external access to the network
- Appropriately use kernel hardening tools such as AppArmor, seccomp
- Set up appropriate OS level security domains
Minimize Microservice Vulnerabilities (20%)
- Manage Kubernetes secrets
- Use container runtime sandboxes in multi-tenant environments (e.g. gVisor, Kata Containers)
- Implement pod to pod encryption by use of mTLS
Supply Chain Security (20%)
- Minimize base image footprint
- Secure your supply chain: whitelist allowed registries, sign and validate images
- Use static analysis of user workloads (e.g. Kubernetes resources, Dockerfiles)
- Scan images for known vulnerabilities
Monitoring, Logging and Runtime Security (20%)
- Perform behavioral analytics of syscall, process and file activities at the host and container level to detect malicious activities
- Detect threats within physical infrastructure, apps, networks, data, users and workloads
- Detect all phases of attack regardless of where it occurs and how it spreads
- Perform deep analytical investigation and identification of bad actors within the environment
- Ensure immutability of containers at runtime
- Use Audit Logs to monitor access