Exam Day Checklist

A comprehensive checklist for before, during, and after the CKS exam. Print this page or review it the night before your exam.


Pre-Exam Checklist (Day Before)

The Night Before

Complete these items 12-24 hours before your exam:

  • [ ] System check: Verify your computer meets PSI Bridge requirements
  • [ ] Webcam and microphone: Test both are working
  • [ ] Stable internet connection: Wired connection preferred over Wi-Fi
  • [ ] Government-issued ID: Have it ready for identity verification
  • [ ] Clean desk: Remove all items except your computer, ID, and a water bottle (in a clear container)
  • [ ] Close all applications: No other browser tabs, no messaging apps, no IDEs
  • [ ] Bookmarks prepared: Set up key documentation bookmarks (see below)
  • [ ] Review cheatsheets: Final pass through all cheatsheets in this section
  • [ ] Good night's sleep: Do NOT cram the night before

Bookmark Strategy

Prepare these bookmarks in your browser before the exam:

Recommended Bookmarks
| Bookmark Name | URL |
|---|---|
| kubectl Cheatsheet | https://kubernetes.io/docs/reference/kubectl/cheatsheet/ |
| Network Policies | https://kubernetes.io/docs/concepts/services-networking/network-policies/ |
| Security Context | https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
| RBAC | https://kubernetes.io/docs/reference/access-authn-authz/rbac/ |
| Pod Security Standards | https://kubernetes.io/docs/concepts/security/pod-security-standards/ |
| Pod Security Admission | https://kubernetes.io/docs/concepts/security/pod-security-admission/ |
| Audit Policy | https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/ |
| Encryption at Rest | https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/ |
| AppArmor | https://kubernetes.io/docs/tutorials/security/apparmor/ |
| Seccomp | https://kubernetes.io/docs/tutorials/security/seccomp/ |
| RuntimeClass | https://kubernetes.io/docs/concepts/containers/runtime-class/ |
| Admission Controllers | https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/ |
| Secrets | https://kubernetes.io/docs/concepts/configuration/secret/ |
| Falco Docs | https://falco.org/docs/ |
| Trivy Docs | https://aquasecurity.github.io/trivy/ |

First 2-3 Minutes -- Environment Setup

DO THIS FIRST

The moment the exam starts, before reading any questions, set up your environment. This is muscle memory -- practice it until you can do it in under 2 minutes.

Setup Script (Type or Paste)

```bash
# 1. Aliases
alias k=kubectl
alias kn='kubectl config set-context --current --namespace'
alias kcc='kubectl config current-context'

# 2. Autocompletion
source <(kubectl completion bash)
complete -o default -F __start_kubectl k

# 3. Export shortcuts
export do="--dry-run=client -o yaml"
export now="--force --grace-period=0"

# 4. Vim configuration for YAML
# Note: while 'paste' is on, Vim switches off autoindent and expandtab;
# run :set nopaste before typing YAML by hand.
cat >> ~/.vimrc << 'VIMRC'
set tabstop=2
set shiftwidth=2
set expandtab
set number
set autoindent
set cursorline
set paste
VIMRC

# 5. Verify cluster access
k get nodes
```

Vim YAML Settings Explained

| Setting | Purpose |
|---|---|
| set tabstop=2 | Tab displays as 2 spaces |
| set shiftwidth=2 | Indent/unindent by 2 spaces |
| set expandtab | Convert tabs to spaces (critical for YAML) |
| set number | Show line numbers |
| set autoindent | Auto-indent new lines |
| set cursorline | Highlight current line |
| set paste | Prevent auto-indent issues when pasting |

tmux Configuration (If Available)

```bash
# Start tmux session
tmux

# Useful tmux shortcuts:
# Ctrl+b "    - Split pane horizontally (top/bottom)
# Ctrl+b %    - Split pane vertically (left/right)
# Ctrl+b o    - Switch between panes
# Ctrl+b z    - Toggle zoom on current pane
# Ctrl+b d    - Detach from session
# tmux attach - Reattach to session
```

WARNING

Not all exam environments support tmux. If it is not available, do not waste time trying to install it. Work in a single terminal.

kubectl Autocompletion Verification

```bash
# Test that autocompletion works
k get <TAB><TAB>
# Should show: pods, deployments, services, etc.

# Test alias completion
k get po<TAB>
# Should complete to: pods
```

During the Exam -- Tactical Checklist

Before Every Question

  • [ ] Check context: Run kubectl config current-context or check the question header
  • [ ] Switch context: kubectl config use-context <cluster-name>
  • [ ] Check namespace: Note which namespace the question specifies
  • [ ] Estimate time: How many points? Allocate time accordingly

Common Patterns by Domain

Cluster Setup Questions

  1. Check what the question asks you to modify
  2. SSH to the node if it involves static pods or node-level config
  3. Edit /etc/kubernetes/manifests/kube-apiserver.yaml for API server changes
  4. Wait for the API server to restart (30-60 seconds)
  5. Verify with kubectl get nodes or crictl ps

RBAC Questions

  1. Use imperative commands when possible: kubectl create role, kubectl create rolebinding
  2. For complex roles, generate YAML: kubectl create role --dry-run=client -o yaml
  3. Always verify with kubectl auth can-i
  4. Remember: apiGroups: [""] for core resources

NetworkPolicy Questions

  1. Always start with the podSelector (which pods does this apply to?)
  2. Specify policyTypes explicitly
  3. Remember DNS egress if using deny-all egress
  4. Test with kubectl exec -- wget or curl if possible

Security Context Questions

  1. Pod-level vs container-level security context
  2. For restricted PSS: runAsNonRoot, drop ALL caps, readOnlyRootFilesystem, seccomp RuntimeDefault
  3. Add emptyDir volumes for /tmp, /var/cache when using readOnlyRootFilesystem
  4. Check if the app needs NET_BIND_SERVICE capability

Supply Chain Questions

  1. trivy image --severity CRITICAL <image> for scanning
  2. kubectl set image for quick image updates
  3. For Dockerfile fixes: specific tags, non-root user, multi-stage builds, COPY instead of ADD

Runtime Security Questions

  1. Check Falco logs: journalctl -u falco or /var/log/falco/falco.log
  2. Custom rules go in /etc/falco/rules.d/custom-rules.yaml
  3. Always restart Falco after rule changes
  4. For audit logs: use jq to filter /var/log/kubernetes/audit/audit.log

Critical Commands to Memorize

The 10 Commands You Will Use Most

```bash
# 1. Switch cluster context
kubectl config use-context <CONTEXT>

# 2. Check current context
kubectl config current-context

# 3. Generate YAML quickly
kubectl run test --image=nginx --dry-run=client -o yaml > pod.yaml

# 4. Check permissions
kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<ns>:<sa> -n <ns>

# 5. Apply manifest
kubectl apply -f manifest.yaml

# 6. Quick edit
kubectl edit <resource> <name> -n <ns>

# 7. Get resource as YAML
kubectl get <resource> <name> -n <ns> -o yaml > output.yaml

# 8. Label a namespace
kubectl label namespace <ns> <key>=<value>

# 9. Check pod status and events
kubectl describe pod <name> -n <ns> | tail -30

# 10. Monitor API server on control plane
# (quote the pipeline so watch re-runs the grep on every refresh)
watch "crictl ps | grep kube-apiserver"
```

Common Failure Modes and Fixes

API Server Won't Start After Edit

```bash
# Check what went wrong
crictl ps -a | grep kube-apiserver
crictl logs <CONTAINER-ID> 2>&1 | tail -30

# Common causes:
# 1. YAML syntax error in manifest
# 2. Missing volume mount for a new file path
# 3. Referenced file does not exist
# 4. Wrong file permissions

# Fix and wait
sudo vi /etc/kubernetes/manifests/kube-apiserver.yaml
# The kubelet will automatically try to restart it
```

Pod Won't Start

```bash
# Check events
k describe pod <name> -n <ns> | grep -A10 Events

# Common causes:
# 1. Image pull error (wrong image name)
# 2. SecurityContext violation (PSA enforcement)
# 3. AppArmor profile not loaded
# 4. Seccomp profile not found
# 5. runAsNonRoot but image defaults to root
```
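
A manifest that puts the Security Context Questions pattern together and avoids the SecurityContext and runAsNonRoot causes listed above. This is an added example, not part of the original checklist; the pod name, namespace, image, UID and port are assumptions.

```yaml
# Added example: pod name, namespace, image, UID and port are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: restricted-ns
spec:
  securityContext:                  # pod level: applies to every container
    runAsNonRoot: true
    runAsUser: 10001                # numeric UID, set when the image would otherwise run as root
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: web
      image: registry.example.com/web:1.4.2   # placeholder image with a specific tag
      ports:
        - containerPort: 8080       # port above 1023, so NET_BIND_SERVICE is not needed
      securityContext:              # container level: these fields exist only here
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
          # add: ["NET_BIND_SERVICE"]   # only if the app must bind a port below 1024
      volumeMounts:                 # writable paths on top of the read-only root
        - name: tmp
          mountPath: /tmp
        - name: cache
          mountPath: /var/cache
  volumes:
    - name: tmp
      emptyDir: {}
    - name: cache
      emptyDir: {}
```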

NetworkPolicy Not Working

```bash
# Verify policy is in correct namespace
k get netpol -n <ns>

# Describe policy to check selectors
k describe netpol <name> -n <ns>

# Common causes:
# 1. Wrong namespace
# 2. Pod labels don't match podSelector
# 3. Missing DNS egress rule
# 4. AND vs OR logic confusion in from/to selectors
```
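
A policy that shows the NetworkPolicy Questions steps and the last two causes above in one manifest: explicit policyTypes, an AND selector in `from`, and the DNS rule that restricted egress needs. This is an added example, not part of the original checklist; the policy name, namespaces, labels and application port are assumptions, and the `k8s-app: kube-dns` label assumes a kubeadm-style cluster DNS deployment.

```yaml
# Added example: names, namespaces, labels and port 8080 are assumptions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-restrict
  namespace: payments
spec:
  podSelector:              # which pods the policy applies to
    matchLabels:
      app: api
  policyTypes:              # stated explicitly, both directions
    - Ingress
    - Egress
  ingress:
    - from:
        # ONE list item holding two selectors = AND:
        # pods labelled app=frontend that run in namespace "web"
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: web
          podSelector:
            matchLabels:
              app: frontend
        # Writing "- podSelector:" as a second list item would mean OR:
        # every pod in "web", plus app=frontend pods in "payments"
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # Egress from app=api pods is denied except for what is listed here.
    # Without this rule, service names stop resolving.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```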

Time Remaining Checkpoints

Use these checkpoints to gauge your progress:

| Time Remaining | Expected Progress | Action if Behind |
|---|---|---|
| 90 minutes | All easy questions done | Speed up, skip medium questions that are slow |
| 60 minutes | 50% of questions done | Prioritize high-weight questions only |
| 30 minutes | 75% of questions done | Focus on partially completed answers |
| 10 minutes | All attempted | Review flagged questions, verify applied resources |
| 5 minutes | Review only | Double-check contexts, namespaces |

Final 5 Minutes

In the last 5 minutes:

  1. Do NOT start any new question
  2. Verify all resources are applied (not just saved as YAML)
  3. Check that you are in the right context for each answer
  4. Ensure all files are saved to the correct paths

Post-Exam

After the Exam

  • Results are typically available within 24 hours
  • You will receive an email when your score is ready
  • The passing score is 67%
  • If you do not pass, you have 1 free retake
  • Your certificate is valid for 2 years

If You Pass

  • Download your certificate from the CNCF portal
  • Add the certification to LinkedIn
  • The digital badge can be shared on social media

If You Need to Retake

  • Review which domains you struggled with
  • Focus study on weak areas
  • You can retake after 24 hours
  • Your free retake must be used within the exam purchase validity period

Released under the MIT License.