DEV Community

Mohammed Nasser

CKA (Certified Kubernetes Administrator) Study Guide 2025

CKA (Certified Kubernetes Administrator) Study Guide

Part 1: Core Components & Scheduling

1. ETCD

Default Port: 2379

Version Differences

ETCD v2 Commands:

etcdctl set key1 value1
etcdctl get key1

ETCD v3 Commands:

export ETCDCTL_API=3
etcdctl put key1 value1
etcdctl get key1

Accessing ETCD in Kubernetes

kubectl exec etcd-controlplane -n kube-system -- sh -c \
  "ETCDCTL_API=3 etcdctl get / --prefix --keys-only --limit=10 \
  --cacert /etc/kubernetes/pki/etcd/ca.crt \
  --cert /etc/kubernetes/pki/etcd/server.crt \
  --key /etc/kubernetes/pki/etcd/server.key"

2. Pods & Deployments

Imperative vs. Declarative Commands

Generate YAML without Creating Resource:

kubectl run nginx --image=nginx --dry-run=client -o yaml

Create Deployment:

kubectl create deployment nginx --image=nginx

Generate Deployment YAML:

kubectl create deployment nginx --image=nginx --dry-run=client -o yaml

Scale Deployment:

kubectl scale deployment nginx --replicas=4

Edit Running ReplicaSet:

kubectl edit replicaset <rs-name>

ReplicaSet vs. ReplicationController

Key Difference: ReplicaSet supports selector matching (matchLabels), while ReplicationController does not.


3. Services

ClusterIP Service

kubectl expose pod redis --port=6379 --name redis-service --dry-run=client -o yaml

NodePort Service

kubectl expose pod nginx --type=NodePort --port=80 --name=nginx-service --dry-run=client -o yaml

Imperative Service Creation

kubectl create service nodeport nginx --tcp=80:80 --node-port=30080 --dry-run=client -o yaml

4. Scheduling & Affinity

Manual Scheduling

Method 1: Use nodeName in Pod definition

spec:
  nodeName: node01
  containers:
  - name: nginx
    image: nginx

Method 2: Use pod-binding-definition.yaml

Labels & Selectors

Get Pods with Multiple Selectors:

kubectl get pods --selector env=dev,bu=finance

Taints & Tolerations

Taint a Node:

kubectl taint nodes node1 key=value:NoSchedule

Pod Tolerations Example:

tolerations:
- key: "spray"
  value: "mortein"
  effect: "NoSchedule"
  operator: "Equal"
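
The matching rule behind the taint and toleration snippets above, as an added example (not code from the original guide): a toleration covers a taint when key, effect and, for `Equal`, value all agree. The function names and sample data are constructed for illustration.

```python
def tolerates(toleration: dict, taint: dict) -> bool:
    """Return True if one toleration matches one taint."""
    operator = toleration.get("operator", "Equal")  # Equal is the API default
    key = toleration.get("key", "")
    # An empty key is only valid with Exists, and then matches every taint key.
    if key == "" and operator != "Exists":
        return False
    if key and key != taint["key"]:
        return False
    # An empty effect on the toleration matches every taint effect.
    effect = toleration.get("effect", "")
    if effect and effect != taint["effect"]:
        return False
    if operator == "Exists":
        return True  # Exists ignores the taint's value
    return toleration.get("value", "") == taint.get("value", "")


def untolerated_taints(pod_tolerations: list, node_taints: list) -> list:
    """Taints that keep the pod off the node (PreferNoSchedule never blocks)."""
    blocking = [t for t in node_taints
                if t["effect"] in ("NoSchedule", "NoExecute")]
    return [t for t in blocking
            if not any(tolerates(tol, t) for tol in pod_tolerations)]


# Constructed sample data reusing the key/value pair from the snippet above.
NODE_TAINTS = [{"key": "spray", "value": "mortein", "effect": "NoSchedule"}]
PAGE_TOLERATION = [{"key": "spray", "value": "mortein",
                    "effect": "NoSchedule", "operator": "Equal"}]
WRONG_VALUE = [{"key": "spray", "value": "raid",
                "effect": "NoSchedule", "operator": "Equal"}]
TOLERATE_ALL = [{"operator": "Exists"}]  # no key: tolerates every taint

if __name__ == "__main__":
    cases = [("page toleration", PAGE_TOLERATION), ("wrong value", WRONG_VALUE),
             ("no tolerations", []), ("Exists wildcard", TOLERATE_ALL)]
    for name, tolerations in cases:
        left = untolerated_taints(tolerations, NODE_TAINTS)
        print(f"{name}: {'schedulable' if not left else 'blocked'}")
```

The last case is the one to look for when reviewing manifests: a bare `operator: "Exists"` toleration lets a pod land on any tainted node, including nodes tainted to keep ordinary workloads off.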

Node Affinity

affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
      - matchExpressions:
        - key: color
          operator: In
          values:
          - blue

Affinity Types:

  • requiredDuringSchedulingIgnoredDuringExecution - Hard requirement
  • preferredDuringSchedulingIgnoredDuringExecution - Soft requirement

5. Resource Management

Requests & Limits

Pod Definition Example:

resources:
  requests:
    cpu: "100m"
    memory: "256Mi"
  limits:
    cpu: "500m"
    memory: "1Gi"

LimitRange (CPU & Memory Constraints)

apiVersion: v1
kind: LimitRange
metadata:
  name: cpu-limit-range
spec:
  limits:
  - default:
      cpu: "500m"
      memory: "512Mi"
    defaultRequest:
      cpu: "100m"
      memory: "256Mi"
    max:
      cpu: "1"
      memory: "1Gi"
    min:
      cpu: "100m"
      memory: "128Mi"
    type: Container

Resource Quotas

Restrict Namespace Resource Usage:

apiVersion: v1
kind: ResourceQuota
metadata:
  name: mem-cpu-quota
  namespace: dev
spec:
  hard:
    requests.cpu: "1"
    requests.memory: 1Gi
    limits.cpu: "2"
    limits.memory: 2Gi
    pods: "10"

6. DaemonSets & Static Pods

DaemonSet Example

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: fluentd
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: fluentd
  template:
    metadata:
      labels:
        app: fluentd
    spec:
      containers:
      - name: fluentd
        image: fluentd

Use Case: Deploy one pod per node (monitoring agents, log collectors, etc.)

Static Pods

Location: /etc/kubernetes/manifests/

Example (busybox.yaml):

apiVersion: v1
kind: Pod
metadata:
  name: static-busybox
spec:
  containers:
  - name: busybox
    image: busybox
    command: ["sleep", "1000"]

Key Characteristics:

  • Managed directly by kubelet on a specific node
  • Not managed by kube-apiserver
  • Mirror pods appear in kubectl output
  • Control plane components often run as static pods

7. Custom Schedulers

Deploy Custom Scheduler

apiVersion: v1
kind: Pod
metadata:
  name: my-scheduler
  namespace: kube-system
spec:
  containers:
  - command:
    - /usr/local/bin/kube-scheduler
    - --config=/etc/kubernetes/my-scheduler-config.yaml
    image: k8s.gcr.io/kube-scheduler:v1.22.0
    name: kube-second-scheduler

Use Custom Scheduler in Pod

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  schedulerName: my-scheduler
  containers:
  - name: nginx
    image: nginx

8. Admission Controllers & Webhooks

Check Enabled Admission Controllers

kubectl exec kube-apiserver-controlplane -n kube-system -- \
  kube-apiserver -h | grep enable-admission-plugins

Mutating Webhook Example

apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: demo-webhook
webhooks:
- name: webhook-server.webhook-demo.svc
  clientConfig:
    service:
      name: webhook-server
      namespace: webhook-demo
      path: "/mutate"
    caBundle: <base64-encoded-ca-cert>
  rules:
  - operations: ["CREATE"]
    apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
  admissionReviewVersions: ["v1", "v1beta1"]
  sideEffects: None
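
What the service behind `/mutate` has to return for the configuration above, as an added example (not code from the original guide): an AdmissionReview v1 response carrying a base64-encoded JSONPatch. The policy shown (forcing pod-level `runAsNonRoot`) and the sample request are assumptions chosen for illustration.

```python
import base64
import json


def mutate(review: dict) -> dict:
    """Build the AdmissionReview v1 response for one Pod CREATE request."""
    request = review["request"]
    spec = request["object"].get("spec") or {}
    ctx = spec.get("securityContext")
    patch = []
    if ctx is None:
        # JSONPatch "add" needs an existing parent, so create the whole object.
        patch.append({"op": "add", "path": "/spec/securityContext",
                      "value": {"runAsNonRoot": True}})
    elif ctx.get("runAsNonRoot") is not True:
        patch.append({"op": "add", "path": "/spec/securityContext/runAsNonRoot",
                      "value": True})
    # uid must echo the request uid or the API server rejects the response.
    response = {"uid": request["uid"], "allowed": True}
    if patch:
        response["patchType"] = "JSONPatch"
        response["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


def decoded_patch(review: dict) -> list:
    """Decode the base64 JSONPatch from a response (empty list if none)."""
    encoded = review["response"].get("patch")
    return json.loads(base64.b64decode(encoded)) if encoded else []


def sample_review(security_context=None) -> dict:
    """Constructed AdmissionReview request for an nginx Pod."""
    spec = {"containers": [{"name": "nginx", "image": "nginx"}]}
    if security_context is not None:
        spec["securityContext"] = security_context
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": "constructed-uid-0001", "operation": "CREATE",
                        "object": {"apiVersion": "v1", "kind": "Pod",
                                   "metadata": {"name": "nginx"}, "spec": spec}}}


if __name__ == "__main__":
    for ctx in (None, {"fsGroup": 2000}, {"runAsNonRoot": True}):
        print(ctx, "->", decoded_patch(mutate(sample_review(ctx))))
```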

Common Admission Controllers:

  • NamespaceLifecycle - Prevents operations in terminating namespaces
  • LimitRanger - Enforces LimitRange constraints
  • ResourceQuota - Enforces resource quotas
  • PodSecurityPolicy - Controls pod security settings (removed in Kubernetes v1.25; replaced by Pod Security Admission)
  • DefaultStorageClass - Sets default storage class

Part 2: Operations & Advanced Topics

1. Monitoring & Metrics

Metrics Server

In-memory monitoring solution for CPU/Memory metrics.

Deploy Metrics Server:

kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml

Commands:

kubectl top nodes    # Show node resource usage
kubectl top pods     # Show pod resource usage
kubectl top pods -n kube-system --sort-by=memory
kubectl top pods -n kube-system --sort-by=cpu

Logging

# View logs
kubectl logs <pod-name>

# Stream logs (multi-container pods)
kubectl logs -f <pod-name> -c <container>

# View previous container logs
kubectl logs <pod-name> --previous

# Tail last N lines
kubectl logs <pod-name> --tail=50

2. Deployment Strategies

Strategy Types

RollingUpdate (Default):

spec:
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 25%       # Extra pods allowed during update
      maxUnavailable: 25%  # Max unavailable pods during update

Recreate:

spec:
  strategy:
    type: Recreate

Image Updates

# Update image
kubectl set image deployment/myapp nginx=nginx:1.25

# Manual edit
kubectl edit deployment/myapp

# Rollback to previous version
kubectl rollout undo deployment/myapp

# Check rollout status
kubectl rollout status deployment/myapp

# View rollout history
kubectl rollout history deployment/myapp

3. Container Configuration

Command vs Args

containers:
- name: ubuntu
  image: ubuntu
  command: ["sleep"]      # Overrides ENTRYPOINT
  args: ["5000"]          # Overrides CMD

Equivalents:

  • command = Dockerfile ENTRYPOINT
  • args = Dockerfile CMD

4. ConfigMaps & Secrets

ConfigMaps

Imperative Creation:

# From literals
kubectl create configmap app-config \
  --from-literal=APP_COLOR=blue \
  --from-literal=APP_MODE=prod

# From file
kubectl create configmap app-config \
  --from-file=config.properties

Declarative Usage:

# As environment variable
env:
- name: APP_COLOR
  valueFrom:
    configMapKeyRef:
      name: app-config
      key: APP_COLOR

# As volume
volumes:
- name: config-volume
  configMap:
    name: app-config

Secrets

Create Secret:

kubectl create secret generic db-secret \
  --from-literal=DB_HOST=mysql \
  --from-literal=DB_PASSWORD=admin123

Base64 Encoding (Secret values are encoded, not encrypted):

echo -n "secret" | base64       # Encode: c2VjcmV0
echo "c2VjcmV0" | base64 -d    # Decode: secret

Mounting Secrets:

# As environment variables
envFrom:
- secretRef:
    name: db-secret

# As volume
volumes:
- name: secret-volume
  secret:
    secretName: db-secret

5. Multi-Container Pods

Sidecar Pattern

containers:
- name: app
  image: nginx
  volumeMounts:
  - name: log-volume
    mountPath: /var/log/nginx

- name: log-collector
  image: fluentd
  volumeMounts:
  - name: log-volume
    mountPath: /var/log/nginx

volumes:
- name: log-volume
  emptyDir: {}

Init Containers

initContainers:
- name: init-db
  image: busybox
  command: ['sh', '-c', 'until nslookup db-service; do echo waiting for db; sleep 2; done']

containers:
- name: app
  image: nginx

Key Characteristics:

  • Run before app containers
  • Run sequentially (one at a time)
  • Must complete successfully before app containers start

6. Autoscaling

Horizontal Pod Autoscaler (HPA)

Imperative:

kubectl autoscale deployment/myapp --cpu-percent=50 --min=2 --max=5

Declarative:

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: myapp-hpa
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: myapp
  minReplicas: 1
  maxReplicas: 10
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 50
  - type: Resource
    resource:
      name: memory
      target:
        type: Utilization
        averageUtilization: 70

Vertical Pod Autoscaler (VPA)

apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: myapp-vpa
spec:
  targetRef:
    apiVersion: "apps/v1"
    kind: Deployment
    name: myapp
  updatePolicy:
    updateMode: "Auto"  # Options: Off, Initial, Recreate, Auto

Key Differences

| Feature | HPA | VPA |
|---|---|---|
| Scales | Pod count (horizontal) | Resource requests/limits (vertical) |
| Triggers | CPU/Memory metrics | Resource utilization over time |
| Use Case | Handle variable load | Optimize resource allocation |
| Requires Restart | No | Yes (for most modes) |

7. Cluster Maintenance

Node Operations

Drain Node (Safe maintenance):

kubectl drain node01 --ignore-daemonsets --delete-emptydir-data

Cordon Node (Mark unschedulable):

kubectl cordon node01

Uncordon Node (Allow scheduling):

kubectl uncordon node01

Upgrade Workflow

1. Upgrade Control Plane:

# Update kubeadm
apt-get update
apt-get install kubeadm=1.28.0-00

# Check upgrade plan
kubeadm upgrade plan

# Apply upgrade
kubeadm upgrade apply v1.28.0

# Upgrade kubelet and kubectl
apt-get install kubelet=1.28.0-00 kubectl=1.28.0-00
systemctl daemon-reload
systemctl restart kubelet

2. Upgrade Worker Nodes:

# On worker node
kubeadm upgrade node

# Upgrade kubelet
apt-get install kubelet=1.28.0-00
systemctl daemon-reload
systemctl restart kubelet

Upgrade Process:

  1. Drain the node
  2. Upgrade kubeadm
  3. Run kubeadm upgrade
  4. Upgrade kubelet and kubectl
  5. Restart kubelet
  6. Uncordon the node

Quick Reference

Essential Commands

# Cluster Information
kubectl cluster-info
kubectl get nodes
kubectl get componentstatuses

# Resource Management
kubectl get all -A
kubectl get pods -o wide
kubectl describe pod <pod-name>
kubectl delete pod <pod-name> --grace-period=0 --force

# Configuration
kubectl apply -f <file.yaml>
kubectl delete -f <file.yaml>
kubectl edit <resource> <name>

# Debugging
kubectl logs <pod-name>
kubectl exec -it <pod-name> -- /bin/bash
kubectl port-forward <pod-name> 8080:80

# Performance
kubectl top nodes
kubectl top pods

YAML Templates

Basic Pod:

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
  labels:
    app: myapp
spec:
  containers:
  - name: nginx
    image: nginx:1.21
    ports:
    - containerPort: 80

Basic Deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: nginx
        image: nginx:1.21

Key Takeaways

Part 1

  • ETCD v3 is the current standard
  • ReplicaSets are preferred over ReplicationControllers due to selector flexibility
  • Taints/Tolerations restrict nodes, Node Affinity attracts pods
  • Static Pods are managed by kubelet directly, not the API server
  • Custom Schedulers allow advanced scheduling logic
  • Admission Webhooks enforce policies at resource creation time

Part 2

  • Metrics Server is required for kubectl top and HPA functionality
  • RollingUpdate is the default deployment strategy (25% surge/unavailable)
  • ConfigMaps/Secrets can be mounted as environment variables or volumes
  • HPA scales pods horizontally based on metrics
  • VPA adjusts resource requests/limits vertically
  • Always drain nodes before maintenance, uncordon afterward

Exam Tips

  1. Use imperative commands with --dry-run=client -o yaml to generate YAML templates quickly
  2. Practice kubectl shortcuts: po (pods), svc (services), deploy (deployments), ns (namespaces)
  3. Bookmark Kubernetes documentation - you can reference it during the exam
  4. Master YAML indentation - use 2 spaces, never tabs
  5. Know the exam environment - Practice with vim/nano and tmux
  6. Time management - Flag difficult questions and return later
  7. Verify your changes - Always check resources after creating/modifying them

Document Version: 1.0

Last Updated: October 2025
Mohamed Nasser Mohamed
https://www.linkedin.com/in/mohamednasser8/
