CKA Certification Study Guide 2026: Pass the Kubernetes Exam

Why CKA Matters in 2026

Kubernetes runs the infrastructure behind modern applications, and the Certified Kubernetes Administrator (CKA) is the credential that proves you can manage it in production. With over 5.6 million developers using Kubernetes worldwide according to the Cloud Native Computing Foundation (CNCF), demand for qualified administrators continues to outstrip supply. The CKA stands apart from vendor-specific certifications because it tests real, hands-on skills in a live Kubernetes environment — not multiple-choice theory.

According to PayScale data referenced by Coursera, professionals with Kubernetes certification earn an average salary of $126,000 per year. The 2024 Stack Overflow Developer Survey showed that Kubernetes is used by 19.4% of all developer respondents, with adoption climbing steadily among professional developers working in cloud-native environments. Whether you are a DevOps engineer, a systems administrator, or a platform engineer, the CKA signals that you can deploy, manage, and troubleshoot Kubernetes clusters under pressure. If you are still mapping out which credentials to pursue, check out our IT Certification Roadmap 2026 to see where CKA fits in the bigger picture.

The exam costs $445 for the certification only, which includes two exam attempts and access to the Killer.sh exam simulator. You can also bundle it with the Kubernetes Fundamentals (LFS258) course for $645 or with the THRIVE-ONE annual subscription for $625. There are no formal prerequisites — anyone can register — but hands-on experience is essential to passing.

CKA Exam Structure Breakdown

The CKA is an online, proctored, performance-based exam. You get two hours to solve approximately 15-20 tasks directly in a live Kubernetes cluster from the command line. There are no multiple-choice questions. Every task requires you to create, modify, or debug Kubernetes resources using kubectl and related tools. The exam is currently based on Kubernetes v1.34, and the Linux Foundation updates the exam environment to the latest minor version within 4-8 weeks of each Kubernetes release.

The exam is divided into five domains, each weighted differently. Here is the breakdown:

Domain	Weight
Troubleshooting	30%
Cluster Architecture, Installation & Configuration	25%
Services & Networking	20%
Workloads & Scheduling	15%
Storage	10%

You need a score of 66% or higher to pass. Each task is worth a specific number of points, and partial credit is not awarded — a task is either fully correct or incorrect. This all-or-nothing scoring makes precision critical. You are allowed to access the official Kubernetes documentation during the exam, but you cannot open any other browser tabs or resources.

Troubleshooting: The Heaviest Domain

At 30% of the total score, Troubleshooting is the single most important domain on the CKA exam. This section tests your ability to diagnose and fix problems with clusters, nodes, cluster components, application resource usage, container output streams, services, and networking. Expect tasks like identifying why a pod is stuck in CrashLoopBackOff, figuring out why a node is in NotReady state, or determining why a service is not routing traffic to its pods.

Here is a concrete example of the type of troubleshooting task you might face:

A pod named api-deployment-7f9b8c6d4-x2kjp in the production namespace is in CrashLoopBackOff state. You need to identify the root cause and fix it. The approach:

Run kubectl describe pod api-deployment-7f9b8c6d4-x2kjp -n production to see events and status.
Run kubectl logs api-deployment-7f9b8c6d4-x2kjp -n production --previous to see logs from the last failed container.
Check if the issue is a missing ConfigMap, an incorrect command, a failed readiness probe, or a resource limit.
Fix the underlying Deployment or ConfigMap and verify the pod reaches Running state.

Key commands to master for this domain include kubectl describe, kubectl logs, kubectl get events, kubectl top nodes, kubectl top pods, and journalctl -u kubelet. Practice diagnosing failing DNS resolution with CoreDNS logs, broken network policies that block inter-pod communication, and nodes that have dropped out of the cluster due to certificate expiration.

Cluster Architecture and Configuration

This domain accounts for 25% of the exam and covers RBAC, cluster bootstrapping with kubeadm, highly-available control planes, Helm, Kustomize, CRDs, operators, and extension interfaces like CNI, CSI, and CRI. You need to understand how all the control plane components — kube-apiserver, etcd, kube-scheduler, kube-controller-manager — interact with each other and with worker nodes running the kubelet and kube-proxy.

One of the most common tasks in this domain is bootstrapping a new cluster. A typical task might look like this:

Install container runtime (containerd) on all nodes.
Run kubeadm init --apiserver-advertise-address=192.168.1.10 --pod-network-cidr=10.244.0.0/16 on the control plane node.
Apply a CNI plugin: kubectl apply -f https://raw.githubusercontent.com/flannel-io/flannel/master/Documentation/kube-flannel.yml
Join worker nodes using the kubeadm join command output from step 2.

RBAC tasks are equally common. You might be asked to create a Role that grants a ServiceAccount permission to list and get pods in a specific namespace, then bind that Role with a RoleBinding. Here is a practical pattern:

kubectl create role pod-reader --verb=get --verb=list --resource=pods -n monitoring
kubectl create rolebinding pod-reader-binding --role=pod-reader --serviceaccount=monitoring:prometheus -n monitoring

Know how to manage etcd backups and restores, upgrade clusters with kubeadm upgrade, and install Helm charts with custom values. Familiarity with CRDs and operators is also tested — you may need to install a custom resource definition and deploy an operator that manages instances of that resource.

Services and Networking Essentials

At 20% of the exam, Services and Networking covers pod-to-pod connectivity, NetworkPolicies, service types (ClusterIP, NodePort, LoadBalancer), Ingress resources, Gateway API, and CoreDNS. You need to understand how Kubernetes assigns IP addresses to pods, how services discover and route to backend pods via labels and selectors, and how ingress controllers expose HTTP routes to external traffic.

A typical networking task could be: Create a NetworkPolicy in the frontend namespace that allows ingress traffic only from pods in the backend namespace on port 8080. The solution looks like this:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-backend
  namespace: frontend
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: backend
    ports:
    - port: 8080

You should practice creating all three service types, configuring Ingress resources with host-based and path-based routing, and debugging CoreDNS issues when pods cannot resolve service names. Know the difference between endpoints and endpointSlices, and be comfortable using kubectl get endpoints to verify that services have healthy backends. The Gateway API is a newer addition to the curriculum — understand how GatewayClass, Gateway, and HTTPRoute resources replace traditional Ingress objects.

Workloads, Scheduling, and Storage

The Workloads and Scheduling domain (15%) covers Deployments, StatefulSets, DaemonSets, Jobs, CronJobs, ConfigMaps, Secrets, autoscaling, resource limits, node affinity, taints and tolerations, and pod admission controllers. You need to know how to perform rolling updates and rollbacks, configure horizontal pod autoscaling, and use scheduling constraints to control where pods run.

A representative task: Scale a Deployment named web-app in the staging namespace to 5 replicas, then configure a horizontal pod autoscaler that scales between 3 and 10 replicas based on CPU utilization at 70%:

kubectl scale deployment web-app --replicas=5 -n staging
kubectl autoscale deployment web-app --min=3 --max=10 --cpu-percent=70 -n staging

The Storage domain (10%) focuses on PersistentVolumes (PVs), PersistentVolumeClaims (PVCs), StorageClasses, dynamic volume provisioning, access modes, and reclaim policies. Know the difference between ReadWriteOnce, ReadWriteMany, and ReadOnlyMany access modes, and understand how StorageClasses enable dynamic provisioning without manually creating PVs.

Example storage task: Create a StorageClass named fast-ssd that provisions volumes from a specific provisioner with WaitForFirstConsumer volume binding mode, then create a PVC that uses this StorageClass:

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: fast-ssd
provisioner: pd.csi.storage.gke.io
volumeBindingMode: WaitForFirstConsumer
reclaimPolicy: Delete

8-Week Study Plan

Passing the CKA requires structured preparation. Based on the exam domains and their weights, here is an 8-week study plan designed for working professionals who can dedicate 10-15 hours per week. This approach mirrors the structured study methodology we cover in our Google Cloud Associate Engineer study guide — start with fundamentals, layer on advanced topics, then drill with timed practice.

Weeks 1-2: Foundations and Cluster Setup — Install Kubernetes locally using Minikube, kind, or kubeadm on virtual machines. Work through the official Kubernetes documentation for core concepts: Pods, Deployments, Services, ConfigMaps, and Secrets. Practice creating resources both imperatively with kubectl commands and declaratively with YAML manifests. Complete the free Kubernetes Basics interactive tutorial on the official docs.

Weeks 3-4: Cluster Architecture and Networking — Focus on the two highest-weighted domains after Troubleshooting. Practice bootstrapping clusters with kubeadm on at least two nodes. Configure RBAC with Roles and RoleBindings. Install and configure a CNI plugin (Calico, Flannel, or Cilium). Create NetworkPolicies and Ingress resources. Study CoreDNS configuration and debugging. Set up etcd and practice backup/restore procedures.

Weeks 5-6: Workloads, Storage, and Scheduling — Deploy StatefulSets and DaemonSets. Configure autoscaling with HPA. Practice node affinity, taints, and tolerations. Create StorageClasses, PVs, and PVCs. Deploy a stateful application (like MySQL or PostgreSQL) using persistent storage and verify data survives pod restarts.

Week 7: Troubleshooting Deep Dive — Dedicate this entire week to the Troubleshooting domain (30% of the exam). Intentionally break things: delete a kube-apiserver manifest, corrupt a ConfigMap, misconfigure a network policy, and practice diagnosing and fixing each issue. Use kubectl describe, kubectl logs, journalctl, and kubectl get events extensively.

Week 8: Full Practice Exams and Speed Drills — Use the Killer.sh simulator (included with your exam purchase) for full timed practice runs. Each simulator session gives you 17 questions with 36 hours of access. Focus on speed — aim to complete tasks in under 5 minutes each. Practice using kubectl aliases, bookmarks in the Kubernetes documentation, and imperative commands to generate YAML quickly (e.g., kubectl create deployment --dry-run=client -o yaml).

Practice Resources and Exam Tips

The CKA tests speed and accuracy under time pressure. Here are the resources and techniques that make the biggest difference on exam day.

Speed techniques: Set up bash aliases before the exam starts (the exam allows you to configure your shell). Essential aliases include alias k=kubectl, alias kg='k get', alias kd='k describe', and export do='--dry-run=client -o yaml'. Using k run nginx --image=nginx $do > pod.yaml to generate YAML templates saves 30-60 seconds per task compared to writing manifests from scratch.

Documentation navigation: You can access kubernetes.io/docs during the exam, but not other websites. Bookmark key pages in advance: the kubectl cheat sheet, NetworkPolicy examples, StorageClass examples, and the kubeadm upgrade documentation. Use the browser’s built-in search (Ctrl+F) to find specific examples quickly.

Context management: The exam provides multiple clusters. Always verify you are working in the correct context before executing commands. Use kubectl config use-context at the start of each task, and double-check with kubectl config current-context. Working in the wrong cluster is the single most common reason candidates lose points.

Essential practice resources: Beyond the included Killer.sh simulator, consider these options:

KodeKloud CKA course — hands-on labs aligned to each exam domain, widely recommended by certified professionals.
Minikube or kind clusters — set up a local environment for unrestricted practice without time limits.
Killer.sh additional sessions — you can purchase extra simulator attempts if you exhaust the two included sessions. For more practice resources across different certifications, see our ranking of the best IT certification practice tests.
Official Kubernetes documentation — the single most important resource during the exam. Practice finding examples quickly.

Exam-day strategy: Skim all questions first and solve the easy ones immediately — this banks points fast. Leave complex troubleshooting tasks for later. If a task takes more than 7-8 minutes, flag it and move on. You can return to flagged tasks with your remaining time. Remember that every task is independent: a mistake on one task does not affect others.