As a Site Reliability Engineer, you need to keep your skills sharp. It’s a journey into continuous learning, one of the things I enjoy the most in my job. There’s no question that different people learn in different ways; a well-structured hands-on certification guides you through the most relevant subjects while keeping the process very practical.
One year after passing the CKA I decided to take the CKS certification. I admit I was skeptical since I always thought security is someone else’s business… but that is quite far from the truth.
When comparing CKS with the CKA, I found it straightforward even though the topics were completely new to me, yet more interesting and engaging to deep dive through the content.
The key difference between CKS and CKA is not only about security but also about interacting with the different Kubernetes components. For instance, understanding how a request to the API server works end to end.
Admission controllers
One of the topics I got more interested in was admission controllers. The Kubernetes API server already has a few built in that we use daily. For example, the admission controller AlwaysPullImages takes care of always pulling the image for every new Pod. There are also well-known admission controllers such as LimitRange to enforce constraints on any given namespace.
To mention some of the most common use cases:
- Enforcing that only images from a certain registry are allowed.
- Limit certain capabilities.
- Limit commands to run as the root user.
[kubectl] -> [authentication] -> [authorization] -> [{admission controllers} - DefaultStorageClass] -> Create PVC
Validating and Mutating webhooks
- mutating: can change the request; this goes first.
- validate: allows or denies the request.
The order of evaluation is important. It’s possible to have admission controllers that do both.
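As an added example (not code from this post or from Kubernetes itself), the sketch below models the two webhook phases as plain Python functions over an `admission.k8s.io/v1` AdmissionReview: a mutating step that forces `imagePullPolicy: Always`, then a validating step that enforces the registry use case listed earlier. The registry name `registry.example.com/`, the function names and the sample request are assumptions made for illustration.

```python
import base64
import json

ALLOWED_REGISTRY = "registry.example.com/"  # assumed name; trailing slash blocks look-alike hosts
FIELDS = ("containers", "initContainers")   # init containers pull images too

def _response(uid, allowed, message=None, patch=None):
    """Build an admission.k8s.io/v1 AdmissionReview response."""
    resp = {"uid": uid, "allowed": allowed}
    if message:
        resp["status"] = {"message": message}
    if patch:
        resp["patchType"] = "JSONPatch"
        resp["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}

def mutate(review):
    """Mutating step (runs first): set imagePullPolicy to Always; never denies."""
    req = review["request"]
    spec = req["object"]["spec"]
    patch = [{"op": "add", "path": f"/spec/{f}/{i}/imagePullPolicy", "value": "Always"}
             for f in FIELDS for i, c in enumerate(spec.get(f, []))
             if c.get("imagePullPolicy") != "Always"]
    return _response(req["uid"], True, patch=patch)

def validate(review):
    """Validating step (runs after mutation): allow or deny; never changes the object."""
    req = review["request"]
    spec = req["object"]["spec"]
    bad = [c.get("image", "") for f in FIELDS for c in spec.get(f, [])
           if not c.get("image", "").startswith(ALLOWED_REGISTRY)]
    if bad:
        return _response(req["uid"], False,
                         f"image not from {ALLOWED_REGISTRY}: {', '.join(bad)}")
    return _response(req["uid"], True)

# Constructed sample request: one compliant image, one from a look-alike host.
SAMPLE = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "request": {
    "uid": "constructed-uid-1", "operation": "CREATE",
    "object": {"kind": "Pod", "spec": {
        "containers": [{"name": "app", "image": "registry.example.com/app:1.0"}],
        "initContainers": [{"name": "init", "image": "registry.example.com.evil.test/init:1"}]}}}}

if __name__ == "__main__":
    print(json.dumps(mutate(SAMPLE)["response"], indent=2))
    print(json.dumps(validate(SAMPLE)["response"], indent=2))
```

The validating step also checks `initContainers`, since a policy that only inspects `containers` leaves a second place where an image from another registry can be referenced.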
Overall, I enjoyed the challenge, and hopefully this year I’ll find the time to get the CKAD done.