CKAD is aimed at developers who deploy and configure applications on Kubernetes — not cluster admins. The exam tilts toward workload configuration, multi-container pod patterns, resource management, and observability hooks. You still get a live cluster and two hours, but the tasks lean more toward app packaging than cluster maintenance.
Multi-container pod patterns:
Sidecar: an auxiliary container that enhances the main one (logging agent, service mesh proxy).
Ambassador: a proxy to external services (e.g., a database connection pooler).
Adapter: transforms output format for the main container.
These aren't Kubernetes constructs; they're design patterns using shared pod resources (network namespace, volumes).
Init containers: run sequentially to completion before app containers start. Used for prerequisite checks, data population, or secret retrieval. If an init container fails, the pod restarts (respects restartPolicy).
Ephemeral containers: added to running pods for debugging (kubectl debug). No resource limits, no probes, not restarted.
ConfigMap: key-value pairs or file content. Consumed as env vars (envFrom, or env with valueFrom.configMapKeyRef), as volume mounts (each key becomes a file), or via the Downward API.
Secrets: same consumption patterns but base64-encoded at rest (base64 is an encoding, not encryption). Create imperatively: kubectl create secret generic name --from-literal=key=val --from-file=path.
Downward API: exposes pod metadata (name, namespace, labels, annotations) and resource fields (requests/limits) via env vars or volume files.
Resource quotas (ResourceQuota): namespace-level limits on count and compute.
LimitRange: per-container/pod default requests/limits and min/max constraints. Fills in missing resource specs automatically.
Liveness probe: kubelet kills the container if it fails (restart).
Readiness probe: removes pod from Service endpoints if it fails (no traffic, no restart).
Startup probe: delays liveness/readiness checks until the app is ready. Use for slow-starting apps.
Probe types: httpGet, tcpSocket, exec (exit code 0 = success).
Pod lifecycle hooks: postStart (runs immediately after container starts, blocks ready state), preStop (runs before SIGTERM; use for graceful shutdown, connection draining).
terminationGracePeriodSeconds: how long Kubernetes waits after SIGTERM before sending SIGKILL (default 30s).
PodDisruptionBudget (PDB): limits voluntary disruptions during node drains or rolling updates. minAvailable or maxUnavailable specify the constraint. Essential for stateful apps during maintenance windows.
Service account tokens: automounted by default into /var/run/secrets/kubernetes.io/serviceaccount/. Set automountServiceAccountToken: false to disable for security-sensitive workloads.
CronJob: schedule in cron syntax (minute hour day month weekday), concurrencyPolicy (Allow/Forbid/Replace), successfulJobsHistoryLimit, failedJobsHistoryLimit.
Job: activeDeadlineSeconds caps total runtime, ttlSecondsAfterFinished for automatic cleanup.
Helm basics (now in CKAD scope): helm install, upgrade, rollback, uninstall. Chart structure: Chart.yaml (metadata), values.yaml (defaults), templates/ (Go templates). Override values with --set key=val or -f values-override.yaml.
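A Pod manifest that puts the probe, lifecycle-hook, grace-period and service-account settings described above side by side. This is an added example, not part of the original page; the pod name, image, port, probe paths and Secret name are assumptions.

```yaml
# Added example: every name, image, port and path below is an assumption.
apiVersion: v1
kind: Pod
metadata:
  name: web-demo
  labels:
    app: web-demo
spec:
  automountServiceAccountToken: false   # no token under /var/run/secrets/kubernetes.io/serviceaccount/
  terminationGracePeriodSeconds: 45     # default is 30s; SIGKILL follows when it expires
  containers:
  - name: web
    image: registry.example.com/web-demo:1.0   # placeholder image
    ports:
    - containerPort: 8080
    resources:               # explicit values, so no LimitRange defaults are needed
      requests: {cpu: 100m, memory: 128Mi}
      limits: {cpu: 500m, memory: 256Mi}
    startupProbe:            # liveness/readiness checks wait until this succeeds
      httpGet: {path: /healthz, port: 8080}
      periodSeconds: 5
      failureThreshold: 30   # allows up to 150s for a slow start
    livenessProbe:           # failure: kubelet restarts the container
      httpGet: {path: /healthz, port: 8080}
      periodSeconds: 10
    readinessProbe:          # failure: removed from Service endpoints, no restart
      httpGet: {path: /ready, port: 8080}
      periodSeconds: 5
    lifecycle:
      preStop:               # runs before SIGTERM; lets in-flight connections drain
        exec:
          command: ["sh", "-c", "sleep 10"]   # assumes the image ships a shell
    volumeMounts:
    - name: app-secret
      mountPath: /etc/app-secret
      readOnly: true
  volumes:
  - name: app-secret
    secret:
      secretName: web-demo-secret   # assumed to exist; each key becomes a file
```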
Misconception: The postStart hook always completes before the container ENTRYPOINT starts.
Reality: The postStart hook is not guaranteed to run before ENTRYPOINT completes; timing is non-deterministic.
Misconception: Readiness probe failure restarts the container to recover it.
Reality: Readiness probe failure removes the pod from Service endpoints but does NOT restart the container.
Misconception: Kubernetes Secrets are encrypted at rest by default.
Reality: Secrets are not encrypted at rest by default in Kubernetes; that requires etcd encryption configuration.