CKA CKAD CKS Certification Guide
Learn CKA CKAD CKS Certification Guide with plain-English explanations and real examples..
20+ years shipping production infrastructure and CI/CD at scale. Written from production experience, not tutorials.
- ✓Basic Linux command line, understanding of containers (Docker), familiarity with YAML, and at least 6 months of Kubernetes experience.
Think of CKA CKAD CKS Certification Guide like a tool in your DevOps toolkit — once you understand what it does and when to reach for it, managing Kubernetes clusters becomes second nature.
A senior engineer spent 40 minutes debugging a network policy that wasn't blocking traffic. The root cause? A missing podSelector in a CKA-style cluster setup. That's the difference between knowing Kubernetes and being certified. The CKA, CKAD, and CKS exams are not multiple-choice trivia—they are grueling, hands-on tests where you must solve real problems under time pressure. If you can't debug a broken control plane or write a secure pod security policy in 30 minutes, you will fail. This guide breaks down each certification, the exact skills tested, and the production pitfalls that separate a certified engineer from a dangerous one.
The Trinity: CKA, CKAD, CKS — What Each Tests
The Certified Kubernetes Administrator (CKA) focuses on cluster operations: installing, configuring, and maintaining a Kubernetes cluster. You'll troubleshoot control plane components, manage etcd backups, and handle node failures. The Certified Kubernetes Application Developer (CKAD) tests your ability to design, build, and deploy applications on Kubernetes—think Deployments, Services, ConfigMaps, and Helm charts. The Certified Kubernetes Security Specialist (CKS) is the hardest: it covers cluster hardening, runtime security, network policies, and auditing. All three are performance-based: you SSH into a real cluster and complete tasks in a terminal. No multiple choice. No cheats. Just you and a broken cluster.
CKA Deep Dive: Cluster Architecture and Installation
The CKA exam expects you to install a cluster from scratch using kubeadm. You must know the control plane components: kube-apiserver, kube-controller-manager, kube-scheduler, and etcd. You'll configure TLS certificates, set up kubeconfig files, and join worker nodes. A common task: upgrade a cluster from one minor version to the next. You must drain nodes, upgrade kubeadm and kubelet, then uncordon. Another task: backup and restore etcd. You'll use etcdctl to snapshot and restore. Production tip: always test your backup restore in a staging environment first—etcd snapshots are version-specific.
kubeadm reset on the master node without backing up etcd. The cluster was down for 4 hours while they rebuilt from scratch.CKAD Deep Dive: Workloads and Pod Design
CKAD is about application deployment: Deployments, StatefulSets, Jobs, CronJobs, and ConfigMaps. You'll write YAML from scratch, often with strict resource limits and liveness probes. A typical task: create a Deployment with 3 replicas, rolling update strategy, and a readiness probe that checks an HTTP endpoint. You must also handle multi-container pods with sidecar patterns. Production insight: always set resource requests and limits—without them, a single pod can starve the node. Another task: expose a Deployment via a Service of type ClusterIP, then verify connectivity using a temporary pod.
kubectl run and kubectl create deployment with --dry-run=client -o yaml to generate YAML quickly, then edit.CKS Deep Dive: Cluster Hardening and Security Policies
CKS is the most demanding. You'll harden the cluster: disable anonymous access, enable RBAC, use Pod Security Standards (baseline/restricted), and configure network policies. A common task: create a NetworkPolicy that allows only specific pods to communicate. Another: use kube-bench to audit the cluster and fix CIS benchmark failures. You'll also handle runtime security: use Falco to detect anomalous behavior, and configure Seccomp profiles. Production insight: many breaches start with a container running as root. Always enforce runAsNonRoot: true and drop all capabilities.
to.Exam Strategy: Time Management and Imperative Commands
All three exams are timed. You must be fast. Use imperative commands to create resources quickly, then edit YAML for complex changes. For example, kubectl run nginx --image=nginx --restart=Never creates a pod instantly. Use --dry-run=client -o yaml to generate YAML for editing. Bookmark the Kubernetes documentation—it's allowed during the exam. But don't rely on it heavily; you'll lose time. Practice with kubectl explain to get field definitions. Production insight: in real life, you'd use GitOps tools like ArgoCD, but the exam tests raw kubectl skills.
alias k=kubectl, alias kgp='kubectl get pods', alias kaf='kubectl apply -f'. Every second counts.kubectl run to spin up a debug pod in seconds. That speed saved the cluster from a cascading failure.Troubleshooting: The Common Denominator
All three exams heavily feature troubleshooting. For CKA: a node is NotReady, a control plane component is down, or etcd is corrupted. For CKAD: a pod is CrashLoopBackOff, a Service isn't routing traffic, or a ConfigMap isn't mounted. For CKS: a PodSecurityPolicy is blocking pods, or a NetworkPolicy is too restrictive. The key is to follow a systematic approach: check events, describe resources, inspect logs, and verify connectivity. Use kubectl describe, kubectl logs, and kubectl exec. Production insight: always check kubectl get events --sort-by='.lastTimestamp' first—it often points directly to the issue.
kubectl get events. Then describe the resource. Then check logs. Never jump to conclusions.Security in Depth: CKS-Specific Topics
CKS goes beyond basic RBAC. You'll configure Pod Security Admission (PSA) to enforce standards at the namespace level. You'll use kubectl auth can-i to verify permissions. You'll also set up audit logging: configure the API server to log all requests to a file, then analyze with kubectl logs. Another topic: container runtime security with gVisor or Kata Containers. You'll also handle secrets encryption at rest using KMS. Production insight: many clusters have audit logging disabled. Enable it—it's your only forensic evidence after a breach.
Mock Exam: Putting It All Together
Let's simulate a multi-part task that spans all three certifications. Scenario: You have a cluster with a broken control plane (CKA), a misconfigured application (CKAD), and a security vulnerability (CKS). Step 1: Fix the control plane—the kube-scheduler is not running. Check the static pod manifest, restart it. Step 2: The application Deployment has a wrong image tag, causing CrashLoopBackOff. Update the image. Step 3: The cluster allows privileged containers. Create a PodSecurityPolicy that restricts to baseline. This exercise forces you to switch contexts quickly, just like the real exams.
Resources and Study Plan
Official CNCF curriculum is the starting point. Use Killer.sh for realistic practice exams—they simulate the actual terminal environment. For CKA, focus on kubeadm, etcd, and networking. For CKAD, practice writing YAML under time constraints. For CKS, use kube-bench and Falco in a lab. Study plan: 2 weeks per certification, 2 hours daily. Week 1: theory and tutorials. Week 2: mock exams. Production insight: the best preparation is running a real cluster at home with Raspberry Pis or using kind. Break it intentionally, then fix it.
Common Pitfalls and How to Avoid Them
Pitfall 1: Not reading the question carefully. The exam often has multiple parts—if you miss one, you lose points. Pitfall 2: Overusing kubectl apply -f without checking YAML syntax. Use --validate flag. Pitfall 3: Forgetting to set context or namespace. Use kubectl config set-context and kubectl config set-context --namespace. Pitfall 4: Not saving your work. The exam environment may time out. Production insight: in a real cluster, a missing --validate flag once caused a typo in a YAML file that deleted all pods in a namespace. Always validate.
kind field. The resource was created as a different type, causing a conflict. Always validate.After Certification: Maintaining Skills
Certifications expire after 3 years. But more importantly, Kubernetes evolves fast. Stay current by contributing to open source, running a home lab, or following the CNCF landscape. Production insight: the best engineers are those who break things in staging and learn from failures. Join the Kubernetes Slack community, attend KubeCon, and read the changelogs. Remember: a certification is a starting point, not a destination.
| File | Command / Code | Purpose |
|---|---|---|
| check-cluster-health.sh | kubectl get componentstatuses | The Trinity: CKA, CKAD, CKS |
| etcd-backup.sh | ETCDCTL_API=3 etcdctl snapshot save /backup/etcd-snapshot-$(date +%Y%m%d).db \ | CKA Deep Dive |
| deployment.yaml | apiVersion: apps/v1 | CKAD Deep Dive |
| network-policy.yaml | apiVersion: networking.k8s.io/v1 | CKS Deep Dive |
| quick-pod.sh | kubectl run busybox --image=busybox --restart=Never -- sleep 3600 | Exam Strategy |
| troubleshoot-pod.sh | kubectl describe pod my-pod | Troubleshooting |
| pod-security-admission.yaml | apiVersion: v1 | Security in Depth |
| mock-exam.sh | kubectl get pods -n kube-system | grep scheduler | Mock Exam |
| install-kind.sh | curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64 | Resources and Study Plan |
| validate-yaml.sh | kubectl apply -f deployment.yaml --validate=true --dry-run=client | Common Pitfalls and How to Avoid Them |
| check-k8s-version.sh | kubectl version --short | After Certification |
Key takeaways
Interview Questions on This Topic
Which certification should I take first?
Frequently Asked Questions
20+ years shipping production infrastructure and CI/CD at scale. Written from production experience, not tutorials.
That's Kubernetes. Mark it forged?
4 min read · try the examples if you haven't