The Certified Kubernetes Administrator (CKA) is one of the most respected and sought-after certifications in cloud-native engineering. Unlike multiple-choice exams you can cram for overnight, the CKA puts you in a live Kubernetes cluster and asks you to perform real administrative tasks — under a ticking two-hour clock.
It is genuinely hard. The average first-attempt pass rate sits at 60–65%. But with the right preparation strategy, it is absolutely passable — and the career ROI is exceptional. DevOps engineers and platform engineers with a CKA regularly command significantly higher salaries, and the certification appears in the majority of senior Kubernetes job postings.
This guide is built for 2026. The exam curriculum was revised in early 2025, and many older guides are now outdated. Everything here reflects the current five-domain structure, the Kubernetes v1.35 environment, and tips from engineers who passed in 2025–2026.
What is the CKA Certification?
The Certified Kubernetes Administrator (CKA) is a performance-based certification offered by the Cloud Native Computing Foundation (CNCF) in partnership with the Linux Foundation. It is designed to validate that you have the practical skills to install, configure, manage, and troubleshoot production-grade Kubernetes clusters.
The key word is performance-based. There are no multiple-choice questions. Instead, you are given a set of tasks to complete directly in a live Kubernetes environment using kubectl and the command line. This is what makes the CKA both harder and more valuable than a traditional certification.
Who should get the CKA?
- DevOps engineers who manage or administer Kubernetes clusters
- Platform engineers building internal developer platforms on Kubernetes
- Site Reliability Engineers (SREs) responsible for cluster health
- Cloud engineers who want to move into Kubernetes administration
- Anyone looking to qualify for senior DevOps or cloud-native roles
Exam Details: Format, Cost, Duration, and Passing Score
| Detail | Value |
|---|---|
| Exam format | Performance-based (hands-on tasks in a live cluster) |
| Duration | 2 hours |
| Number of tasks | ~17 tasks (weighted by difficulty) |
| Passing score | 66% |
| Cost | $445 USD (includes one free retake) |
| Delivery | Remote proctored via PSI (online, from your own computer) |
| Kubernetes version | v1.35 (as of March 2026) |
| Allowed resources | kubernetes.io/docs, kubernetes.io/blog, helm.sh/docs |
| Browser | Chrome required |
| Results | Emailed within 24 hours |
| Certification validity | 2 years |
Important things to know before registering
- You get one free retake included. If you fail, you can retake after a 24-hour waiting period without paying again. Use your first attempt as a high-quality practice run if needed.
- Watch for sales. The Linux Foundation regularly runs discounts of 20–40% around KubeCon, Black Friday, and New Year. Waiting for a sale can save $100+.
- The exam tasks are weighted. A 7% task is worth more than a 3% task. Do not treat all tasks equally — prioritize higher-weight tasks when under time pressure.
- You can use the official Kubernetes docs during the exam. This is a huge advantage, but only if you know how to navigate them quickly. Practice finding things fast — searching for the right page mid-exam wastes precious minutes.
The 5 CKA Exam Domains (2026 Curriculum)
The CKA exam is divided into five domains. The most important thing to understand is that each domain carries a different weight. Your study time must be allocated accordingly. Many candidates fail because they study evenly across all topics — spending as much time on Storage (10%) as on Troubleshooting (30%).
Domain weightings at a glance
Domain 1: Troubleshooting (30%) — Your #1 priority
This is the largest domain and the one that separates candidates who pass from those who don’t. The exam is fundamentally a fixing exam, not a building exam. You will be given broken scenarios and expected to diagnose and resolve them.
Typical troubleshooting tasks include:
- A pod is in
CrashLoopBackOff— find the root cause and fix it - A worker node shows
NotReady— SSH in, fix the kubelet, rejoin the cluster - Pods cannot resolve DNS — diagnose the CoreDNS issue
- A deployment is stuck on rollout — find out why and unblock it
- An application cannot reach another service — trace the network path and fix it
Master these commands for troubleshooting: kubectl describe, kubectl logs, kubectl logs --previous, kubectl exec -it, journalctl -u kubelet, and systemctl status kubelet.
Domain 2: Cluster Architecture, Installation & Configuration (25%)
This domain covers the core mechanics of how a Kubernetes cluster is built and managed. Key topics:
- Installing and bootstrapping a cluster with
kubeadm - Upgrading a cluster (control plane + worker nodes) using
kubeadm upgrade - Backing up and restoring
etcdusingetcdctl - Managing RBAC — creating Roles, ClusterRoles, RoleBindings, and ServiceAccounts
- Understanding control plane components: API server, etcd, scheduler, controller manager
The etcd backup and restore task appears in almost every exam attempt. Practice this until you can do it in under five minutes without looking at the docs. It is worth significant marks.
Domain 3: Services & Networking (20%)
Networking is where many candidates struggle. You need a solid understanding of how traffic flows inside and between pods, and how to control it. Key topics:
- Services: ClusterIP, NodePort, LoadBalancer — know when and how to use each
- NetworkPolicies — creating deny-all and selective allow policies
- CoreDNS configuration and troubleshooting
- Ingress controllers and Ingress resources
- Gateway API (newly GA in Kubernetes v1.35 — questions have appeared on recent exams)
Domain 4: Workloads & Scheduling (15%)
This domain tests your ability to manage applications running on the cluster:
- Deployments, ReplicaSets, DaemonSets, StatefulSets, Jobs, and CronJobs
- Rolling updates and rollbacks
- ConfigMaps and Secrets — creating and mounting them in pods
- Resource requests and limits
- Node affinity, taints and tolerations, pod affinity
- Horizontal Pod Autoscaler (HPA)
Domain 5: Storage (10%)
Storage questions are fewer but still appear. Make sure you can:
- Create PersistentVolumes (PV) and PersistentVolumeClaims (PVC)
- Understand StorageClasses and dynamic provisioning
- Mount volumes into pods using
volumeMounts - Understand access modes: ReadWriteOnce, ReadOnlyMany, ReadWriteMany
Prerequisites: Are You Ready to Start?
The CKA does not have formal prerequisites, but your study time will vary significantly based on your current experience level.
| Your background | Estimated study time |
|---|---|
| Active Kubernetes admin with daily cluster work | 4–6 weeks |
| Docker/containers experience, some Kubernetes exposure | 8–10 weeks |
| Strong Linux and networking background, new to K8s | 10–14 weeks |
| Complete beginner to containers and orchestration | 4–6 months |
Before starting CKA preparation, you should be comfortable with:
- Linux command line (file navigation, process management,
systemctl,journalctl) - Basic networking concepts (TCP/IP, DNS, ports, firewalls)
- Docker and containers (what a container is, how images work)
- YAML syntax — you will write a lot of YAML under time pressure
12-Week CKA Study Plan
This plan is built for someone with basic Kubernetes familiarity who can dedicate about 1–2 hours per weekday and 3–4 hours on weekends. Adjust the pace based on your starting point.
- Complete the Kubernetes architecture module in your chosen course (see resources below)
- Set up a local practice environment using
minikubeorkind - Learn and practice core
kubectlcommands daily - Understand the role of each control plane component: API server, etcd, scheduler, controller manager
- Practice
kubeadm initand joining worker nodes
- Deploy Deployments, DaemonSets, StatefulSets, Jobs, and CronJobs using imperative commands
- Practice rolling updates, rollbacks, and scaling
- Work with ConfigMaps and Secrets — create them and mount them in pods
- Practice taints, tolerations, and node affinity rules
- Set resource requests and limits on pods
- Understand ClusterIP, NodePort, and LoadBalancer services — create each type
- Create and test NetworkPolicies (deny-all, allow specific pods)
- Set up and troubleshoot CoreDNS
- Configure Ingress resources and understand how Ingress controllers work
- Study the Gateway API — it appears on the current exam
- Create PersistentVolumes and PersistentVolumeClaims manually
- Understand StorageClasses and dynamic provisioning
- Deep-dive into RBAC: create Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings
- Create ServiceAccounts and bind them to Roles
- Practice using
kubectl auth can-ito verify permissions
- Practice the full
kubeadm upgradeworkflow on a multi-node cluster - Master
etcdctl snapshot saveandetcdctl snapshot restore— do this 10+ times - Practice draining and uncordoning nodes
- Understand cluster backup and disaster recovery strategies
- Set up and verify cluster component health with
kubectl get componentstatuses
- Deliberately break your cluster: stop kubelet, delete kube-proxy, misconfigure a pod — then fix it
- Practice diagnosing pods in
CrashLoopBackOff,ImagePullBackOff, andPendingstates - Use both sessions of the included killer.sh simulator
- Time yourself on every practice scenario — two hours goes fast
- Review the official CNCF curriculum one final time and fill any gaps
- Practice your exam environment setup routine (aliases, vim config)
Best Study Resources for 2026
Most popular
Hands-on practice
Included with exam
Free labs
Allowed in exam
Deep understanding
Essential kubectl Commands and Shortcuts
Speed is critical in the CKA exam. You have roughly 7 minutes per task on average. Every second saved typing commands is a second you can spend solving the actual problem. Set up these shortcuts at the very beginning of your exam session — before you start any tasks.
Set up your environment first (do this before task 1)
# Enable kubectl autocomplete
source <(kubectl completion bash)
echo "source <(kubectl completion bash)" >> ~/.bashrc
# Set alias for kubectl
alias k=kubectl
complete -F __start_kubectl k
# Set vim as default editor
export KUBE_EDITOR=vim
# Useful vim settings (~/.vimrc)
set expandtab
set tabstop=2
set shiftwidth=2Fastest ways to create resources imperatively
# Create a pod quickly
k run nginx --image=nginx --restart=Never
# Generate a pod YAML without creating it
k run nginx --image=nginx --restart=Never --dry-run=client -o yaml > pod.yaml
# Create a deployment
k create deployment webapp --image=nginx --replicas=3
# Expose a deployment as a service
k expose deployment webapp --port=80 --type=ClusterIP
# Create a ConfigMap
k create configmap app-config --from-literal=ENV=production
# Create a Secret
k create secret generic app-secret --from-literal=password=S3cur3!
# Scale a deployment
k scale deployment webapp --replicas=5
# Create a ServiceAccount
k create serviceaccount my-sa
# Create a Role
k create role pod-reader --verb=get,list,watch --resource=pods
# Bind a Role to a user
k create rolebinding pod-reader-binding --role=pod-reader --user=jane
# Check RBAC permissions
k auth can-i list pods --as=janeCritical troubleshooting commands
# Check pod status and events
k describe pod <pod-name>
# View logs
k logs <pod-name>
k logs <pod-name> --previous # logs from crashed container
# Execute into a running container
k exec -it <pod-name> -- /bin/sh
# Check node status
k get nodes
k describe node <node-name>
# Check kubelet on a worker node (SSH in first)
systemctl status kubelet
journalctl -u kubelet -f
# Check control plane components
k get pods -n kube-system
# Check events across the cluster
k get events --sort-by=.metadata.creationTimestampetcd backup and restore — memorize this
# Backup etcd
ETCDCTL_API=3 etcdctl snapshot save /opt/etcd-backup.db \
--endpoints=https://127.0.0.1:2379 \
--cacert=/etc/kubernetes/pki/etcd/ca.crt \
--cert=/etc/kubernetes/pki/etcd/server.crt \
--key=/etc/kubernetes/pki/etcd/server.key
# Verify the backup
ETCDCTL_API=3 etcdctl snapshot status /opt/etcd-backup.db
# Restore etcd
ETCDCTL_API=3 etcdctl snapshot restore /opt/etcd-backup.db \
--data-dir=/var/lib/etcd-restored--dry-run=client -o yaml pattern is your best friend in the exam. Generate a YAML template imperatively, redirect it to a file, then edit only what you need to change. This is ten times faster than writing YAML from scratch.How to Use killer.sh Effectively
Your exam purchase includes two 36-hour killer.sh simulator sessions. This is the single best exam preparation tool available and you should not waste it.
When to use your sessions
- Session 1: At the end of week 10 (after you have covered all domains). Use it as a diagnostic — your score tells you exactly which domains need more work. Do not check solutions until you have tried everything.
- Session 2: 3–4 days before your exam date. This is your final rehearsal. Time yourself strictly.
What to expect from killer.sh
- killer.sh is intentionally harder and longer than the real exam. This is by design.
- Most candidates score 40–65% on their first session. This does not mean you will fail the real exam.
- The value is not in the score — it is in reviewing every solution, understanding why your approach was wrong or slower, and building muscle memory for the exam interface.
How to get maximum value from each session
- Simulate real exam conditions — no notes, no external resources except kubernetes.io, strict 2-hour timer.
- After time is up, spend 2–3 hours reviewing every solution — even the ones you got right. There is often a faster approach.
- Write down every command you had to look up. Drill those commands over the next few days.
- Pay attention to how the killer.sh solutions navigate the docs — their patterns are efficient and worth copying.
Exam Day Strategy: How to Manage 2 Hours
Time management is the CKA’s hardest challenge for most candidates. Two hours sounds like plenty. With 17 tasks in an unfamiliar environment, under stress, it evaporates.
The two-pass strategy
- First pass (60–70 min): Work through tasks in order. Answer everything you can do confidently and quickly. If a task is going to take more than 5 minutes and you are not sure how to approach it — flag it and move on. Do not let one hard task eat 20 minutes of your exam time.
- Second pass (remaining time): Return to flagged tasks. Now you have answered the high-confidence tasks and secured those marks. Tackle the harder ones with a clear head.
Check task weights before deciding how long to spend
Each task displays its percentage weight. A 3% task that is stumping you is not worth 15 minutes of your time. A 7% task that you are close to solving is absolutely worth 10 minutes. Always weigh the mark value before deciding to persist or skip.
Before starting any tasks — set up your terminal
Spend the first 3–5 minutes setting up your environment: kubectl autocomplete, the k alias, vim config, and any other shortcuts. This investment pays back immediately across every task.
Practical exam day checklist
- Test your internet connection and webcam the night before
- Clear your desk — the proctor will ask you to show your entire workspace on camera
- Have a valid government-issued photo ID ready
- Use Chrome (other browsers are not supported)
- Book your slot for a time when you are most alert — morning works best for most people
- Do a light review the day before — do not cram new material the night before
- Pre-bookmark these pages in the exam browser: kubectl cheat sheet, kubeadm upgrade docs, etcd backup docs, NetworkPolicy examples
Key Topics You Must Master: etcd, RBAC, and Networking
These three areas appear on almost every CKA attempt and carry significant combined weight. They deserve dedicated deep-practice sessions.
etcd backup and restore
This task appears consistently and carries high marks. The commands are exact and unforgiving — a wrong certificate path means the command fails silently or with a cryptic error. Practice this specific workflow on a real cluster at least 10 times until it is completely automatic.
Key things to remember:
- Always set
ETCDCTL_API=3— the v2 API will not work for snapshots - The certificate files are always at
/etc/kubernetes/pki/etcd/on a kubeadm cluster - After restoring, update the etcd static pod manifest to point to the new data directory
- Use
snapshot statusto verify your backup before calling it done
RBAC
RBAC questions test whether you can control who can do what in a Kubernetes cluster. Practice these patterns until they are second nature:
# Create a Role that allows listing pods in a specific namespace
k create role pod-reader -n dev \
--verb=get,list,watch \
--resource=pods
# Bind that role to a user
k create rolebinding pod-reader-binding -n dev \
--role=pod-reader \
--user=alice
# Verify: can alice list pods in dev?
k auth can-i list pods -n dev --as=alice
# Create a ClusterRole (cluster-wide)
k create clusterrole node-reader \
--verb=get,list \
--resource=nodes
# Bind to a ServiceAccount
k create clusterrolebinding node-reader-binding \
--clusterrole=node-reader \
--serviceaccount=default:my-saNetworkPolicy
Network policies are frequently tested and are where candidates lose marks through minor YAML errors. The key pattern to master is the “deny all, then allow specific” approach:
# Step 1: Deny all ingress to pods with label app=backend
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all-ingress
namespace: production
spec:
podSelector:
matchLabels:
app: backend
policyTypes:
- Ingress
---
# Step 2: Allow only pods with label app=frontend to reach backend on port 8080
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-frontend
namespace: production
spec:
podSelector:
matchLabels:
app: backend
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
ports:
- protocol: TCP
port: 8080Common Mistakes That Cause Candidates to Fail
- Not switching context before starting a task. Each task specifies a cluster context. If you forget to run
kubectl config use-context <context-name>, you will apply your changes to the wrong cluster and get zero marks for that task. This is the most common and most painful mistake. - Spending too long on one task. Getting stuck on a 4% question for 20 minutes while 30% worth of tasks remain untouched is how candidates fail. Learn to recognize when to flag and move on.
- Writing YAML from scratch instead of generating it. Hand-typing YAML is slow and error-prone. Always use
--dry-run=client -o yamlto generate a base YAML and then edit it. - Not verifying work. After completing a task, always verify it. If you created a pod, run
kubectl get podto confirm it is Running. If you created a service, test connectivity withkubectl exec. A task that looks done but has a typo gives zero marks. - Ignoring the namespace. Kubernetes namespaces are on every exam task. Always read the task carefully — if it specifies a namespace, add
-n <namespace>to every command. A resource created in the wrong namespace scores zero. - Relying on theory without enough hands-on practice. You cannot pass the CKA by watching videos. The exam is entirely hands-on. If you are not spending at least 70% of your study time with your hands on a real keyboard in a real cluster, you are not prepared.
- Using killer.sh too early or too late. Using it in week 2 is too early — you will not know enough to learn from the solutions. Using it the night before your exam is too late to act on what you learn.
- Overlooking the Gateway API. This was added to the curriculum in the 2025 revision and has appeared on recent exams. If you are studying from a pre-2025 guide, this topic will be missing entirely.
CKA vs CKAD vs CKS: Which One Should You Take?
| Certification | Who it is for | Focus | Prerequisite |
|---|---|---|---|
| CKA | Cluster admins, DevOps, SREs, platform engineers | Installing, managing, and troubleshooting clusters | None |
| CKAD | Developers who deploy apps on Kubernetes | Building, deploying, and configuring applications | None |
| CKS | Security engineers, senior DevOps/SREs | Hardening clusters and securing workloads | Active CKA required |
If you are in a cluster administration, DevOps, or platform engineering role — start with the CKA. It is the most versatile and has the broadest job market impact. If you are primarily a developer who deploys apps on Kubernetes but does not manage the cluster itself, the CKAD is a better fit. The CKS requires an active CKA, so you cannot skip it.
Frequently Asked Questions
How hard is the CKA exam really?
It is genuinely difficult. The industry first-attempt pass rate is around 60–65%. The combination of a live environment, strict time limit, weighted tasks, and the requirement to switch between multiple cluster contexts makes it challenging even for experienced engineers. However, with structured preparation — particularly a lot of hands-on practice — it is absolutely passable on the first attempt.
Can I use Google during the CKA exam?
No. You are only allowed to access kubernetes.io/docs, kubernetes.io/blog, and helm.sh/docs. No Stack Overflow, no GitHub, no other external resources. This is why learning to navigate the official Kubernetes docs quickly is a core exam skill.
How many times can I retake the CKA?
Your $445 exam purchase includes one free retake. If you fail both the original exam and the retake, you will need to purchase a new exam voucher to try again.
How long does it take to get CKA results?
Results are emailed within 24 hours. Most candidates receive them within 12 hours. You will receive your score and a pass/fail result. If you pass, you can download your certificate and digital badge from the Linux Foundation portal.
Is the CKA worth it in 2026?
Yes — particularly for engineers in or targeting DevOps, platform engineering, or SRE roles. Kubernetes is the backbone of cloud-native infrastructure and shows no signs of losing that position. A CKA signals proven practical ability, which is rare and valued by employers. The certification is valid for two years, so you will need to recertify by retaking the exam when it expires.
What Kubernetes version is on the 2026 CKA exam?
As of March 2026, the exam runs on Kubernetes v1.35. The exam version is updated periodically — always check the official CNCF exam handbook before your exam date to confirm the current version.
Conclusion
Your CKA preparation at a glance:
- Prioritize Troubleshooting (30%) and Cluster Architecture (25%) — they make up over half the exam
- Follow the 12-week study plan: foundations → workloads → networking → storage/RBAC → maintenance → mock exams
- Use Mumshad’s Udemy course + KodeKloud labs as your primary resources
- Master the
--dry-run=client -o yamlpattern and your terminal shortcuts - Practice etcd backup/restore until it is completely automatic
- Use killer.sh sessions strategically: once mid-prep, once 3–4 days before exam day
- On exam day: set up your aliases first, use the two-pass strategy, always switch context before each task
The CKA is one of the most rigorous certifications in cloud technology — but it is a fair exam. Everything you need to know is documented and practicable. The candidates who fail are almost always the ones who studied theory without enough hands-on time, not the ones who practiced daily on a real cluster.
Start your cluster today. Break things on purpose. Fix them. That is the real CKA study plan.
What’s next? Check out our related articles:
- Setting Up a Complete Monitoring Stack with Prometheus, Grafana, and Node Exporter on Kubernetes
- Complete DevOps CI/CD Pipeline with GitHub Actions, Docker & Kubernetes
- AZ-104 Certification Guide: Become a Microsoft Azure Administrator
- Terraform for Beginners: Provision AWS Infrastructure Step-by-Step
Have a question about CKA prep or want to share your exam experience? Leave a comment below — every question helps other readers.
