VMware Certified Master Specialist – Cloud Native – Certification Guide

As promised, I will try to share my experience with the VMware Certified Master Specialist – 5V0-71.19. This is the first VMware exam I have taken that doesn't have an associated curriculum, and since this is also a new exam I didn't find any guide on how to prepare. My hope is that this helps somebody preparing for the exam.

This is a Master Specialist exam, not an entry-level one, so be ready for a challenging test. It has the prerequisite of holding a valid Certified Kubernetes Administrator (CKA) credential from The Linux Foundation, so you need to upload your certificate to the VMware CertMetrics site at least 24 hours before the exam.

The exam is multiple choice like other VMware exams, but it is scenario based; these are not the traditional questions. The exam guide has a lot of references for the different objectives. Some of the references are good enough but, to be honest, some are misleading.

The exam expects you to be able to identify the best approach for the given situations:

Section 1 – Application Deployment to a Cluster

Objective 1.1 Identify the situation that would require a secret.
Objective 1.2 Identify the situation that would require a config map.
Objective 1.3 Given a scenario, identify proper logging for the application.
Objective 1.4 Given a scenario, identify proper metrics for the application.
Objective 1.5 Given a scenario, identify proper probes for the application.
Objective 1.6 Given a scenario, identify the proper way to expose an application to outside users.
Objective 1.7 Given a scenario, identify the proper way to expose a container.
Objective 1.8 Given a scenario, identify helm best practice.
Objective 1.9 Given a common complex error, identify appropriate next steps or identify what the error implies.
Objective 1.10 Given a scenario, identify how to influence scheduling in a cluster.
Objective 1.11 Given an application architecture scenario, identify the changes that should be made to the application to make it suitable for Cloud Native platforms.
Objective 1.12 Given a Dockerfile, identify changes that best suit container best practices.

Section 2 – Cluster Security

Objective 2.1 Given a scenario, identify proper RBAC to implement.
Objective 2.2 Given a scenario, identify proper audit capabilities to implement.
Objective 2.3 Given a scenario, identify the proper Pod Security Policy to implement.
Objective 2.4 Given a scenario, identify appropriate admission control options to implement on a cluster.
Objective 2.5 Given a scenario, identify appropriate open policy agent configuration to implement.
Objective 2.6 Given a scenario, identify appropriate network policy to implement.

Section 3 – Cluster Operations

Objective 3.1 Given a scenario, identify an appropriate option for configuring backup on a cluster.
Objective 3.2 Given a scenario, identify appropriate options for cluster.
Objective 3.3 Given a scenario, identify the appropriate options for logging configuration.
Objective 3.4 Given a scenario, identify an appropriate option for configuring cluster conformance tests.
Objective 3.5 Given a scenario, identify an appropriate option for configuring an ingress controller to satisfy ingress options on cluster.
Objective 3.6 Given a scenario, identify the appropriate option for separation of application teams.
Objective 3.7 Given a scenario, identify why to use one networking plugin over another.
Objective 3.8 Given a scenario, configure authentication.

Now I'm going to go through all the objectives and, based on what I can remember, give you my recommendations. This is 100% based on what I can remember, so if somebody else who has already done the exam wants to comment or correct something, please feel free to do so… 🙂

Recommendations

Objective 1.1 and 1.2 – Secrets and Configmaps.

These two objectives are very straightforward. If you passed the CKA you should already have a good understanding of when to use a secret and when to use a configmap. Expect some questions putting both approaches in contrast.

Objective 1.3 – Logging

I think the reference for this objective is good enough for the exam. You need to be able to identify which logging method is best for the given scenario.

  • Basic Logging (kubectl logs pod) 
  • Node Level logging 
  • Cluster Level Logging 
    • Node Logging Agent (Fluentd/Elasticsearch/Kibana – EFK Stack) 
    • Sidecar container with logging agent 
    • Exposing logs directly from app 

Objective 1.4 – Monitoring

For me the questions here were challenging. The reference takes you to the Prometheus main site. In my preparation I installed Prometheus, played a little with the default metrics and connected it to Grafana with some dashboards.
To prepare for this objective you need to go deeper than that. You need to read the documentation and be prepared for questions about, for example, instrumenting your application and writing your own exporters.

Objective 1.5 – Probes

This one is another that I found straightforward. The reference to the Kubernetes documentation is good enough.

Objective 1.6 and 1.7 – Expose applications and containers

This is about service types; I got funny questions like exposing UDP ports and supporting direct connectivity to pods without services.

Objective 1.8 – Helm

The current version of Helm is 3.x, but the questions I got were based on Helm 2.x. So if you are just getting started with Helm like myself, and you see questions about Tiller, you will be lost. Not sure if this will have been updated by the time you read this, but just in case take a look at Helm 2.x and not just Helm 3.0, because the deprecation of Tiller makes a difference in terms of the security considerations with Helm.

Objective 1.9 – Troubleshooting

This objective doesn't have a reference, but I think with the CKA knowledge you should be good.

Objective 1.10 – Scheduling

Know how to influence pod scheduling. Maybe it's just me, but I was not very used to Pod Affinity, so pay attention to that one.

  • nodeSelector
  • Node isolation/restriction
  • Affinity / Anti-affinity
    • Node Affinity
    • Pod Affinity
  • nodeName
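A worked example of the affinity options listed above, added here and not part of the original post: a Deployment that combines a hard pod anti-affinity rule (spread replicas across nodes), a soft pod affinity rule (co-locate with a cache in the same zone) and a soft node affinity rule. The labels `app=cache` and `disktype=ssd` are constructed for illustration.

```yaml
# Added example (not from the original post). Labels and names are hypothetical.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      affinity:
        # Hard rule: never place two "app=web" pods on the same node.
        # The topologyKey is the node label that defines "same place".
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: app
                    operator: In
                    values: ["web"]
              topologyKey: kubernetes.io/hostname
        # Soft rule: prefer the zone where an "app=cache" pod already runs.
        podAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 50
              podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app: cache
                topologyKey: topology.kubernetes.io/zone
        # Soft rule: prefer nodes carrying the constructed label disktype=ssd.
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 80
              preference:
                matchExpressions:
                  - key: disktype
                    operator: In
                    values: ["ssd"]
      containers:
        - name: web
          image: nginx:1.25
```

With three replicas and fewer than three nodes, the required anti-affinity rule leaves the extra replica Pending, which is the behaviour the scenario questions tend to probe.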

Objective 1.11 – cloud native principles

For this objective I think the reference is good. Read and understand the 12 factors.

Objective 1.12 – docker files fixing

I think the references are good for understanding the best practices, but if you are not used to writing Dockerfiles I recommend writing some… you will not write them from scratch in the exam; you will be more moving lines up and down.

Objective 2.1 – RBAC

You should have the knowledge from the CKA; here you will have scenarios where you need to mix Roles and ClusterRoles with RoleBindings and ClusterRoleBindings to fulfill the requirements.
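The mixing the exam asks about usually comes down to one reusable ClusterRole bound at two different scopes. The following manifests are an added example, not from the original post; the namespace `team-a`, the user `alice` and the group `sre-group` are hypothetical.

```yaml
# Added example (not from the original post). Subjects and namespace are hypothetical.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-reader
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
# A RoleBinding that references a ClusterRole grants its rules only inside
# the binding's namespace: alice can read pods in team-a and nowhere else.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alice-reads-pods
  namespace: team-a
subjects:
  - kind: User
    name: alice
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# The same ClusterRole bound with a ClusterRoleBinding applies cluster-wide:
# members of sre-group can read pods in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sre-reads-all-pods
subjects:
  - kind: Group
    name: sre-group
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

You can check the resulting scope with `kubectl auth can-i list pods --as alice -n team-a` (yes) against `kubectl auth can-i list pods --as alice -n kube-system` (no).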

Objective 2.2 – Audit

Here you need to know the different kinds of audit backends and how they get configured.

Manually modifying files on the master node

  • Log Backend: write to disk
  • Webhook backend: write to external API

Using an API resource

  • Dynamic backend: write to an external webhook agent using the AuditSink API object.
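Both the log and webhook backends are driven by the same audit Policy file, which the kube-apiserver reads from the path given in `--audit-policy-file`. The policy below is an added example, not from the original post; the file paths in the comments are hypothetical.

```yaml
# Added example (not from the original post). Paths are hypothetical.
# Log backend (writes to disk on the master node):
#   --audit-policy-file=/etc/kubernetes/audit/policy.yaml
#   --audit-log-path=/var/log/kubernetes/audit.log
#   --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100
# Webhook backend (sends events to an external API) swaps the log flags for:
#   --audit-webhook-config-file=/etc/kubernetes/audit/webhook-kubeconfig.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# Emit one event per request, at ResponseComplete, instead of two.
omitStages:
  - RequestReceived
# Rules are evaluated in order; the first match decides the level.
rules:
  # Secrets and tokens: record who touched them, never the payload.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps", "serviceaccounts/token"]
  # RBAC changes are rare and high-impact: keep full request and response.
  - level: RequestResponse
    resources:
      - group: "rbac.authorization.k8s.io"
  # Writes to workloads: keep the request body (who changed what).
  - level: Request
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""
        resources: ["pods"]
      - group: "apps"
        resources: ["deployments", "daemonsets", "statefulsets"]
  # Routine reads by control-plane components and kubelets are noise.
  - level: None
    users: ["system:kube-controller-manager", "system:kube-scheduler"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get", "list", "watch"]
  # Everything else: who did what, without request or response bodies.
  - level: Metadata
```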

Objective 2.3, 2.4, 2.5, 2.6 – psp, admission controllers, opa and netpols

I mix all of these because in the end PSP and OPA are admission controllers; Network Policies are not, but they are combined in the same scenarios during the exam.
You need to know which security feature to implement based on the scenario, so you need to know what is possible with each functionality. For example, for OPA you don't need to know Rego, but you need to know what kind of validations you can do.

Objective 3.1 – Backup

Know the differences between doing an etcd backup vs using a tool like Velero. You need to know the functionality of Velero.

Objective 3.2 – cluster options

Here I found the reference misleading. You need to double-click on the metrics-server and the Horizontal Pod Autoscaler.

Objective 3.3 – logging (Again)

I never understood why the exam guide has logging in section 1 and also in section 3.

Objective 3.4 – conformance testing

Another objective that sends you to the main page of a full project, in this case Sonobuoy. Play with Sonobuoy, but also understand what kind of testing is required for your cluster to be considered conformant.

Objective 3.5 – ingress

This one is straightforward as well, as it is part of the CKA curriculum.

Objective 3.6 – team separation / MULTI-TENANCY

Here you need to be able to identify when it is better or enough to use namespaces for isolating the teams vs, for example, bootstrapping a fully independent cluster.

Objective 3.7 – cni

There are too many CNI options. You should focus on the main ones:

  • Calico
  • Cilium
  • Flannel
  • Weave

Objective 3.8 – authentication

You should understand the main authentication methods:

  • X509 Client Certs
  • Static Token File
  • Bootstrap Tokens
  • Static Password File
  • Service Account Tokens
  • OpenID Connect Tokens
  • Webhook Token Authentication
  • Authenticating Proxy

Well, that's it… I hope it helps someone who is preparing for the exam to focus their preparation.