The CKA (Certified Kubernetes Administrator) is one of the most demanding and respected technical certifications in the cloud-native infrastructure world. Unlike traditional multiple-choice certifications, the CKA is a 100% hands-on exam: you have 2 hours to solve Kubernetes administration tasks in a real cluster, from the command line. This guide prepares you to take on the challenge.
Table of contents
CKA exam overview
Developed by the CNCF (Cloud Native Computing Foundation) in partnership with the Linux Foundation, the CKA validates your ability to administer a production Kubernetes cluster.
| Characteristic | Detail |
|---|---|
| Format | 100% hands-on (CLI in a real cluster) |
| Duration | 2 hours |
| Number of tasks | 15 to 20 tasks |
| Passing score | 66% |
| Allowed documentation | kubernetes.io/docs (single tab) |
| Cost | USD 395 (includes one retake) |
| Validity | 3 years |
Exam domains (approximate weighting):
- Storage - 10%
- Troubleshooting - 30%
- Workloads and scheduling - 15%
- Cluster architecture, installation and configuration - 25%
- Services and networking - 20%
Mastering kubectl: the foundation
During the exam, you will live in the terminal. Speed when running kubectl commands is critical. Essential commands to master:
Basic commands
# List resources
kubectl get pods -n kube-system
kubectl get all --all-namespaces
kubectl get nodes -o wide
# Describe a resource (diagnostic)
kubectl describe pod <pod-name> -n <namespace>
# Show logs
kubectl logs <pod-name> --previous
kubectl logs <pod-name> -c <container>
# Access a container
kubectl exec -it <pod-name> -- /bin/bash
# Force-delete (no graceful termination)
kubectl delete pod <name> --force --grace-period=0Generating YAML with --dry-run
Generating YAML manifests rather than writing them from scratch saves a lot of time:
# Generate a pod YAML without creating it
kubectl run nginx --image=nginx --dry-run=client -o yaml > pod.yaml
# Generate a deployment
kubectl create deployment myapp --image=nginx --replicas=3 \
--dry-run=client -o yaml > deploy.yaml
# Generate a service
kubectl expose deployment myapp --port=80 --type=ClusterIP \
--dry-run=client -o yaml > svc.yamlk=kubectl and enable bash autocompletion at the start of the exam. It can save several minutes over 2 hours.
alias k=kubectl
source <(kubectl completion bash)
complete -F __start_kubectl kWorkloads: pods, deployments, services
Pods and containers
Pod concepts to master:
- Static Pods: defined directly in
/etc/kubernetes/manifests/, managed by kubelet without the controller - Init Containers: run before the main container, useful for initialization
- Sidecars: helper containers in the same pod (logs, proxy)
- Resource requests and limits:
cpuandmemoryto guarantee quality of service - Probes: livenessProbe, readinessProbe, startupProbe for container health
Deployments and updates
- Deployment strategies:
RollingUpdate(default) andRecreate - Rollback:
kubectl rollout undo deployment/myapp - Scaling:
kubectl scale deployment myapp --replicas=5
Services
- ClusterIP: only accessible inside the cluster (default)
- NodePort: exposes the service on each node on a static port (30000-32767)
- LoadBalancer: provisions an external cloud load balancer
- Ingress: HTTP/HTTPS routing to multiple services through an ingress controller
RBAC and Kubernetes security
RBAC (Role-Based Access Control) is frequently tested on the CKA.
RBAC objects
- Role: permissions in a specific namespace
- ClusterRole: cluster-wide permissions
- RoleBinding: binds a Role to a user/group/ServiceAccount in a namespace
- ClusterRoleBinding: binds a ClusterRole cluster-wide
# Create a role allowing reading pods
kubectl create role pod-reader \
--verb=get,list,watch \
--resource=pods \
-n default
# Bind that role to a user
kubectl create rolebinding read-pods \
--role=pod-reader \
--user=alice \
-n default
# Check permissions
kubectl auth can-i list pods --as=alice -n defaultServiceAccounts
ServiceAccounts let pods interact with the Kubernetes API. Always associate dedicated ServiceAccounts with minimal permissions instead of using the default account.
Networking in Kubernetes
Internal DNS
CoreDNS automatically resolves service names within the cluster:
- Service in the same namespace:
my-service - Service in another namespace:
my-service.other-namespace - Full FQDN:
my-service.namespace.svc.cluster.local
NetworkPolicies
NetworkPolicies control pod-to-pod traffic. They require a compatible network plugin (Calico, Cilium, Weave). Key points for the exam:
- By default, all pods communicate freely with each other
- An
IngressNetworkPolicy controls who can reach your pods - An
EgressNetworkPolicy controls where your pods can connect - A pod with no NetworkPolicy is fully open
Persistent storage
PersistentVolumes and PersistentVolumeClaims
- PersistentVolume (PV): a storage resource provisioned by an administrator or dynamically through a StorageClass
- PersistentVolumeClaim (PVC): a storage request made by a pod
- StorageClass: defines the type of storage and the dynamic provisioner
Important access modes:
ReadWriteOnce (RWO): a single node can mount the volume read-writeReadOnlyMany (ROX): multiple nodes can mount it read-onlyReadWriteMany (RWX): multiple nodes can mount it read-write (NFS, CephFS)
Cluster troubleshooting
With 30% of the score, troubleshooting must be a top priority. Learn a systematic method:
Pod in error: diagnosis
# Step 1: check the pod status
kubectl get pod <name> -o wide
# Step 2: read the events
kubectl describe pod <name>
# Step 3: current container logs
kubectl logs <name>
# Step 4: previous container logs (after a crash)
kubectl logs <name> --previousNode Not Ready
# Check node status
kubectl get nodes
kubectl describe node <node-name>
# Connect to the node and check kubelet
systemctl status kubelet
journalctl -u kubelet -n 50Pod-to-pod network issues
# Test connectivity from a temporary pod
kubectl run test --image=busybox --rm -it -- wget -O- http://my-service:80
# Check service endpoints
kubectl get endpoints my-servicePreparation strategy
Intensive practice is the only path to passing the CKA. Plan 8 to 12 weeks if you are new to Kubernetes, 4 to 6 weeks with prior experience.
| Phase | Duration | Focus |
|---|---|---|
| Foundations | Weeks 1-3 | Kubernetes architecture, kubectl, pods, deployments, services |
| Advanced topics | Weeks 4-6 | RBAC, networking, storage, ConfigMaps, Secrets |
| Troubleshooting | Weeks 7-8 | Failure scenarios, methodical diagnosis, etcd backup/restore |
| Mock exams | Weeks 9-10 | Killer.sh (official simulator), timed exercises |
Specific exam day tips
- Set up your aliases and autocompletion as the very first step of the exam
- Note the kubectl context for every task: each question may target a different cluster (
kubectl config use-context <cluster>) - Use
--dry-run=client -o yamlto generate manifests quickly - kubernetes.io documentation is allowed: prepare your bookmarks (RBAC, NetworkPolicy, PV/PVC)
- Tackle the easiest tasks first to lock in points
- Do not spend more than 5-6 minutes on a difficult task; move to the next one and come back later
Conclusion
The CKA is a certification that truly rewards practice. It is not about memorizing answers but about demonstrating real operational mastery of Kubernetes. Every hour spent in a terminal is worth more than several hours of reading. With rigorous preparation and intensive training, the CKA badge is within reach - and it will open many doors in the DevOps and cloud-native world.
Practice for the CKA on Certifexpress
Theory questions and hands-on scenarios to strengthen your Kubernetes knowledge before the exam.
Access CKA practiceFound this article useful? Share it!