CKA

CKA Study Guide: How to Pass the Certified Kubernetes Administrator Exam

A practical CKA study guide with exam tips, domain breakdowns, and a study plan that actually works. From someone who passed it.

Table of Contents

The CKA exam is a hands-on, performance-based test where you solve real Kubernetes problems in a live terminal. You get two hours. You need a 66% to pass. And the single biggest factor in whether you pass or fail is how fast you can work with kubectl.

That is the short version. The rest of this CKA study guide breaks down exactly what the exam covers, how to study for each domain, and the specific habits that separate people who pass from people who don't.

What the CKA Exam Actually Tests

The Certified Kubernetes Administrator exam is not a multiple choice quiz. You sit in a proctored browser environment with a terminal and 15 to 20 tasks. Each task gives you a scenario and asks you to do something. Create a deployment. Fix a broken cluster. Troubleshoot a networking issue. Configure RBAC.

You have access to the official Kubernetes documentation during the exam. That sounds generous until you realize that looking things up eats your clock. If you have to search the docs for basic kubectl syntax, you will run out of time. The docs are there for edge cases and YAML field names you forgot, not for learning on the fly.

The exam runs on a PSI proctoring platform. You share your screen, your webcam is on, and you cannot have anything else on your desk. One monitor only. No notes. No second browser tabs outside the allowed docs.

Ready to register?

The CKA exam costs $445 and includes one free retake plus two practice sessions.

Register for the CKA Exam

CKA Exam Domains and Weights

The exam covers five domains. The weights tell you where to spend your study time.

DomainWeightWhat It Covers
Cluster Architecture, Installation & Configuration25%Manage RBAC, install clusters with kubeadm, manage etcd snapshots, upgrade clusters
Troubleshooting30%Debug cluster components, application failures, networking issues
Workloads & Scheduling15%Deployments, rolling updates, ConfigMaps, Secrets, resource limits, scheduling
Services & Networking20%Services, Ingress, DNS, NetworkPolicies
Storage10%PVs, PVCs, StorageClasses, volume modes

Troubleshooting is 30% of the exam. That is the biggest chunk. If you are weak at debugging broken clusters, you will struggle regardless of how well you know the other domains.

The Study Plan

Here is a study plan that works for someone who already uses Linux and has at least basic container experience. If you have never touched a terminal, back up and learn Linux first. The LFCS certification is a solid starting point.

Weeks 1 to 3: Core Concepts and Workloads

Start here. Get comfortable creating and managing the basic Kubernetes objects from the command line.

What to learn:

  • Pods, Deployments, ReplicaSets, DaemonSets, StatefulSets
  • Creating resources imperatively with kubectl (not just YAML files)
  • ConfigMaps and Secrets
  • Resource requests and limits
  • Labels, selectors, and annotations
  • Rolling updates and rollbacks
  • Jobs and CronJobs

How to practice: Spin up a cluster with kind or minikube. Do everything from the terminal. The exam does not care if you can write perfect YAML from memory. It cares whether you can get the right result in the time limit.

The fastest workflow for the exam is to generate YAML with kubectl create or kubectl run using the --dry-run=client -o yaml flag, then edit the output. Memorizing full YAML manifests is a waste of time.

# Generate a deployment YAML without creating it
kubectl create deployment nginx --image=nginx --replicas=3 --dry-run=client -o yaml > deploy.yaml

# Generate a pod YAML
kubectl run busybox --image=busybox --dry-run=client -o yaml -- sleep 3600 > pod.yaml

Practice this pattern until it is muscle memory.

Weeks 3 to 5: Cluster Administration

This is the "admin" part of the Certified Kubernetes Administrator. You need to know how to install, upgrade, and maintain clusters.

What to learn:

  • Installing a cluster with kubeadm (init, join, token management)
  • Upgrading a cluster version with kubeadm
  • etcd backup and restore
  • Managing certificates
  • RBAC: Roles, ClusterRoles, RoleBindings, ClusterRoleBindings
  • Service accounts
  • Cordon, drain, and uncordon nodes

etcd backup and restore is almost always on the exam. Learn the exact commands:

# Backup etcd
ETCDCTL_API=3 etcdctl snapshot save /tmp/etcd-backup.db \
  --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/server.crt \
  --key=/etc/kubernetes/pki/etcd/server.key

# Restore etcd
ETCDCTL_API=3 etcdctl snapshot restore /tmp/etcd-backup.db \
  --data-dir=/var/lib/etcd-from-backup

After restoring, you need to update the etcd pod manifest to point to the new data directory. That second step trips people up on exam day.

kubeadm cluster upgrades are also a common exam task. The process is:

  1. Upgrade kubeadm on the control plane node
  2. Run kubeadm upgrade plan to verify
  3. Run kubeadm upgrade apply v1.XX.X
  4. Upgrade kubelet and kubectl
  5. Restart the kubelet
  6. Repeat on worker nodes (using kubeadm upgrade node instead)

Practice this a few times. The order matters.

Weeks 5 to 7: Networking and Services

Networking trips up a lot of people. The concepts are not hard, but the troubleshooting can be.

What to learn:

  • Services: ClusterIP, NodePort, LoadBalancer
  • Exposing applications with kubectl expose
  • Ingress resources and Ingress controllers
  • CoreDNS and how DNS resolution works in a cluster
  • NetworkPolicies (ingress and egress rules)
  • Understanding Pod-to-Pod, Pod-to-Service, and external communication

NetworkPolicies are high-value exam questions. The YAML for network policies is not intuitive, so practice writing them by hand. A common pattern:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080

Remember: once you apply any NetworkPolicy to a Pod, all traffic not explicitly allowed is denied. That default-deny behavior catches people off guard.

Weeks 7 to 8: Storage

Storage is only 10% of the exam, but it is easy points if you know it.

What to learn:

  • Persistent Volumes (PV) and Persistent Volume Claims (PVC)
  • StorageClasses and dynamic provisioning
  • Volume access modes (ReadWriteOnce, ReadOnlyMany, ReadWriteMany)
  • Using volumes in Pod specs
  • Configuring Pods to use PVCs

The typical exam question gives you a PV definition and asks you to create a PVC that binds to it, then mount it in a Pod. Practice this flow until you can do it without checking the docs.

Weeks 8 to 10: Troubleshooting

Troubleshooting is 30% of the exam. This is where you win or lose.

What to learn:

  • Debugging Pods (CrashLoopBackOff, ImagePullBackOff, Pending)
  • Debugging Services (endpoints, selectors, ports)
  • Debugging cluster components (kubelet, API server, scheduler, controller manager)
  • Reading logs from control plane components
  • Checking node status and conditions
  • Fixing broken kubelet configurations

Build a troubleshooting checklist:

When a Pod is not running:

  1. kubectl get pods to see the status
  2. kubectl describe pod <name> to check events
  3. kubectl logs <pod> to see container output
  4. Check if the image exists and is accessible
  5. Check resource limits (is the node out of resources?)
  6. Check node taints and Pod tolerations

When a Service is not reachable:

  1. kubectl get endpoints <service> to check if Pods are registered
  2. Verify the selector matches the Pod labels
  3. Check the target port matches what the container is listening on
  4. Test from within the cluster using a debug Pod

When a control plane component is down:

  1. Check static pod manifests in /etc/kubernetes/manifests/
  2. Check kubelet logs with journalctl -u kubelet
  3. Look at container runtime logs
  4. Verify certificates have not expired

Practice breaking things on purpose and fixing them. That is the best way to build this skill.

Get hands-on practice

The CKA exam comes with two practice simulator sessions. They are harder than the real exam, which is exactly what you want.

Register for the CKA Exam

Exam Day Tips That Actually Matter

Set up your terminal first

You get a few minutes at the start to set up your environment. Use them.

# Set the kubectl alias (usually already set, but verify)
alias k=kubectl

# Enable autocompletion
source <(kubectl completion bash)
complete -F __start_kubectl k

# Set your default editor
export EDITOR=vim

The alias and autocompletion save you hundreds of keystrokes over two hours. That is not a small thing.

Use the right vim settings

If you use vim (and you should, since it is available on every exam node), add these settings:

# Add to ~/.vimrc at the start of the exam
set tabstop=2
set shiftwidth=2
set expandtab

YAML is whitespace-sensitive. A single wrong indent and your resource will fail to create. These vim settings make sure you get consistent 2-space indentation.

Read the question weight

Each question shows how many points it is worth. If a question is worth 2% and you have been stuck on it for 10 minutes, move on. Come back later if you have time. The questions worth 7% or 8% deserve more of your attention.

Use the imperative approach whenever possible

Writing YAML from scratch is slow. Use imperative commands to generate a starting point, then modify as needed.

# Create a pod
k run nginx --image=nginx

# Create a deployment
k create deployment web --image=nginx --replicas=3

# Expose a deployment as a service
k expose deployment web --port=80 --target-port=80 --type=NodePort

# Create a service account
k create serviceaccount my-sa

# Create a role
k create role pod-reader --verb=get,list,watch --resource=pods

# Create a rolebinding
k create rolebinding read-pods --role=pod-reader --serviceaccount=default:my-sa

Every command you can run imperatively instead of writing YAML saves you 2 to 5 minutes.

Context switching

The exam uses multiple clusters. Each question tells you which cluster to use and gives you the command to switch. Always run the context switch command before answering. If you solve the problem on the wrong cluster, you get zero points and waste time.

# Always run the provided context command first
kubectl config use-context <cluster-name>

# Verify you are on the right cluster
kubectl config current-context

Make this a habit during practice. It will save you on exam day.

Best CKA Study Resources

Courses

The Linux Foundation's official CKA training (Kubernetes Fundamentals, LFS258) is thorough and comprehensive. Good if you want deep understanding of the internals and exam-specific prep.

Choose a structured training course that includes hands-on labs so you practice as you learn. Labs are critical for building the speed you need on exam day.

Practice Environments

Practice sessions are included free with your exam registration (two sessions, 36 hours each). The questions are harder than the real exam. If you can pass the practice exam, you can pass the CKA. Use both sessions. Do the first one a week before your exam and the second one 2 to 3 days before.

Your own cluster using kind, minikube, or kubeadm on VMs is the best long-term practice. Build, break, fix, repeat.

Documentation

Bookmark these pages. You will use them during the exam:

Practice navigating the docs quickly. Know where to find the YAML spec for common resources. On exam day you do not have time to browse.

Common Mistakes That Fail People

Not practicing in a terminal. Reading about Kubernetes is not the same as using Kubernetes. The exam is 100% hands-on. If your study is 80% reading and 20% doing, flip that ratio.

Spending too long on one question. Some questions are genuinely hard. If you are stuck after 5 to 7 minutes, flag it and move on. Easier questions later in the exam might be worth the same points.

Forgetting to switch contexts. Every question specifies a cluster. If you forget to switch, you do the work on the wrong cluster. Zero points.

Fighting with YAML indentation. Set up your vim/nano properly at the start. Use --dry-run=client -o yaml to generate templates. Do not write YAML from scratch unless you absolutely have to.

Skipping the practice exams. They come free with your registration. They simulate the real exam environment. Not using them is like leaving points on the table.

Ignoring troubleshooting. It is 30% of the exam. Some people spend all their study time on creating resources and almost none on fixing broken ones. That is a mistake.

How Long Should You Study?

It depends on where you are starting from.

BackgroundStudy Time
Already working with Kubernetes daily3 to 4 weeks
Familiar with containers, some K8s experience6 to 8 weeks
Strong Linux skills, new to Kubernetes8 to 12 weeks
New to both Linux and KubernetesStart with LFCS first, then 8 to 12 weeks for CKA

These are estimates for studying 1 to 2 hours per day. You can compress the timeline if you can commit more time.

Is the CKA Worth It?

Short answer: yes, if you work with Kubernetes or plan to.

The CKA is the most recognized Kubernetes certification in the industry. It shows up in job postings for DevOps engineers, platform engineers, and SREs constantly. CKA holders report salaries between $130,000 and $180,000 in the US, depending on experience and location.

More importantly, the study process forces you to understand Kubernetes at a level that most people skip. You learn how the cluster actually works, not just how to copy and paste YAML files from Stack Overflow.

Read more in our full breakdown: Is Kubernetes Certification Worth It?

What Comes After the CKA?

Once you pass the CKA, you have a few paths:

CKAD if you want to add application development skills. The CKA vs CKAD comparison covers the overlap and differences. There is about 40% overlap between the two exams, so your CKA study carries over.

CKS if you want to specialize in security. The CKS requires a valid CKA, so you are already eligible. It covers cluster hardening, supply chain security, and runtime monitoring.

Kubestronaut if you want to go all the way. That means passing all five Kubernetes certifications (KCNA, KCSA, CKA, CKAD, CKS) and keeping them all active at the same time. The Kubestronaut path guide covers the optimal order.

Start your CKA journey

$445 includes the exam, one free retake, and two practice sessions. That retake alone makes it lower risk than most certification exams.

Register for the CKA Exam

FAQ

How hard is the CKA exam?

The CKA has a pass rate of around 50 to 60%. It is not easy, but it is very passable if you prepare properly. The difficulty comes from the time pressure, not the complexity of individual questions. Most tasks are things you would do in a real Kubernetes environment. The challenge is doing them quickly and accurately under a 2 hour limit.

Can I use notes during the CKA exam?

No. You cannot use personal notes, cheat sheets, or any external resources. You can access the official Kubernetes documentation (kubernetes.io/docs), the Kubernetes blog, and the kubectl reference during the exam. That is it.

How many questions are on the CKA exam?

The CKA has 15 to 20 performance-based tasks. The exact number varies between exam sessions. Each task has a point value, and the values are not equal. Some tasks are worth 4% while others are worth 8% or more.

What happens if I fail the CKA?

You get one free retake included with your exam purchase. You can schedule the retake whenever you are ready. If you fail the retake too, you need to purchase a new exam. Use the time between attempts to practice the areas where you struggled.

How long is the CKA valid?

The CKA certification is valid for 2 years from the date you pass. After that, you need to recertify. The recertification exam is the same as the original CKA exam.

Should I get the CKA or CKAD first?

If you manage clusters and infrastructure, get the CKA first. If you primarily write and deploy applications on Kubernetes, the CKAD might be a better starting point. Most people in DevOps or platform engineering roles start with the CKA. See our full CKA vs CKAD comparison for a detailed breakdown.

Do I need Linux experience for the CKA?

Yes. The exam environment is Linux-based and you work entirely in a terminal. You need to be comfortable with bash, file editing (vim or nano), systemd, and basic Linux troubleshooting. If you are not there yet, the LFCS or at minimum a few weeks of hands-on Linux practice should come first.

Is the CKA open book?

Yes, but with restrictions. You can access kubernetes.io/docs and the kubectl reference during the exam. You cannot access Stack Overflow, blogs, GitHub, or any other websites. The docs are a reference tool, not a study tool. If you are relying on them to figure out how to do something basic, you will run out of time.