How to pass Certified Kubernetes Administrator (CKA Exam) : Resources and Topics
CKA is not a tough exam, but it tests your time management and hands-on kubectl skills rather than your knowledge in multiple-choice questions: every task is solved on a live cluster.
There are many resources to study from, but if you really want to crack the exam in one go, follow these simple steps. Practice is the key. Know the imperative kubectl commands; they save time during the exam and are useful for both the CKA and the CKAD.
CKA Exam Syllabus (Topic: Weightage)
1. Cluster Architecture, Installation & Configuration: 25%
2. Services & Networking: 20%
3. Troubleshooting: 30%
4. Workloads & Scheduling: 15%
5. Storage: 10%
Best courses and resources for CKA preparation :
- https://www.udemy.com/course/certified-kubernetes-administrator-with-practice-tests/
- Certified Kubernetes Administrator 2022 [Udemy Best Course]
- https://cloudacademy.com/learning-paths/certified-kubernetes-administrator-exam-preparation-242/
- https://killer.sh/cka
- https://github.com/bbachi/CKAD-Practice-Questions
- https://kubernetes.io/docs/reference/kubectl/cheatsheet/
- https://github.com/ahmetb/kubernetes-network-policy-recipes (network policies)
Pre-setup during the exam (saves time): Once you have gained access to your terminal, it is wise to spend a couple of minutes setting up your environment. Define an alias for kubectl and two variables for flags you will otherwise type again and again (dry-run to YAML, and force-delete with no grace period):
alias k=kubectl
export do="--dry-run=client -o yaml"
k create deploy nginx --image=nginx $do
export now="--force --grace-period 0"
k delete pod x $now
CKA ( Topics and Resources)
1. Schedule a Pod on the master/control-plane node: Create a Pod that can only be scheduled on a master node, without adding new labels to any node. We need a toleration so the Pod may run on the tainted master node, and also a nodeSelector so it runs only there. With a toleration alone the Pod can still be scheduled on a master or a worker node. Both the older node-role.kubernetes.io/master taint and the newer node-role.kubernetes.io/control-plane taint are tolerated below, so the manifest works on either generation of kubeadm cluster. https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/#example-use-cases
tolerations:
- effect: NoSchedule
  key: node-role.kubernetes.io/master
- effect: NoSchedule
  key: node-role.kubernetes.io/control-plane
nodeSelector:
  node-role.kubernetes.io/control-plane: ""
2. Contexts: You have access to multiple clusters from your main terminal through kubectl contexts. List the contexts and write their names into a file.
k config get-contexts
# write the name of contexts to a file
k config get-contexts -o name > /tmp/context.file
3. Scale, roll out and roll back Deployments/StatefulSets: Create a Deployment with 3 replicas. Next, deploy a new version of the application image by performing a rolling update. Finally, roll back that update to the previous version. https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
4. Configure a livenessProbe and a readinessProbe that check whether a URL is reachable (an httpGet probe). https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
5. Kubectl sorting and output formatting: There are various Pods in all namespaces. Write into a file a command which lists all Pods sorted by their AGE or UID. Also list all Pods showing name and namespace. (A few examples are listed below.)
https://kubernetes.io/docs/reference/kubectl/cheatsheet/
# List all Pods in all namespaces sorted by creation timestamp (age)
1. kubectl get pod -A --sort-by=.metadata.creationTimestamp
# List all Pods in all namespaces sorted by UID
2. kubectl get pod -A --sort-by=.metadata.uid
# List PersistentVolumes sorted by capacity
3. kubectl get pv --sort-by=.spec.capacity.storage
# List all Pods showing name and namespace with a jsonpath expression (note the double quotes around the expression, since it contains single quotes)
4. kubectl get pods -A -o=jsonpath="{.items[*]['metadata.name', 'metadata.namespace']}"
# List Pods with the custom columns POD_NAME and POD_STATUS
5. kubectl get po -o=custom-columns='POD_NAME:.metadata.name,POD_STATUS:.status.containerStatuses[*].state'
# Check the image of a Pod's containers without the describe command
6. kubectl get po nginx -o jsonpath='{.spec.containers[*].image}{"\n"}'
6. RBAC: ServiceAccount, Role, RoleBinding. Create a new ServiceAccount in a given Namespace, then create a Role and a RoleBinding for it. https://kubernetes.io/docs/reference/access-authn-authz/rbac/
Role/binding combinations (3 of the 4 are valid):
- Role + RoleBinding (available in single Namespace, applied in single Namespace)
- ClusterRole + RoleBinding (available cluster-wide, applied in single Namespace)
- ClusterRole + ClusterRoleBinding (available cluster-wide, applied cluster-wide)
- Role + ClusterRoleBinding (NOT POSSIBLE: available in single Namespace, applied cluster-wide)
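The RBAC task done imperatively, followed by the check that proves the binding actually grants what you intended and nothing more. This is an added example, not code from the original post; the namespace team-a, ServiceAccount app-sa and Role pod-reader are assumed names, and KUBECTL can be pointed at a different kubectl binary.

```shell
# Added example (not from the original post). Assumed names: namespace team-a,
# ServiceAccount app-sa, Role pod-reader. KUBECTL may be overridden.

create_sa_role_binding() {
  ns=$1; sa=$2; role=$3
  k=${KUBECTL:-kubectl}
  "$k" create serviceaccount "$sa" -n "$ns"
  # Least privilege: grant only the verbs and resources the task asks for.
  "$k" create role "$role" -n "$ns" --verb=get,list,watch --resource=pods
  "$k" create rolebinding "$role-binding" -n "$ns" \
    --role="$role" --serviceaccount="$ns:$sa"
}

# Impersonate the ServiceAccount and ask the API server. Prints yes/no and
# exits 0 for yes, 1 for no. Always run an expected-yes AND an expected-no
# check: a binding to the wrong role or a ClusterRole by mistake shows up
# as an unexpected "yes".
sa_can() {
  ns=$1; sa=$2; verb=$3; resource=$4
  "${KUBECTL:-kubectl}" auth can-i "$verb" "$resource" -n "$ns" \
    --as="system:serviceaccount:$ns:$sa"
}

# Usage on a live cluster:
#   create_sa_role_binding team-a app-sa pod-reader
#   sa_can team-a app-sa list pods      # yes
#   sa_can team-a app-sa delete pods    # no (exit status 1)
#   sa_can team-a app-sa list secrets   # no
```

The `--as=system:serviceaccount:<namespace>:<name>` form is how you impersonate a ServiceAccount without extracting its token; it needs impersonation rights, which the exam's admin kubeconfig has.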
7. Storage, PV, PVC, Pod volume: Create a PersistentVolume with a capacity of 2Gi, accessMode ReadWriteOnce, hostPath "/mnt/data" and no storageClassName defined. Next create a new PersistentVolumeClaim. It should request 2Gi of storage, accessMode ReadWriteOnce, and should not define a storageClassName. The PVC should bind to the PV correctly. Finally create a new Deployment with the nginx image which mounts that volume at "/usr/share/nginx/html". https://kubernetes.io/docs/tasks/configure-pod-container/configure-persistent-volume-storage/
8. Node and Pod resource usage: If metrics-server is installed in the cluster, you need the kubectl commands to:
- show Nodes' resource usage (k top node)
- show Pods' and their containers' resource usage (k top pod --containers)
9. Kill the scheduler, manual scheduling:
The first step is to ssh into the master node. Temporarily stop the kube-scheduler in a way that lets you start it again afterwards: on a kubeadm cluster it is a static Pod, so move its manifest out of /etc/kubernetes/manifests and move it back later. Create a single Pod and confirm it is created but not scheduled on any node, since the kube-scheduler is stopped. Now you are the scheduler: schedule that Pod on the master node by adding nodeName under the spec section of the Pod definition file. Then force-replace the Pod that is stuck in Pending. The Pod will start running on the master as requested, although no tolerations were specified, because nodeName bypasses the scheduler and its taint checks. Start the scheduler again. Schedule a second test Pod and make sure it is running on a worker node as expected.
10. DaemonSet on all nodes: Create a DaemonSet with the image httpd:2.4-alpine and add some labels. The Pods it creates should request CPU and memory. The Pods of that DaemonSet should run on all nodes, master and worker, so make sure to add the tolerations below; without them the master's NoSchedule taint keeps the DaemonSet Pod off it. https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
tolerations:
- effect: NoSchedule
  key: node-role.kubernetes.io/master
- effect: NoSchedule
  key: node-role.kubernetes.io/control-plane
11. Multiple containers and a Pod-shared volume: Create a Pod named multi-container-pod with three containers named con1, con2 and con3. There should be a volume attached to that Pod and mounted into every container, but the volume should not be persisted or shared with other Pods (an emptyDir volume fits this).
12. Cluster Event Logging: The following command is handy
kubectl get events -A --sort-by=.metadata.creationTimestamp
13. Namespaces and API resources: Create a new Namespace. Write the names of all namespaced Kubernetes resources (like Pod, Secret, ConfigMap...) into a file. Find the Namespace with the highest number of Roles defined in it and write its name and the number of Roles into a new file.
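Both halves of task 13 as a small shell pipeline. This is an added example, not from the original post: the kubectl invocations are standard, and the sample role listing embedded below is constructed so the counting part can be run offline.

```shell
# Added example (not from the original post). The kubectl calls are
# standard; SAMPLE_ROLES is constructed data so the pipeline runs offline.

# 1. Every namespaced resource kind, one per line, into a file.
list_namespaced_resources() {
  kubectl api-resources --namespaced=true -o name > "$1"
}

# 2. Given the output of `kubectl get roles -A --no-headers` on stdin
#    (columns: NAMESPACE NAME CREATED AT), print "<namespace> <count>" for
#    the namespace with the most Roles. Column 1 is the namespace.
namespace_with_most_roles() {
  awk '{ count[$1]++ }
       END {
         best = ""
         for (ns in count)
           if (best == "" || count[ns] > count[best]) best = ns
         print best, count[best]
       }'
}

# Constructed sample of `kubectl get roles -A --no-headers` output.
SAMPLE_ROLES='default       reader                                    2024-01-01T00:00:00Z
kube-system   extension-apiserver-authentication-reader 2024-01-01T00:00:00Z
kube-system   system:controller:bootstrap-signer        2024-01-01T00:00:00Z
kube-system   system:controller:token-cleaner           2024-01-01T00:00:00Z
kube-public   system:controller:bootstrap-signer        2024-01-01T00:00:00Z
kube-public   kubeadm:bootstrap-signer-clusterinfo      2024-01-01T00:00:00Z'

# On the exam cluster:
#   kubectl get roles -A --no-headers | namespace_with_most_roles > /tmp/roles.txt
# Offline demo on the constructed sample (prints "kube-system 3"):
printf '%s\n' "$SAMPLE_ROLES" | namespace_with_most_roles
```

Use --no-headers whenever you pipe kubectl output into awk or sort; otherwise the header row is counted as a namespace called NAMESPACE.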
14. Fix the kubelet: The kubelet is not running on a worker node. Fix it and confirm that the cluster has the node available in Ready state. You should be able to schedule a Pod on that worker node afterwards. For this, ssh into the worker node and check the service status. If the kubelet is stopped, start it and enable it so it survives a reboot; if it fails to start, read its logs with journalctl and check its config and binary paths.
ps aux | grep kubelet
systemctl status kubelet
systemctl start kubelet
systemctl enable kubelet
15. Create a Secret and mount it into a Pod: Create a Pod with the image busybox which should keep running for some time. Create a Secret from a file in the same namespace and mount it read-only into the Pod at /tmp/secret. Create a new Secret in the same namespace called secret2 which should contain user=user and pass=1234. These entries should be available inside the Pod's container as the environment variables USER and PASS. Confirm everything is working. https://kubernetes.io/docs/concepts/configuration/secret/
16. Update the Kubernetes version and join the cluster: One of the nodes is running an older Kubernetes version and is not even part of the cluster. Update Kubernetes on that node to the exact version that is running on the master, then add the node to the cluster. The detailed steps are in the documentation. https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade
17. Create a static Pod and a Service: Create a static Pod named static-pod in some namespace on the master node (its manifest goes into the kubelet's static Pod directory, /etc/kubernetes/manifests on kubeadm clusters). It should use the nginx image and have resource requests for CPU and memory. Then create a NodePort Service named static-pod-service which exposes that static-pod on port 80, and check that it has Endpoints and that it is reachable through the master's internal IP address. You can connect to the internal node IPs from your main terminal.
18. etcd snapshot save and restore: Make a backup of the etcd running on the master and save it on the master node at /tmp/etcd-backup.db. Then create a Pod of any kind in the cluster. Finally restore the backup and confirm the cluster is still working (the Pod created after the snapshot should be gone). https://discuss.kubernetes.io/t/etcd-backup-and-restore-management/11019
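The etcd task as shell functions, with the TLS flags that are the usual reason a snapshot command fails on the exam. This is an added example, not from the original post. It assumes kubeadm defaults: etcd listening on https://127.0.0.1:2379, certificates under /etc/kubernetes/pki/etcd, the data directory /var/lib/etcd, and the static Pod manifest /etc/kubernetes/manifests/etcd.yaml; always confirm those paths in the etcd manifest on the cluster you are given. ETCDCTL can be pointed at a different etcdctl binary.

```shell
# Added example (not from the original post). Assumed kubeadm defaults:
# endpoint, cert paths, data dir and manifest path below. Check them in
# /etc/kubernetes/manifests/etcd.yaml before running. ETCDCTL may be overridden.

ETCD_CERTS=/etc/kubernetes/pki/etcd
ETCD_ENDPOINT=https://127.0.0.1:2379

# Save a snapshot to $1. etcdctl needs the CA, client cert and key, or it
# fails with a TLS handshake / "context deadline exceeded" error.
etcd_snapshot_save() {
  ETCDCTL_API=3 "${ETCDCTL:-etcdctl}" --endpoints="$ETCD_ENDPOINT" \
    --cacert="$ETCD_CERTS/ca.crt" \
    --cert="$ETCD_CERTS/server.crt" \
    --key="$ETCD_CERTS/server.key" \
    snapshot save "$1"
}

# Restore snapshot $1 into a NEW data directory $2. Never restore over the
# live /var/lib/etcd; the running etcd still owns it.
etcd_snapshot_restore() {
  ETCDCTL_API=3 "${ETCDCTL:-etcdctl}" snapshot restore "$1" --data-dir "$2"
}

# Print the etcd static Pod manifest $1 with the etcd-data hostPath switched
# from /var/lib/etcd to $2. Writing the result back over the file in
# /etc/kubernetes/manifests makes the kubelet restart etcd on the new
# directory; the mountPath inside the container stays /var/lib/etcd.
etcd_manifest_new_datadir() {
  sed "s#^\([[:space:]]*path:[[:space:]]*\)/var/lib/etcd\$#\1$2#" "$1"
}

# Usage on the master node:
#   etcd_snapshot_save /tmp/etcd-backup.db
#   etcd_snapshot_restore /tmp/etcd-backup.db /var/lib/etcd-from-backup
#   etcd_manifest_new_datadir /etc/kubernetes/manifests/etcd.yaml \
#       /var/lib/etcd-from-backup > /tmp/etcd.yaml \
#     && mv /tmp/etcd.yaml /etc/kubernetes/manifests/etcd.yaml
#   # wait for the etcd and kube-apiserver Pods to come back, then:
#   kubectl get pods -A
```

After the restore, expect a minute or two of API server errors while etcd and kube-apiserver restart; that is normal. If kubectl never recovers, compare the hostPath you wrote with the --data-dir argument in the manifest and check the kubelet logs.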
19. NetworkPolicy: Create a new NetworkPolicy which allows Pods in namespace test to connect to port 9000 of Pods in namespace echo. Further ensure that the new NetworkPolicy:
- does not allow access to Pods which do not listen on port 9000
- does not allow access from Pods which are not in namespace test
Remember that a NetworkPolicy is only enforced if the cluster's CNI plugin supports it, and that selecting Pods with an empty podSelector makes every Pod in that namespace isolated for the listed policyTypes.
https://kubernetes.io/docs/concepts/services-networking/network-policies/
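The policy for task 19 together with a positive and a negative connectivity probe, since a policy that is never tested from the denied side is not verified. This is an added example, not from the original post. It assumes the namespaces carry the automatic kubernetes.io/metadata.name label (set by Kubernetes since 1.21), that the CNI enforces NetworkPolicy, and that the busybox image's wget is available for the probe; the policy name allow-test-to-echo-9000 is an assumed name and KUBECTL can be pointed at a different kubectl binary.

```shell
# Added example (not from the original post). Assumes the automatic
# kubernetes.io/metadata.name namespace label, a policy-enforcing CNI and
# busybox's wget. Policy name is assumed. KUBECTL may be overridden.

# Applied in namespace echo with an empty podSelector, so every Pod there
# becomes isolated for ingress and only this rule is allowed: TCP 9000
# from Pods in namespace test. Any other port, or any other namespace,
# is dropped. Egress is left untouched.
apply_test_to_echo_policy() {
  "${KUBECTL:-kubectl}" apply -f - <<'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-test-to-echo-9000
  namespace: echo
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: test
    ports:
    - protocol: TCP
      port: 9000
EOF
}

# Probe http://$2:$3 from a throwaway busybox Pod in namespace $1.
# kubectl run -i --rm propagates the container's exit status, so this
# returns 0 when wget connected and non-zero when it was blocked.
probe_from_ns() {
  ns=$1; ip=$2; port=$3
  "${KUBECTL:-kubectl}" run "np-probe-$$" -n "$ns" --rm -i --restart=Never \
    --image=busybox:1.36 -- wget -qO- -T 3 "http://$ip:$port" \
    </dev/null >/dev/null 2>&1
}

# Usage on a live cluster (ECHO_POD_IP from `kubectl get pod -n echo -o wide`):
#   apply_test_to_echo_policy
#   probe_from_ns test    "$ECHO_POD_IP" 9000 && echo allowed   # expected
#   probe_from_ns default "$ECHO_POD_IP" 9000 || echo blocked   # expected
#   probe_from_ns test    "$ECHO_POD_IP" 8080 || echo blocked   # expected
```

If the "blocked" probes succeed, the CNI is not enforcing policy (or the namespace label is missing); check `kubectl get ns test --show-labels` before blaming the policy.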
20. Monitor the logs of Pod foo: Extract the log lines corresponding to the error unable-to-access-website.
21. Add an init container to a Pod definition file or Pod. The init container should create an empty file named /workdir/calm.txt. If the empty file is not created, the Pod should exit. https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
22. Schedule a Pod on a node: Create a Pod with the image nginx and schedule it on the node which has the label disk=ssd. https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/
23. Adding a sidecar container: Add a sidecar container, using the busybox image, to the existing Pod X. The new sidecar container should run a few commands. Use a volume, mounted at /var/log, to make the log file available to the sidecar container. https://kubernetes.io/docs/concepts/cluster-administration/logging/
24. Create a new nginx Ingress resource: Create an Ingress named minimal-ingress in the namespace default, exposing service test on path /testpath using service port 80. https://kubernetes.io/docs/concepts/services-networking/ingress/
IMPORTANT : You get two free sessions of killer.sh with your exam voucher. The sessions last 36 hours each and the questions are harder than the real CKA exam. The environment/ layout of the terminal is very similar to the real exam so it helps to become comfortable with how the real exam would look.