Skip to main content
CNCF 🇺🇸 · 10 min read

CKA (Certified Kubernetes Administrator) Exam Guide 2026

The CKA (Certified Kubernetes Administrator) is the most respected hands-on Kubernetes credential in the industry. Unlike multiple-choice exams, it tests you in a live Kubernetes environment with 17 real tasks to complete in 2 hours. This 2026 guide covers every domain, a kubectl cheat sheet, killer.sh tips, and a proven 8-week preparation strategy.

0 likes 0 comments

The CKA (Certified Kubernetes Administrator) certification, offered by the Cloud Native Computing Foundation (CNCF) and the Linux Foundation, is the industry's gold standard for Kubernetes operations skills. Unlike most IT certifications that test you with multiple-choice questions, the CKA is a performance-based exam — you work in a live Kubernetes environment for two hours, completing 17 real-world tasks using kubectl and other command-line tools. There is no multiple choice, no memorization of terminology alone, and no shortcuts: you either know how to configure a cluster or you do not. This reputation makes the CKA genuinely meaningful to hiring managers, and it is one of the most commonly required certifications for DevOps, SRE, and Platform Engineering roles in 2026.

Exam Format and What to Expect

The CKA exam experience is unlike any other certification you may have taken. Understanding the logistics before exam day eliminates surprises and lets you focus entirely on the tasks.

Detail Value
Format Performance-based (live CLI environment, no multiple choice)
Number of Tasks ~17 tasks across multiple Kubernetes clusters
Time Limit 2 hours (120 minutes)
Passing Score 66%
Exam Cost $395 USD (includes one free retake)
Delivery Online proctored (PSI bridge) — no testing center option
One Allowed Resource kubernetes.io/docs and its subdomains (open in exam browser tab)
Validity 2 years
Results Score report within 24 hours via email

The exam is delivered through a PSI secure browser. You work in a remote desktop environment with a terminal connected to real Kubernetes clusters. Each task specifies which cluster context to use — you must switch contexts using kubectl config use-context at the start of each task. Forgetting to switch contexts is one of the most common causes of lost marks.

You are permitted to keep one additional browser tab open to kubernetes.io/docs. You can use the search function and navigate to any page on the official docs. You cannot use Google, GitHub, Stack Overflow, or any other external sites. Practice navigating the Kubernetes documentation efficiently — knowing where to find example YAML for PersistentVolumeClaims, NetworkPolicies, and RBAC resources will save you significant time.

💡 Pro Tip: Each task in the CKA has a point weight displayed next to it (typically 4–13% each). Always start with the highest-weight tasks you are confident about, then handle medium-difficulty tasks, and leave tasks you are uncertain about for last. A partially completed high-weight task often earns more partial credit than a fully completed low-weight task.

The Five Exam Domains with Weights

The CKA curriculum (v1.32) is organized into five content domains. Each domain maps to real day-to-day cluster administration tasks:

Domain 1: Cluster Architecture, Installation, and Configuration — 25%

This is the heaviest domain. It covers RBAC (roles, cluster roles, role bindings, cluster role bindings), bootstrapping a Kubernetes cluster using kubeadm, upgrading cluster components with kubeadm, managing etcd (backup and restore using etcdctl), understanding the control plane components (kube-apiserver, kube-scheduler, kube-controller-manager, etcd), and configuring highly available control plane nodes. The etcd backup and restore task appears on almost every CKA exam — practice this until it is muscle memory.

Domain 2: Workloads and Scheduling — 15%

Covers Deployments, DaemonSets, StatefulSets, Jobs, CronJobs, and how to manage rolling updates and rollbacks. You must know how to configure resource requests and limits, use node affinity and anti-affinity, taints and tolerations, and understand how the kube-scheduler selects nodes. ConfigMaps and Secrets management also falls here.

Domain 3: Services and Networking — 20%

This domain tests your ability to expose applications: ClusterIP, NodePort, and LoadBalancer service types, Ingress resources and Ingress controllers, CoreDNS configuration, and most importantly NetworkPolicies. NetworkPolicy questions are notoriously tricky — they require you to write YAML that controls pod-to-pod and pod-to-external traffic using label selectors. Practice writing NetworkPolicies from scratch without copying templates.

Domain 4: Storage — 10%

PersistentVolumes (PVs), PersistentVolumeClaims (PVCs), and StorageClasses. You need to know how to create PVs with specific access modes (ReadWriteOnce, ReadOnlyMany, ReadWriteMany) and reclaim policies (Retain, Delete), bind a PVC to a specific PV using selectors, and configure pods to use PVCs as volumes. Volume types (emptyDir, hostPath, configMap, secret) are also tested.

Domain 5: Troubleshooting — 30%

The largest single domain. Troubleshooting covers: diagnosing application failures (CrashLoopBackOff, ImagePullBackoff, OOMKilled), cluster component failures (kubelet not running, API server unreachable), node failures (cordoning, draining, fixing NotReady nodes), and examining logs with kubectl logs, kubectl describe, and journalctl. This is where experienced practitioners pull ahead — practice deliberately breaking clusters and fixing them.

Imperative vs Declarative kubectl Cheat Sheet

Speed is critical in the CKA. Using imperative commands to generate starter YAML files is far faster than writing from scratch. The exam environment has no code editor with Kubernetes YAML support — you work in vim or nano. Here are the essential patterns:

Task Imperative Command
Create a Pod kubectl run nginx --image=nginx --restart=Never
Generate Pod YAML (dry run) kubectl run nginx --image=nginx --dry-run=client -o yaml > pod.yaml
Create a Deployment kubectl create deployment app --image=nginx --replicas=3
Generate Deployment YAML kubectl create deployment app --image=nginx --dry-run=client -o yaml > deploy.yaml
Expose Deployment as Service kubectl expose deployment app --port=80 --target-port=8080 --type=ClusterIP
Create ConfigMap from literal kubectl create configmap app-config --from-literal=key1=value1
Create Secret (generic) kubectl create secret generic db-secret --from-literal=password=s3cr3t
Create ServiceAccount kubectl create serviceaccount monitoring-sa -n monitoring
Create Role kubectl create role pod-reader --verb=get,list,watch --resource=pods -n default
Bind Role to ServiceAccount kubectl create rolebinding sa-binding --role=pod-reader --serviceaccount=default:monitoring-sa
Drain a node kubectl drain node01 --ignore-daemonsets --delete-emptydir-data
Switch cluster context kubectl config use-context k8s-cluster-1
Get events (sorted by time) kubectl get events --sort-by=.lastTimestamp -n default
Backup etcd ETCDCTL_API=3 etcdctl snapshot save /backup/etcd.db --endpoints=https://127.0.0.1:2379 --cacert=... --cert=... --key=...

3 Sample Tasks with Solutions

The following tasks are representative of CKA exam difficulty. For each, read the task description, attempt a solution, then review the provided answer.

Task 1: Create a Pod with Resource Limits

Task: In the default namespace on cluster k8s-prod, create a Pod named resource-pod using the image nginx:1.25. Configure the container with a CPU request of 100m, a CPU limit of 200m, a memory request of 128Mi, and a memory limit of 256Mi. The pod must remain running.

Solution:

kubectl config use-context k8s-prod

kubectl run resource-pod --image=nginx:1.25 --dry-run=client -o yaml > resource-pod.yaml

# Edit resource-pod.yaml to add resources block under the container spec:
# resources:
#   requests:
#     cpu: "100m"
#     memory: "128Mi"
#   limits:
#     cpu: "200m"
#     memory: "256Mi"

kubectl apply -f resource-pod.yaml

# Verify
kubectl get pod resource-pod
kubectl describe pod resource-pod | grep -A 6 Limits

Task 2: Create a NetworkPolicy

Task: In namespace web-ns, create a NetworkPolicy named web-policy that allows ingress traffic to pods labeled app=frontend only from pods labeled app=backend in the same namespace, on port 80. All other ingress to app=frontend pods must be denied.

Solution:

kubectl config use-context k8s-prod

cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-policy
  namespace: web-ns
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: backend
    ports:
    - protocol: TCP
      port: 80
EOF

# Verify
kubectl describe networkpolicy web-policy -n web-ns

Task 3: Backup and Restore etcd

Task: Create a snapshot backup of the etcd cluster to /opt/etcd-backup.db. The etcd server runs on https://127.0.0.1:2379 with TLS certificates at /etc/kubernetes/pki/etcd/.

Solution:

# First, confirm the etcd endpoint and cert paths
kubectl describe pod etcd-controlplane -n kube-system | grep -E "listen-client|cert-file|key-file|trusted-ca"

ETCDCTL_API=3 etcdctl snapshot save /opt/etcd-backup.db \
  --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/server.crt \
  --key=/etc/kubernetes/pki/etcd/server.key

# Verify the snapshot
ETCDCTL_API=3 etcdctl snapshot status /opt/etcd-backup.db --write-out=table

killer.sh Simulator Tips

Every CKA registration includes two free sessions on killer.sh, the premier CKA practice simulator. These sessions are intentionally harder than the real exam — many candidates score 40–60% on killer.sh and still pass the actual CKA. Here is how to use it effectively:

  • Do not use your first killer.sh session until you have completed at least 80% of your study plan. The simulator is most valuable as a final assessment tool, not as a learning tool for beginners. Using it too early wastes the session and can be demoralizing.
  • Use the first session with a 2-hour time limit enforced. Sit down, set a timer, complete as many tasks as possible, and submit. Do not look up answers during the session — treat it exactly like the real exam.
  • Spend 2–3 hours after the first session reviewing every task, including the ones you got right. The killer.sh solutions often show more efficient approaches than you used.
  • Use the second session 3–4 days before your real exam as a final confidence calibration. At this point you should be scoring 65%+ on killer.sh, which typically correlates with a comfortable pass on the real exam.

Environment Setup: tmux, Aliases, Bash Completion

The exam environment supports customization of the terminal. Setting up your environment at the start of the exam takes 2 minutes but saves 10+ minutes over 120 minutes of work. Practice these setups until they are automatic:

# Enable kubectl bash completion (run once at start of exam)
source <(kubectl completion bash)
echo "source <(kubectl completion bash)" >> ~/.bashrc

# Set essential aliases
alias k=kubectl
alias kgp="kubectl get pods"
alias kgs="kubectl get svc"
alias kgn="kubectl get nodes"
alias kdp="kubectl describe pod"
complete -F __start_kubectl k

# Set default namespace shortcut (update per task)
export do="--dry-run=client -o yaml"
export now="--force --grace-period 0"

# Example usage:
# k run nginx --image=nginx $do > pod.yaml
# k delete pod nginx $now

Using tmux for Split Panes

tmux allows you to split the terminal into multiple panes — one for running kubectl commands and one for editing YAML files simultaneously. The basic setup:

  • tmux — start a new session
  • Ctrl+B, % — split vertically
  • Ctrl+B, " — split horizontally
  • Ctrl+B, arrow key — switch between panes

8-Week Study Timeline

Weeks 1–2: Kubernetes Fundamentals
  • Set up a local cluster with kind or minikube (or use Killercoda free scenarios)
  • Deploy applications with kubectl run, create, apply — get comfortable with the CLI
  • Study core objects: Pods, ReplicaSets, Deployments, Services, Namespaces
  • Complete "Kubernetes for Absolute Beginners" by Mumshad Mannambeth (KodeKloud)
Weeks 3–4: Cluster Architecture and Storage
  • Bootstrap a cluster with kubeadm — do this at least three times from scratch
  • Practice RBAC: create roles, cluster roles, bindings, and service accounts
  • Configure PersistentVolumes, PVCs, and StorageClasses
  • Practice etcd backup and restore until it takes less than 3 minutes
Weeks 5–6: Networking and Scheduling
  • Write NetworkPolicies from scratch — ingress-only, egress-only, and combined
  • Configure Ingress resources with path-based and host-based routing
  • Practice taints, tolerations, node affinity, and pod affinity rules
  • Study CoreDNS: how pod DNS resolution works, how to debug DNS failures
Weeks 7–8: Troubleshooting and Final Prep
  • Work through deliberate break-and-fix scenarios (KodeKloud CKA course labs are excellent for this)
  • Use your first killer.sh session and spend a full day reviewing solutions
  • Practice navigating kubernetes.io/docs efficiently — find PVC, NetworkPolicy, and RBAC examples in under 30 seconds each
  • Use your second killer.sh session 3–4 days before exam day; schedule the real exam if scoring 65%+
💡 Pro Tip: The KodeKloud CKA course by Mumshad Mannambeth is the most popular and comprehensive preparation resource for the CKA. It includes interactive browser-based labs that run a real Kubernetes environment without requiring any local setup. The course is regularly updated to match the latest Kubernetes version used on the exam. Pair it with killer.sh for the best preparation combination.

Ready to Practice?

Reinforce your Kubernetes knowledge with our full CKA practice exam — 340 scenario-based questions covering all five domains, with detailed explanations for every answer.

Browse Practice Exams →

Comments

Sign in to leave a comment.

No comments yet. Be the first!

Comments are reviewed before publication.