This guide is part of the Complete CKA Certification Course
The Certified Kubernetes Administrator (CKA) exam has a duration of 2 hours. To pass the exam, candidates need to achieve a score of at least 66%. The exam will be on Kubernetes version 1.31. Once the certificate is earned, the CKA certification remains valid for 2 years. The cost to take the exam is $395 USD.
Important Note: The CKA exam is updating after November 25, 2024, with new topics and a focus on real-world Kubernetes skills like Gateway API, Helm, Kustomize, CRDs & Operators. This guide is based on the new CKA syllabus. You can read more about the exam changes here CKA Exam Changes
-
Cluster Architecture, Installation & Configuration (25%)
- Manage role based access control (RBAC)
- Prepare underlying infrastructure for installing a Kubernetes cluster
- Create and manage Kubernetes clusters using kubeadm
- Manage the lifecycle of Kubernetes clusters
- Use Helm and Kustomize to install cluster components
- Understand extension interfaces (CNI, CSI, CRI, etc.)
- Understand CRDs, install and configure operators
-
- Understand deployments and how to perform rolling update and rollbacks
- Use ConfigMaps and Secrets to configure applications
- Configure workload autoscaling
- Understand the primitives used to create robust, self-healing, application deployments
- Configure Pod admission and scheduling (limits, node affinity, etc.)
CKA Certification Exam has the following key domains:
Following are the subtopics under Cluster Architecture, Installation & Configuration
RBAC | Service Accounts | Roles & ClusterRoles : Understand the difference between Roles (namespace level) and ClusterRoles (cluster level).
# Create a service account
k create sa <sa-name> -n <namespace>
# Create a role
k create role <role-name> --verb=<verbs> --resource=<resources> -n <namespace>
# Create rolebinding
k create rolebinding <binding-name> --role=<role-name> --user=<username> -n <namespace>
# Create a clusterrole
k create clusterrole <clusterrole-name> --verb=<verbs> --resource=<resources>
# Create clusterrolebinding
k create clusterrolebinding <binding-name> --clusterrole=<clusterrole-name> --user=<username>
# Check RBAC authorization
k auth can-i <verb> <resource> --as=<username>
Setup Virtual Machines : Ensure that each virtual machine (VM) meets the minimum system requirements for setting up a Kubernetes cluster.
Kubeadm Cluster Prerequisites : Ensure that all VMs can communicate with each other, as Kubernetes requires all nodes to have unrestricted communication for pod-to-pod networking.
Provision underlying infrastructure to deploy a Kubernetes cluster : Tools like VirtualBox, VMware, or KVM can be used to set up virtual machines locally and for cloud environments, consider providers like AWS, GCP, or Azure for flexibility and scalability.
Cluster Setup : kubeadm is a tool used for easy cluster bootstrap, be familiar with creating a cluster control plane node and adding worker nodes.
# Set Up kubeconfig
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/configPerform Cluster Version upgrade Using Kubeadm : Managing the lifecycle involves upgrading clusters, managing control plane nodes, and ensuring consistency across versions.
Helm : Helm makes it easier to package and deploy Kubernetes applications. Practice installing, upgrading, and uninstalling releases.
# Install a helm chart
helm install <release-name> <chart-name>
# List helm releases
helm list
# Upgrade a helm release
helm upgrade <release-name> <chart-name>
# Search for a chart
helm search repo <chart-name>
# Install helm chart
helm install <release-name> <chart-name>
# Uninstall a helm release
helm uninstall <release-name>Kustomize : Start by creating a directory containing all the Kubernetes manifests you want to manage with Kustomize.
# Example directory structure
example-app/
├── deployment.yaml
├── service.yaml
└── kustomization.yaml
# Use Kustomize to apply resources
k apply -k kustomization.yaml
Container Runtime Interface (CRI) : Kubernetes uses the CRI to communicate with container runtimes.
# Check container runtime
crictl info
# List all containers
crictl ps
# View specific container details
crictl inspect <container-id>
# View container logs
crictl logs <container-id>
Network Plugin : Kubernetes uses network plugins (CNI) to manage pod networking, get a good understanding of popular plugins like Calico, Flannel, and Weave Net, and understand the role of CNIs in providing network connectivity, security policies, and IPAM.
# List installed CNI plugins
ls /etc/cni/net.d/Container Storage Interface (CSI) for Kubernetes GA : The CSIs is a standardized mechanism that allows storage providers to provide persistent storage support for Kubernetes.
# List CSI drivers
k get csidrivers
Custom Resources : CRDs allows you to extend Kubernetes APIs to create new kinds of Kubernetes objects beyond the built-in ones.
# List CRDs
k get crd
# Describe a CRD
k describe crd <crd-name>
# Delete a CRD
k delete <resource-name> <name>
Operator pattern : The Operator pattern allows you to automate the lifecycle of applications running on Kubernetes by packaging operational knowledge into Kubernetes-native applications.
Following are the subtopics under Workloads & Scheduling
Deployments : Understand the use of --record for version history, which is crucial for rollbacks.
# Create deployment with 3 replicas
k create deploy <deployment-name> --image=<image-name> --replicas=3
# Create deployment manifest file
k create deploy <deployment-name> --image <image-name> --replicas=3 --dry-run=client -o yaml > deploy.yaml
# List deployment
k get deploy
# Check replicaSet
k get rs
# Describe the deployment
k describe deploy <deployment-name>
# Scale deployment replicas
k scale deploy <deployment-name> --replicas=2
# View Deployments Manifest file
k get deploy <deployment-name> -o yaml
# Update container image in a deployment
k set image deploy <deployment-name> nginx=<image-name> --record
# Rollback to previous deployment version
k rollout undo deploy <deployment-name>
# View deployment rollout history
k rollout history deploy <deployment-name>
# Rollback to a specific revision
k rollout undo deploy <deployment-name> --to-revision=1
# Pause deployment rollout
k rollout pause deploy <deployment-name>
# Resume deployment rollout
k rollout resume deploy <deployment-name>
# Rollout & restart a deployment
k rollout restart deploy <deployment-name>
# Delete deployment
k delete deploy <deployment-name>ConfigMaps : Use ConfigMaps to separate environment-specific configurations from the container image.
# Create configmap
k create cm <configmap-name>
# Edit the configmap
k edit cm <configmap-name>
# Create configmap manifest file
k create cm <configmap-name> --dry-run=client -o yaml > cm.yaml
# Create configmap from literal values
k create cm <configmap-name> --from-literal=<key1>=<value1> --from-literal=<key2>=<value2>
# Create configmap from a file
k create cm <configmap-name> --from-file=<file-name>Secrets : Remember that Secrets are base64-encoded and not encrypted and they are for storing sensitive data.
# Create generic secret from literal values
k create secret generic <secret-name> --from-literal=<key1>=<value1> --from-literal=<key2>=<value2>
# Create TLS secret from certificate files
k create secret tls <secret-name> --cert=tls.crt --key=tls.key
Autoscaling Workloads : Practice setting up Horizontal Pod Autoscaler (HPA).
# Using autoscaling
k autoscale deploy <deployment-name> --min=2 --max=5Configure Liveness, Readiness and Startup Probes : Using liveness and readiness probes in your deployment ensure that your applications are self-healing and automatically recover from failures.
# Startup probe
startupProbe:
httpGet:
path: /startup
port: 8080
failureThreshold: 30
periodSeconds: 10
# Liveness probe
livenessProbe:
httpGet:
path: /healthz
port: 8080
initialDelaySeconds: 15
failureThreshold: 1
periodSeconds: 10
# Readiness probe
readinessProbe:
httpGet:
path: /ready
port: 8080
failureThreshold: 30
periodSeconds: 10Pods : Always remember that a Pod may contain one or more containers, and they share storage/network resources, making communication between containers in the same Pod fast and efficient.
# Create a Pod
k run <pod-name> --image=<image-name> --restart=Never
# Create a temporary interactive pod
k run -it <pod-name> --image=<image-name> --rm --restart=Never -- sh
# Delete pod immediately
k delete po <pod-name> --grace-period 0 --force
# Pod resource limits
resources:
requests:
memory: "64Mi"
cpu: "250m"
limits:
memory: "128Mi"
cpu: "500m"Static Pods : To create a static pod, place the manifest in /etc/kubernetes/manifests on the desired node.
# Static pod manifest path
/etc/kubernetes/manifestsLabels and Selectors : When using selectors, you can filter Kubernetes resources by these labels to perform operations like scaling or applying configuration changes.
# Add a label to a pod
k label pod <pod-name> <label-key>=<label-value>
# List pods with their labels
k get po --show-labels
# List pods with specific label
k get po --selector <label-key>=<label-value>
# Remove a label from a pod
k label po <pod-name> <label-key>-Taints and Tolerations : Use taints on critical nodes like control plane nodes or nodes to prevent general-purpose workloads from being scheduled on them.
# Check taints on nodes
k describe no <node-name> | egrep "Name:|Taints:"
# Taint a node
k taint nodes <node-name> <key>=<value>:<effect>
# Add toleration to a pod
tolerations:
- key: <key>
operator: <operator>
value: <value>
effect: <effect>
tolerationSeconds: <in seconds>
# Remove taint from a node
k taint no <node-name> <key>=<value>-
Node Name & Node Selector : Node Selectors are used to schedule pods onto specific nodes by using labels on the nodes.
# Label a node
k label no <pod-name> <label-key>=<label-value>
# Use node selector on pod
nodeSelector:
<label-key>: <label-value>
# Remove labels from a node
k label no <pod-name> <label-key>-
Node Affinity : Use node affinity to control the placement of your pods, ensuring that workloads are distributed efficiently across nodes as per there requirements.
# Example Node affinity
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: <label-key>
operator: In
values:
- <label-value>Admission Controllers Reference : Use admission controllers to enforce policies such as resource quotas, pod security policies, and image validation.
Following are the subtopics under Storage
Storage Classes : Understand the difference between default storage class and other classes
# Example storage class manifest file
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: local-storage
provisioner: kubernetes.io/no-provisioner
volumeBindingMode: WaitForFirstConsumer
reclaimPolicy: Delete
# List storageclasses
k get sc
# Describe storageclass
k describe sc <storageclass-name>
Dynamic Volume Provisioning : Understand which type of persistent storage is supported (like AWS EBS, GCE Persistent Disks) and practice using them.
Volumes : Understand which type of persistent storage is supported (like AWS EBS, GCE Persistent Disks) and practice using them.
Persistent Volumes : Remember to know the different reclaim policies: Retain, Delete, and Recycle. Understand access modes like ReadWriteOnce, ReadOnlyMany.
# List persistentvolume
k get pv
# Describe persistentvolume
k describe pv <persistentvolume-name>
# Delete persistentvolume
k delete pv <persistentvolume-name>
# List persistentvolumeclaim
k get pvc
# Describe persistentvolumeclaim
k describe pvc <persistentvolumeclaim-name>
# Delete persistentvolumeclaim
k delete pvc <persistentvolumeclaim-name>Configure a Pod to Use a PersistentVolume for Storage : Practice creating a pod with persistent storage defined in a YAML manifest. Ensure familiarity with both bindings and mounting.
# Example volume bindings and mounting
volumeMounts:
- name: mysql-storage
mountPath: /var/lib/mysql
volumes:
- name: mysql-storage
persistentVolumeClaim:
claimName: mysql-pvcFollowing are the subtopics under Services & Networking
Cluster Configurations : Use kubectl exec to test network connectivity between pods.
# Execute shell in a pod
k exec -it <pod-name> -- /bin/sh
# Execute shell in a specific container within a pod
k exec -it <pod-name> -c webserver -- sh
# Get pod IP addresses
k get po -o wide
# Check pod-to-pod connectivity
k exec <pod-name> -- curl <target-service-ip>:<port>
# Check network interfaces inside a pod
k exec <pod-name> -- ifconfigNetwork Policies : Practice setting up network policies to restrict traffic flow between pods.
# List network policies
k get netpol
# Description network policies
k describe netpol <policy-name>Service : Practice exposing deployments using all types of services: ClusterIP, NodePort, and LoadBalancer.
# Expose deployment as a service
k expose deploy <deployment-name> --name=<service-name> --port=<port> --target-port=<container-port> --type=<service-type>
# List services
k get svc
# List service endpoints
k get ep
Gateway API : The Gateway API provides more flexibility and extensibility compared to traditional Ingress. Use it when you need advanced traffic routing, such as assigning multiple gateways with different capabilities to different services.
Ingress : Practice creating Ingress resources with different rules to route traffic to services based on hostnames and paths, you can also define multiple services under a single Ingress resource by utilizing both path-based and host-based rules.
# Example manifest file to create ingress object
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
ingressClassName: nginx-example
rules:
- http:
paths:
- path: /examplepath
pathType: Prefix
backend:
service:
name: example
port:
number: 80
# List all ingress resources
k get ing
# Describe an ingress resource
k describe ing <ingress-name>CoreDNS : CoreDNS is used for service discovery within the Kubernetes cluster. Familiarize yourself with modifying the Corefile configuration to add custom DNS behaviors like forwarding queries for specific domains outside the cluster.
# Get CoreDNS ConfigMap in the kube-system namespace
k get cm coredns -n kube-system
# Edit CoreDNS ConfigMap for custom DNS configurations
k edit cm coredns -n kube-system
# Get logs of CoreDNS pods
k logs -n kube-system -l k8s-app=kube-dnsFollowing are the subtopics under Troubleshooting
Troubleshooting Clusters : When draining a node, use --ignore-daemonsets to safely move workloads that can be moved while ignoring daemonsets.
# List all available nodes
k get no
# Describe nodes
k describe no <node-name>
# Drain a node
k drain <node-name> --ignore-daemonsets
# Cordon/uncordon a node
k cordon <node-name>
k uncordon <node-name>
Troubleshooting kubectl : Make sure your kubectl is configured to connect to the correct cluster context.
Troubleshooting kubeadm : Monitor control plane components such as API server, etcd, controller-manager for potential issues during the cluster lifecycle and make sure proper certificate expiration and connectivity between components.
# Cluster components manifest file location
/etc/kubernetes/manifests
# Check kubectl configuration
k config view
# Get logs of kubectl
journalctl -u kubelet
# Check status of kubectl
k get --raw /healthz
# Check status of API server
k get componentstatuses
Metrics Server : Use kubectl top to monitor resource utilization.
# Get no cpu and memory usage
k top no
# Sort pods based on cpu utilization
k top po --sort-by=cpu
# Sort pods based on memory usage
k top po --sort-by=memory
# Get pod cpu and memory usage
k top pod
Logging Architecture : Logs are vital for understanding what's happening inside containers. Use kubectl logs to access logs from running containers.
# Get logs of a pod
k logs <pod-name>
# Get logs of a multi container pod
k logs <pod-name> -c <container-name>
# Get live logs of a pod
k logs <pod-name> -f
Debugging a ReplicaSet | Debug a Deployment : Practice using the describe and logs commands to inspect failed services or pods.
# Describe a pod
k describe pod <pod-name>
# Describe a service
k describe svc <service-name>
# Check recent events in the cluster
k get events