AdvancedExam Strategy 9 min read

How to Pass the CKA (Certified Kubernetes Administrator) Exam

Master kubectl, conquer the cluster — your blueprint for CKA success.

The Certified Kubernetes Administrator (CKA) exam is one of the most respected cloud-native certifications, validating your ability to design, deploy, and manage Kubernetes clusters in production. With a 2-hour performance-based test requiring hands-on kubectl and cluster administration skills, preparation must go beyond theory. This guide breaks down the exam domains, real commands you must know, time management strategies, and the exact lab setup used by successful candidates. Whether you're troubleshooting etcd backups or configuring RBAC, these steps will help you pass on your first attempt.

1

Understand the Exam Domains and Scoring

The CKA exam covers 5 domains: Cluster Architecture, Installation & Configuration (25%), Workloads & Scheduling (15%), Services & Networking (20%), Storage (10%), and Troubleshooting (30%). You need 66% to pass. The exam includes 15-20 performance-based tasks completed in a live terminal. Focus heavily on Troubleshooting — it's the largest domain and often where candidates lose time.

Bash
kubectl version --short
kubectl cluster-info

Bookmark the official Kubernetes documentation — you can open it during the exam.

Do not rely on memorization alone; you must be able to execute commands quickly under time pressure.

2

Set Up Your Practice Environment with kind or kubeadm

Install a local Kubernetes cluster using kind (Kubernetes in Docker) or kubeadm on a VM. Practice deploying a multi-node cluster from scratch. Use kubeadm init with a custom pod network CIDR, then join worker nodes. This mirrors the exam's cluster setup tasks.

Bash
kubeadm init --pod-network-cidr=10.244.0.0/16 --apiserver-advertise-address=192.168.1.100
kubeadm join 192.168.1.100:6443 --token <token> --discovery-token-ca-cert-hash sha256:<hash>

Use kind for quick cluster teardown and rebuilds — essential for practicing cluster lifecycle tasks.

3

Master kubectl Imperative Commands

The exam heavily rewards speed with imperative commands. Learn to create resources without YAML files: run pods, expose deployments, create configmaps, and set resource limits. Practice using --dry-run=client -o yaml to generate YAML quickly when needed.

Bash
kubectl run nginx --image=nginx --restart=Never --port=80 --dry-run=client -o yaml
kubectl expose pod nginx --port=80 --target-port=80 --name=nginx-svc --type=NodePort
kubectl create configmap app-config --from-literal=key1=value1 --from-literal=key2=value2

Use aliases: alias k=kubectl and alias kgp='kubectl get pods' to save seconds per command.

4

Practice etcd Backup and Restore

Etcd is the cluster's brain — backing it up is a common exam task. Use etcdctl with the correct endpoints and certificates. Practice snapshotting and restoring on a test cluster. Know the difference between etcd v2 and v3 API syntax.

Bash
ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/server.crt \
  --key=/etc/kubernetes/pki/etcd/server.key \
  snapshot save /tmp/etcd-backup.db

ETCDCTL_API=3 etcdctl snapshot restore /tmp/etcd-backup.db --data-dir=/var/lib/etcd-restore

Always verify the etcdctl API version — using v2 syntax on a v3 cluster will fail silently.

5

Configure RBAC and Network Policies

RBAC is a core domain. Create ServiceAccounts, Roles, and RoleBindings to restrict access. For network policies, define ingress and egress rules using pod selectors and namespace selectors. Test with curl from a busybox pod.

YAML
kubectl create serviceaccount my-sa
kubectl create role pod-reader --verb=get,list,watch --resource=pods
kubectl create rolebinding my-sa-binding --role=pod-reader --serviceaccount=default:my-sa

# NetworkPolicy YAML snippet
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

Use kubectl auth can-i --as=system:serviceaccount:default:my-sa to verify RBAC permissions.

6

Troubleshoot Cluster and Application Issues

Troubleshooting is 30% of the exam. Practice diagnosing: CrashLoopBackOff, ImagePullBackOff, node NotReady, and service connectivity failures. Use kubectl describe, logs, exec, and top. Check kubelet logs via journalctl and verify CNI plugin status.

Bash
kubectl describe pod failing-pod
kubectl logs failing-pod --previous
kubectl exec -it debug-pod -- sh
journalctl -u kubelet -n 50 --no-pager
kubectl get nodes -o wide
curl -k https://<node-ip>:6443/healthz

Create a debug pod with networking tools: kubectl run debug --image=nicolaka/netshoot -it --rm -- /bin/bash

7

Manage Cluster Upgrades and Drain Nodes

You must demonstrate upgrading a cluster from one minor version to the next. Practice draining nodes, upgrading kubeadm and kubelet, then uncordoning. Know the sequence: drain, upgrade kubeadm, upgrade kubelet, restart kubelet, uncordon.

Bash
kubectl drain node-1 --ignore-daemonsets --delete-emptydir-data
apt-get update && apt-get install -y kubeadm=1.28.x-00
kubeadm upgrade apply v1.28.x
apt-get install -y kubelet=1.28.x-00 kubectl=1.28.x-00
systemctl restart kubelet
kubectl uncordon node-1

Never skip the drain step — upgrading a node with running pods can cause data loss.

Key tips

  • Use the official Kubernetes documentation during the exam — it's searchable and contains YAML examples for almost every resource type.

  • Practice with a timer: set a 2-hour countdown and simulate the exam environment with 15 tasks from killer.sh or the official CKA simulator.

  • Master kubectl explain — it shows field descriptions and required API versions directly in the terminal without leaving the exam interface.

  • For etcd tasks, always check the --endpoints and certificate paths in the exam environment — they differ from your lab setup.

  • Learn to read YAML errors quickly: indentation mistakes and missing required fields are the most common syntax errors.

  • Bookmark the Kubernetes.io tasks page — it has step-by-step guides for RBAC, network policies, and cluster upgrades.

Frequently asked questions

How many questions are on the CKA exam and what is the passing score?

The CKA exam contains 15-20 performance-based tasks. The passing score is 66% (out of 100). Each task is weighted differently based on complexity. You have 2 hours to complete all tasks. The exam is proctored and you are allowed to use the official Kubernetes documentation during the test.

Can I use kubectl autocomplete during the exam?

Yes, kubectl autocomplete is available and highly recommended. Run 'source <(kubectl completion bash)' and 'complete -F __start_kubectl k' in your exam terminal. This saves significant time when typing long resource names or commands.

What version of Kubernetes is used in the CKA exam?

The CKA exam typically uses the latest stable minor version minus one (e.g., 1.28 or 1.29). The CNCF updates the exam environment every few months. Always check the official CKA curriculum page for the current version before scheduling your exam.

Is the CKA exam open book? Can I use Google?

The exam allows access to the official Kubernetes documentation at kubernetes.io/docs. You cannot use Google, forums, or any other external websites. The documentation is searchable within the exam browser. Bookmark key pages like 'kubectl Cheat Sheet' and 'Tasks' before starting.

How long should I study for the CKA exam?

Most successful candidates study 2-3 months with 10-15 hours per week. Hands-on practice is essential — at least 80% of your study time should be in a terminal. Completing the official CKA simulator (killer.sh) twice under timed conditions is a strong indicator of readiness.

Related glossary terms

Browse full glossary →

Practice with real exam questions

Apply what you just learned with exam-style practice questions.

Related guides