The Certified Kubernetes Administrator (CKA) exam, administered by the Linux Foundation in partnership with the Cloud Native Computing Foundation (CNCF), is the industry-standard certification for professionals who deploy, manage, and troubleshoot Kubernetes clusters in production environments. Unlike traditional multiple-choice IT exams, the CKA is entirely performance-based: you work in real Kubernetes clusters through a command-line terminal, solving practical tasks under time pressure.
The CKA has earned a reputation as one of the most challenging and respected certifications in the DevOps and cloud-native space. According to a 2024 CNCF survey, 78% of organizations using Kubernetes in production reported that CKA certification was a preferred or required qualification for their infrastructure engineering roles. The exam costs $395 USD (which includes one free retake), runs for 2 hours, and requires a passing score of 66%.
This guide covers every domain in the CKA exam curriculum, explains the critical concepts and commands you must know, and provides a study plan focused on the hands-on skills that determine whether you pass or fail.
Exam Overview and Format
| Detail | Information |
|---|---|
| Exam Code | CKA |
| Administered By | Linux Foundation / CNCF |
| Format | Performance-based (live Kubernetes clusters) |
| Number of Tasks | 15-20 |
| Time Limit | 2 hours |
| Passing Score | 66% |
| Cost | $395 USD (includes 1 free retake) |
| Kubernetes Version | 1.29+ (as of 2024/2025) |
| Open Book? | Yes (kubernetes.io/docs only) |
| Proctoring | Online via PSI |
The CKA is an open-book exam, meaning you can access the official Kubernetes documentation at kubernetes.io/docs during the exam. This is both an advantage and a trap. Candidates who rely on searching documentation during the exam waste critical time. The documentation should be a reference for specific YAML syntax, not a substitute for understanding core concepts.
"The CKA exam is not about memorizing YAML manifests. It is about understanding how Kubernetes works well enough to diagnose problems under pressure. The candidates who pass are the ones who have spent dozens of hours in a terminal creating, breaking, and fixing clusters. The ones who fail are the ones who only watched videos." -- Mumshad Mannambeth, founder of KodeKloud and creator of the most popular CKA preparation course
Domain 1: Cluster Architecture, Installation, and Configuration (25%)
Kubernetes Architecture
Kubernetes -- an open-source container orchestration platform originally developed by Google and donated to the CNCF in 2014, designed to automate the deployment, scaling, and management of containerized applications across clusters of machines.
A Kubernetes cluster consists of two types of nodes:
Control plane nodes run the components that manage the cluster:
- kube-apiserver: The front door to the cluster. All communication (from
kubectl, other components, and external systems) goes through the API server. - etcd: A distributed key-value store that holds all cluster state and configuration data. Losing etcd data means losing the cluster.
- kube-scheduler: Determines which node should run a newly created pod based on resource requirements, affinity rules, and constraints.
- kube-controller-manager: Runs controller loops that watch the cluster state and make changes to move the current state toward the desired state. Examples include the ReplicaSet controller and the Node controller.
Worker nodes run the actual workloads:
- kubelet: The agent on each worker node that ensures containers are running in pods as specified. Communicates with the API server.
- kube-proxy: Manages network rules on each node to enable service communication. Implements Kubernetes Service networking.
- Container runtime: The software that runs containers.
containerdis the standard runtime as of Kubernetes 1.24+ (Docker shim was removed).
Cluster Installation with kubeadm
The CKA tests your ability to bootstrap a cluster using kubeadm, the official cluster creation tool:
- Install
containerd,kubelet,kubeadm, andkubectlon all nodes - Initialize the control plane:
kubeadm init --pod-network-cidr=10.244.0.0/16 - Configure
kubectlaccess: copy the admin kubeconfig to~/.kube/config - Install a CNI (Container Network Interface) plugin like
CalicoorFlannel - Join worker nodes:
kubeadm join <control-plane-ip>:6443 --token <token>
RBAC (Role-Based Access Control)
RBAC -- Kubernetes' authorization mechanism that controls who can perform what actions on which resources, using Roles (namespace-scoped), ClusterRoles (cluster-scoped), RoleBindings, and ClusterRoleBindings.
Creating a Role that allows reading pods in a specific namespace:
kubectl create role pod-reader --verb=get,list,watch --resource=pods -n development
kubectl create rolebinding pod-reader-binding --role=pod-reader --user=jane -n development
etcd Backup and Restore
Backing up and restoring etcd is a critical CKA skill:
- Back up etcd:
ETCDCTL_API=3 etcdctl snapshot save /tmp/etcd-backup.db --endpoints=https://127.0.0.1:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key - Verify the backup:
ETCDCTL_API=3 etcdctl snapshot status /tmp/etcd-backup.db - Restore from backup:
ETCDCTL_API=3 etcdctl snapshot restore /tmp/etcd-backup.db --data-dir=/var/lib/etcd-restored
Domain 2: Workloads and Scheduling (15%)
Pods, Deployments, and ReplicaSets
Pod -- the smallest deployable unit in Kubernetes, consisting of one or more containers that share networking (same IP address) and storage volumes. Pods are ephemeral and are not restarted when they fail; higher-level controllers manage pod lifecycle.
- Deployment: Manages ReplicaSets and provides declarative updates. The most common way to run stateless applications. Supports rolling updates and rollbacks.
- ReplicaSet: Ensures a specified number of pod replicas are running at all times. Rarely created directly; Deployments manage them.
- DaemonSet: Ensures one pod runs on every node (or a selected subset). Used for node-level agents like log collectors (
Fluentd) and monitoring agents (Prometheus Node Exporter). - StatefulSet: Manages stateful applications that require stable network identities and persistent storage. Used for databases like
PostgreSQLandMongoDB.
Scheduling and Resource Management
Resource requests and limits control how much CPU and memory a pod can use:
- Requests: The minimum resources guaranteed to a pod. The scheduler uses requests to decide which node has capacity.
- Limits: The maximum resources a pod can consume. Exceeding memory limits causes an OOM (Out of Memory) kill. Exceeding CPU limits causes throttling.
| Resource Type | Request Effect | Limit Effect |
|---|---|---|
| CPU | Scheduling guarantee | Throttling when exceeded |
| Memory | Scheduling guarantee | OOM kill when exceeded |
Node affinity -- scheduling rules that constrain which nodes a pod can run on, based on node labels. Can be required (hard constraint) or preferred (soft constraint).
Taints and tolerations -- a mechanism where nodes repel pods unless the pod explicitly tolerates the taint. Used to reserve nodes for specific workloads (GPU nodes, high-memory nodes).
Domain 3: Services and Networking (20%)
Service Types
Kubernetes Service -- an abstraction that provides a stable network endpoint for accessing a set of pods, decoupling the client from the underlying pod IP addresses that change as pods are created and destroyed.
- ClusterIP (default): Exposes the service on an internal IP within the cluster. Only accessible from within the cluster.
- NodePort: Exposes the service on a static port on each node's IP. Accessible from outside the cluster via
<NodeIP>:<NodePort>. - LoadBalancer: Provisions an external load balancer (cloud provider dependent). AWS uses Elastic Load Balancer, Azure uses Azure Load Balancer, Google Cloud uses Network Load Balancer.
Ingress
Ingress -- a Kubernetes resource that manages external HTTP/HTTPS access to services within a cluster, providing URL-based routing, TLS termination, and virtual hosting.
An Ingress resource requires an Ingress Controller (like nginx-ingress or traefik) to be installed in the cluster. The Ingress resource defines routing rules; the controller implements them.
Network Policies
NetworkPolicy -- a Kubernetes resource that specifies how pods are allowed to communicate with each other and with external endpoints, functioning as a pod-level firewall.
By default, all pods can communicate with all other pods. NetworkPolicies restrict this by specifying ingress (incoming) and egress (outgoing) rules based on pod labels, namespace labels, and IP blocks. A CNI plugin that supports NetworkPolicies (like Calico or Cilium) must be installed.
DNS in Kubernetes
Kubernetes runs a DNS service (typically CoreDNS) that provides DNS resolution for services and pods:
- Services:
<service-name>.<namespace>.svc.cluster.local - Pods:
<pod-ip-dashed>.<namespace>.pod.cluster.local
Domain 4: Storage (10%)
Persistent Volumes and Claims
PersistentVolume (PV) -- a cluster-level storage resource provisioned by an administrator or dynamically by a StorageClass, representing a piece of physical storage (disk, NFS share, cloud volume).
PersistentVolumeClaim (PVC) -- a user's request for storage that binds to an available PV matching the requested size and access mode.
Access modes:
- ReadWriteOnce (RWO): Volume can be mounted as read-write by a single node
- ReadOnlyMany (ROX): Volume can be mounted as read-only by many nodes
- ReadWriteMany (RWX): Volume can be mounted as read-write by many nodes
StorageClasses
StorageClass -- a Kubernetes resource that defines the type of storage available for dynamic provisioning. Each StorageClass references a provisioner (like kubernetes.io/aws-ebs for AWS or kubernetes.io/gce-pd for Google Cloud) and parameters like disk type and replication.
When a PVC references a StorageClass, Kubernetes automatically provisions a PV without administrator intervention. This is the standard approach in production cloud environments.
Domain 5: Troubleshooting (30%)
This is the largest domain and the one where most candidates either pass or fail. Troubleshooting on the CKA means diagnosing why a cluster component, application, or network configuration is not working and fixing it within minutes.
Essential Troubleshooting Commands
kubectl get pods -A -o wide # See all pods across all namespaces with node info
kubectl describe pod <name> -n <ns> # Detailed pod info including events
kubectl logs <pod> -n <ns> # Container logs
kubectl logs <pod> -c <container> # Logs for a specific container in a multi-container pod
kubectl exec -it <pod> -- /bin/sh # Shell into a running container
kubectl get events --sort-by='.lastTimestamp' # Recent cluster events
systemctl status kubelet # Check kubelet service on a node
journalctl -u kubelet # Kubelet logs
crictl ps # List containers via container runtime
Common Failure Scenarios
| Symptom | Likely Cause | Investigation |
|---|---|---|
| Pod stuck in Pending | Insufficient resources or scheduling constraints | kubectl describe pod for events |
| Pod in CrashLoopBackOff | Application error, misconfigured command | kubectl logs for error messages |
| Pod in ImagePullBackOff | Wrong image name, missing credentials | Check image name and imagePullSecrets |
| Service not reachable | Wrong selector, no endpoints | kubectl get endpoints |
| Node NotReady | Kubelet down, resource pressure | kubectl describe node, check kubelet |
Node Troubleshooting
When a node shows as NotReady:
- SSH to the node and check kubelet status:
systemctl status kubelet - If kubelet is not running, check the logs:
journalctl -u kubelet -n 50 - Common causes: expired certificates, wrong container runtime configuration, disk pressure, memory pressure
- Restart kubelet if needed:
systemctl restart kubelet - Check certificate expiration:
kubeadm certs check-expiration
Kelsey Hightower, a distinguished engineer at Google and co-author of Kubernetes: Up and Running, has said that "Kubernetes troubleshooting is really Linux troubleshooting plus API object troubleshooting. If you understand how Linux networking, processes, and storage work, you already understand 70% of what Kubernetes does. The remaining 30% is understanding the Kubernetes API objects that orchestrate those Linux primitives."
Study Plan and Resources
Six-Week Study Plan
- Week 1: Cluster architecture and installation. Set up a multi-node cluster with
kubeadmon virtual machines or use a cloud lab environment like KillerCoda. - Week 2: Workloads. Create Deployments, DaemonSets, StatefulSets. Practice scaling and rolling updates.
- Week 3: Networking. Configure Services, Ingress, and NetworkPolicies. Understand CoreDNS.
- Week 4: Storage. Create PVs, PVCs, and StorageClasses. Practice with hostPath and dynamic provisioning.
- Week 5: Troubleshooting. Practice breaking and fixing cluster components, nodes, and applications.
- Week 6: Full practice exams under timed conditions. Review weak areas.
Essential Resources
- KodeKloud CKA course by Mumshad Mannambeth: The most recommended CKA preparation course, featuring integrated hands-on labs
- Kubernetes the Hard Way by Kelsey Hightower: A free GitHub tutorial that walks through building a Kubernetes cluster from scratch, providing deep understanding of each component
- killer.sh CKA simulator: Included with your exam purchase. Simulates the real exam environment with harder-than-actual-exam questions. Complete both sessions before exam day.
- Kubernetes: Up and Running by Kelsey Hightower, Brendan Burns, and Joe Beda: The definitive book on Kubernetes fundamentals
- Official Kubernetes documentation: Your primary reference during the exam. Practice navigating it efficiently.
Exam Day Strategy
- Speed matters. You have approximately 6-8 minutes per task. If a task is taking more than 10 minutes, flag it and move on.
- Use
kubectlimperative commands to save time:kubectl run,kubectl create deployment,kubectl exposeare faster than writing YAML from scratch. - Set up aliases at the start of the exam:
alias k=kubectland enable autocompletion withsource <(kubectl completion bash)followed bycomplete -o default -F __start_kubectl k - Bookmark key documentation pages before the exam starts: pod spec, deployment spec, networkpolicy spec, PV/PVC spec.
- Verify your work. After completing a task, run a
kubectl getorkubectl describecommand to confirm the resource was created correctly.
HashiCorp and the CNCF jointly reported in 2024 that Kubernetes adoption reached 84% among organizations with more than 500 employees, up from 69% in 2022. This growth directly correlates with increased demand for CKA-certified professionals, with job postings requiring CKA growing 45% year-over-year according to LinkedIn job market data.
Common Exam Pitfalls and How to Avoid Them
Understanding where candidates commonly lose points helps you focus your preparation on the areas that matter most.
Context Switching Between Clusters
The CKA exam uses multiple Kubernetes clusters. Each task specifies which cluster to work in, and you must switch contexts using kubectl config use-context <context-name>. Forgetting to switch contexts is one of the most common mistakes -- you solve the problem correctly but on the wrong cluster, earning zero points for that task. Build a habit of reading the context instruction first and switching immediately before doing any work.
YAML Indentation Errors
Kubernetes YAML manifests are sensitive to indentation. A misaligned field silently changes the meaning of a resource definition or causes an outright parsing failure. Rather than writing YAML from scratch, use imperative commands to generate templates:
kubectl run nginx --image=nginx --dry-run=client -o yaml > pod.yaml
kubectl create deployment web --image=nginx --replicas=3 --dry-run=client -o yaml > deploy.yaml
Edit the generated YAML rather than building from an empty file. This approach eliminates most indentation errors and saves significant time.
Time Management Failures
With 15-20 tasks in 2 hours, you cannot afford to spend 15 minutes on a single question. The most effective strategy is a two-pass approach: complete all tasks you can solve quickly in the first pass (targeting 5-6 minutes each), then return to difficult tasks in the second pass. Tasks are not equally weighted -- a 4-point task that takes 15 minutes is a worse investment than two 3-point tasks that take 5 minutes each.
Neglecting to Verify Solutions
After completing a task, always verify your work. Run kubectl get to confirm the resource exists, kubectl describe to check its configuration, and if applicable, curl or wget to test connectivity. Candidates who verify each solution catch mistakes that would otherwise cost them the 66% passing threshold.
Tim Hockin, a principal software engineer at Google and one of the original Kubernetes contributors, has noted that "the best Kubernetes administrators are not the ones who can write YAML the fastest. They are the ones who verify their work, understand the error messages, and methodically eliminate incorrect configurations. That discipline is exactly what the CKA exam tests."
See also: CKAD Certified Kubernetes Application Developer study guide, Docker and container fundamentals, Terraform infrastructure as code certification guide
References
- Cloud Native Computing Foundation. "CKA Exam Curriculum." CNCF/Linux Foundation, 2025.
- Hightower, Kelsey, Burns, Brendan, and Beda, Joe. Kubernetes: Up and Running, Third Edition. O'Reilly Media, 2023.
- CNCF. "CNCF Annual Survey 2024: Kubernetes and Cloud Native Adoption." CNCF Research, 2024.
- Hightower, Kelsey. "Kubernetes the Hard Way." GitHub, 2024.
- Linux Foundation. "CKA Certification Handbook." Linux Foundation Training, 2025.
- Mannambeth, Mumshad. "CKA Certification Course." KodeKloud, 2024.
Frequently Asked Questions
How hard is the CKA exam?
The CKA is considered one of the more challenging IT certifications because it is entirely performance-based. You work in real Kubernetes clusters solving practical tasks. Most candidates need 4-8 weeks of dedicated hands-on practice. The exam includes one free retake.
Is the CKA exam open book?
Yes, you can access the official Kubernetes documentation at kubernetes.io/docs during the exam. However, relying too heavily on documentation wastes time. Practice navigating the docs efficiently and memorize common kubectl commands and YAML structures.
What is the CKA passing score?
The passing score is 66%. The exam contains 15-20 performance-based tasks to be completed in 2 hours. Tasks are weighted differently, with troubleshooting tasks typically carrying the most weight at 30% of the total score.