As promised I will try to share my experience with the Vmware Certified Master Specialist – 5V0-71.19. This is the first VMware exam that I do that don’t have an associated curriculum, and as this is also a new exam so I didn’t find any guide on how to get prepared. My hope is this helps somebody getting prepared for the exam.
This is a Master Specialist exam, is not entry level so be ready for a challenging test. It has the prerequisite to hold a valid Certified Kubernetes Administrator (CKA) credential by The Linux Foundation so you need to upload your certificate in the VMware CertMetrics site at least 24 hours before the exam.
The exam is multiple choice like other VMware exams, but is based in scenarios, are not the traditional questions. The exam guide have a lot of references for the different objectives. Some of the references are good enough but to be honest some are misleading.
The exam expect you to be able to identify the best approach for the given situations:
Section 1 – Application Deployment to a Cluster
Objective 1.1 Identify the situation that would require a secret.
Objective 1.2 Identify the situation that would require a config map.
Objective 1.3 Given a scenario, identify proper logging for the application.
Objective 1.4 Given a scenario, identify proper metrics for the application.
Objective 1.5 Given a scenario, identify proper probes for the application.
Objective 1.6 Given a scenario, identify the proper way to expose an application to outside users.
Objective 1.7 Given a scenario, identify the proper way to expose a container.
Objective 1.8 Given a scenario, identify helm best practice.
Objective 1.9 Given a common complex error, identify appropriate next steps or identify what the error implies.
Objective 1.10 Given a scenario, identify how to influence scheduling in a cluster.
Objective 1.11 Given an application architecture scenario, identify the changes that should be made to the application to make it suitable for Cloud Native platforms.
Objective 1.12 Given a Dockerfile, identify changes that best suit container best practices.
Section 2 – Cluster Security
Objective 2.1 Given a scenario, identify proper RBAC to implement.
Objective 2.2 Given a scenario, identify proper audit capabilities to implement.
Objective 2.3 Given a scenario, identify the Proper Pod Security Policy to implement.
Objective 2.4 Given a scenario, identify appropriate admission control options to implement on a cluster.
Objective 2.5 Given a scenario, identify appropriate open policy agent configuration to implement.
Objective 2.6 Given a scenario, identify appropriate network policy to implement.
Section 3 – Cluster Operations
Objective 3.1 Given a scenario, identify an appropriate option for configuring backup on a cluster.
Objective 3.2 Given a scenario, identify appropriate options for cluster.
Objective 3.3 Given a scenario, identify the appropriate options for logging configuration.
Objective 3.4 Given a scenario, identify an appropriate option for configuring cluster conformance tests.
Objective 3.5 Given a scenario, identify an appropriate option for configuring an ingress controller to satisfy ingress options on cluster.
Objective 3.6 Given a scenario, identify the appropriate option for separation of application teams.
Objective 3.7 Given a scenario, identify why to use one networking plugin over another.
Objective 3.8 Given a scenario, configure authentication.
Now I’m going to go through all the objectives and based in what I can remember I will give you my recommendations. This is 100% based in what I can remember so please if somebody else that have already done the exam want to comment of correct please be free to do so… 🙂
Recommendations
Objective 1.1 and 1.2 – Secrets and Configmaps.
This two objectives are very straight-forward. If you passed the CKA you should already have have good understanding when you use a secret and when you use a configmap. Expect some question putting both approaches in contrast.
Objective 1.3 – Logging
I think the reference for this objective is good enough for the exam. You need to be able to identify what logging method is the best considering the scenario.
- Basic Logging (kubectl log pod)
- Node Level logging
- Cluster Level Logging
- Node Logging Agent (Fluetd/Elasticsearch/Kibana – EFK Stack)
- Sidecar container with logging agent
- Exposing logs directly from app
Objective 1.4 – Monitoring
For me the questions here where challenging. The reference takes you to the Prometheus main site. In my preparation I installed Prometheus played a little with the default metrics and connected is to Grafana with some dashboards.
To be able to get prepared for this objective you need to get deeper than that. You need to read the documentation and get prepared to get questions for example about instrumenting and writing your own exporters.
Objective 1.5 – Probes
This one is another that I found straight-forward. The reference to the Kubernetes documentation is good enough.
Objective 1.6 and 1.7 – Expose applications and containers
Here is about about services types, I got funny questions like exposing UDP ports and supporting direct connectivity of pods without services.
Objective 1.8 – Helm
Current version of Helm is 3.x but the questions I got where based in helm 2.x. So if you are just getting started with Helm like myself, if you see questions about Tiller you will be lost. Not sure if this will be updated when you are reading this but well, just in case take a look at Helm 2.x and not just Helm 3.0 because the deprecation of Tiller do a difference in term of security considerations with Helm.
Objective 1.9 – Troubleshooting
This objective don’t have a reference, but I think with the CKA knowledge you should be good.
Objective 1.10 – Scheduling
Know how to influence pod scheduling. Maybe is just me but I was not very used with Pod Affinity, pay attention to that one.
- nodeSelector
- Node isolation/restriction
- Affinity / Anti-affinity
- Node Affinity
- Pod Affinity
- nodeName
Objective 1.11 – cloud native principles
For this objective I think the reference is good. Read and understand the 12 factors.
Objective 1.12 – docker files fixing
I think the references are good to understand the best practices but I recommend if you are not used to write Docker files to write some… you will not write them from scratch for the exam you will be more moving lines up and down.
Objective 2.1 – RBAC
You should have the knowledge from the CKA, here you will have scenarios where you need to mix Roles, ClusterRoles with RoleBinding and ClusterRoleBinding to fulfill the requirements.
Objective 2.2 – Audit
Here you need to know the different kind of audit methods, and how the get configured.
Manual modifying files in the master node
- Log Backend: write to disk
- Webhook backend: write to external API
Using API resource
- Dynamic backend: write to external webhook agent using AuditSink API object.
Objective 2.3, 2.4, 2.5, 2.6 – psp, admission controllers, opa and netpols
I mix all of this because at the end PSP and OPA are Admission Controller, Network Policies are not but they are combined in the same scenarios during the exam.
You need to know what security feature to implement based in the scenario, so you need to know what is possible with each functionality. For example for OPA you don’t need to know Rego but you need to know what kind of validations you can do.
Objective 3.1 – Backup
Know the differences between doing a ETC Backup vs using a tool like Velero. You need to know the functionality of Velero.
Objective 3.2 – cluster options
Here I found the reference misleading. You need to double-click on the metrics-server and Horizontal Pod Autoscaler
Objective 3.3 – logging (Again)
I never understood why the exam guide have logging in the section 1 and also in the section 3.
Objective 3.4 – conformance testing
Another objective that send you to a main page of a full project in this case Sonobuoy. Play with Sonobuoy but also understand what kind of testing is required to run for your cluster to be considered in conformance.
Objective 3.5 – ingress
This one is straight forward as well, as this is part of CKA curriculum.
Objective 3.6 – team separation / MULTI-TENANCY
Here you need to be able to identify when is better or enough to use namespaces for isolation of the teams vs for example bootstrap a full independent cluster.
Objective 3.7 – cni
There’s too many CNI options. You should focus on the main ones:
- Calico
- Cilium
- Flannel
- Weave
Objective 3.8 – authentication
You should understand the main authentication methods:
- X509 Client Certs
- Static Token File
- Bootstrap Tokens
- Static Password File
- Service Account Tokens
- OpenID Connect Tokens
- Webhook Token Authentication
- Authenticating Proxy
Well that’s it… I hope it helps someone that is getting prepared to focus the preparation.