Kubernetes CKA Exam Cheat Sheet — 2026
> One-page quick reference for exam day | citadelcloudmanagement.com
Exam Overview
- Code: CKA | Questions: 15-20 performance-based tasks | Time: 120 minutes | Passing: 66%
- Format: Hands-on in live cluster (not multiple choice) | Cost: $395 USD (includes 1 retake)
- Open book: kubernetes.io/docs, github.com/kubernetes, kubernetes.io/blog allowed
Domain 1: Cluster Architecture (25%)
Control Plane Components
- `kube-apiserver`: front door for all API calls, handles authentication/authorization
- `etcd`: key-value store, holds all cluster state (back this up!)
- `kube-scheduler`: assigns pods to nodes based on resource requests, affinity, taints
- `kube-controller-manager`: runs controllers (ReplicaSet, Node, Job, ServiceAccount)
- `cloud-controller-manager`: integrates with cloud provider APIs (load balancers, volumes)
Worker Node Components
- `kubelet`: agent on each node, ensures containers run in pods
- `kube-proxy`: maintains network rules, handles Service networking
- Container runtime: containerd (default), CRI-O
Key Commands
```bash
kubectl cluster-info                      # Check cluster endpoint
kubectl get nodes -o wide                 # List nodes with IPs
kubectl describe node <name>              # Node details, capacity, conditions
kubectl cordon <node>                     # Mark node unschedulable
kubectl drain <node> --ignore-daemonsets  # Evict pods, prepare for maintenance
kubectl uncordon <node>                   # Mark node schedulable again
```
etcd Backup/Restore
```bash
# Save a snapshot, authenticating to etcd with its TLS certificates
ETCDCTL_API=3 etcdctl snapshot save /tmp/backup.db \
  --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/server.crt \
  --key=/etc/kubernetes/pki/etcd/server.key

# Restore the snapshot into a new data directory
ETCDCTL_API=3 etcdctl snapshot restore /tmp/backup.db --data-dir=/var/lib/etcd-restored
```
Domain 2: Workloads & Scheduling (15%)
Pod Lifecycle
- Pending → ContainerCreating → Running → Succeeded/Failed
- `restartPolicy`: Always (default for Deployments), OnFailure (Jobs), Never
Deployments & Scaling
```bash
kubectl create deployment nginx --image=nginx --replicas=3
kubectl scale deployment nginx --replicas=5
kubectl set image deployment/nginx nginx=nginx:1.25
kubectl rollout status deployment/nginx
kubectl rollout undo deployment/nginx      # Rollback
kubectl rollout history deployment/nginx   # View revisions
```
Scheduling
- `nodeSelector`: simple key-value node selection
- `nodeAffinity`: complex rules (required/preferred)
- Taints (on nodes) + Tolerations (on pods): repel pods unless tolerated
  - `kubectl taint nodes node1 key=value:NoSchedule`
- Resource requests (scheduling) vs limits (enforcement)
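
How the scheduling controls above combine in one Pod spec, as an added example that is not part of the original cheat sheet. The toleration matches the `key=value:NoSchedule` taint from the command above; the Pod name, the `disktype=ssd` node label and the zone value `zone-a` are assumptions.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: scheduled-nginx            # hypothetical name
spec:
  # Tolerates the taint set by: kubectl taint nodes node1 key=value:NoSchedule
  # A toleration only permits placement on the tainted node; it does not
  # attract the pod there. Affinity or nodeSelector does the attracting.
  tolerations:
    - key: "key"
      operator: "Equal"
      value: "value"
      effect: "NoSchedule"
  affinity:
    nodeAffinity:
      # Hard rule: the pod stays Pending if no node carries this label.
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchExpressions:
              - key: disktype      # hypothetical node label
                operator: In
                values: ["ssd"]
      # Soft rule: used for scoring among nodes that pass the hard rule.
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 50
          preference:
            matchExpressions:
              - key: topology.kubernetes.io/zone
                operator: In
                values: ["zone-a"] # hypothetical zone name
  containers:
    - name: nginx
      image: nginx:1.25
      resources:
        requests:                  # what the scheduler reserves on the node
          cpu: 100m
          memory: 128Mi
        limits:                    # enforced at runtime; exceeding memory -> OOMKilled
          cpu: 500m
          memory: 256Mi
```

If the pod stays Pending, the Events section of `kubectl describe pod scheduled-nginx` names the rule that excluded each node.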
Other Workloads
- DaemonSet: one pod per node (monitoring, logging)
- StatefulSet: ordered, stable pods (databases)
- Job: run-to-completion; CronJob: scheduled Jobs
Domain 3: Services & Networking (20%)
Service Types
- ClusterIP: internal only (default)
- NodePort: expose on each node's IP at a static port (30000-32767)
- LoadBalancer: cloud provider load balancer
- ExternalName: CNAME record to external service
Key Networking Concepts
- Every pod gets its own IP address
- Pods can communicate across nodes without NAT
- NetworkPolicy: firewall rules for pod-to-pod traffic (requires CNI that supports it)
```bash
kubectl expose deployment nginx --port=80 --type=NodePort
kubectl get svc         # List services
kubectl get endpoints   # See which pods back a service
```
Ingress
- HTTP/HTTPS routing to services based on host/path
- Requires an Ingress Controller (nginx, traefik, etc.)
- TLS termination with Secrets
DNS
- CoreDNS provides cluster DNS
- Service: `<service>.<namespace>.svc.cluster.local`
- Pod: `<pod-ip-with-dashes>.<namespace>.pod.cluster.local`
Domain 4: Storage (10%)
Volumes
- `emptyDir`: temporary, dies with pod
- `hostPath`: mount from node filesystem (testing only)
- PersistentVolume (PV): cluster-level storage resource
- PersistentVolumeClaim (PVC): request for storage by a pod
- StorageClass: dynamic provisioning of PVs
```yaml
# PVC example
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: my-pvc
spec:
  accessModes: [ReadWriteOnce]
  resources:
    requests:
      storage: 10Gi
  storageClassName: standard
```
Access Modes
- ReadWriteOnce (RWO): single node read-write
- ReadOnlyMany (ROX): multiple nodes read-only
- ReadWriteMany (RWX): multiple nodes read-write
Domain 5: Troubleshooting (30%)
Debugging Flow
- `kubectl get pods` — check status (CrashLoopBackOff, ImagePullBackOff, Pending)
- `kubectl describe pod <pod>` — events section shows why
- `kubectl logs <pod>` — application logs (`-p` for previous container)
- `kubectl exec -it <pod> -- /bin/sh` — shell into container
Common Issues
- ImagePullBackOff: wrong image name/tag, private registry auth missing
- CrashLoopBackOff: app crashing, check logs
- Pending: insufficient resources, no matching node (taints, affinity)
- OOMKilled: container exceeded memory limit
Node Troubleshooting
```bash
kubectl get nodes              # Check node status
kubectl describe node <name>   # Look at Conditions section
systemctl status kubelet       # Check kubelet on the node
journalctl -u kubelet -f       # Kubelet logs
crictl ps                      # List containers (containerd)
```
Essential kubectl Shortcuts
```bash
# Speed aliases (add to ~/.bashrc for the exam)
alias k=kubectl
export do="--dry-run=client -o yaml"

# Generate YAML without creating
k run nginx --image=nginx $do > pod.yaml
k create deployment nginx --image=nginx $do > deploy.yaml

# Quick context switching
kubectl config get-contexts
kubectl config use-context <name>
kubectl config set-context --current --namespace=<ns>
```
Exam Tips
- The exam is hands-on — practice with `kubectl` daily, not just reading
- Bookmark these docs pages: Pods, Deployments, Services, PV/PVC, NetworkPolicy, etcd backup
- Use `kubectl explain <resource>` to check field names during the exam
- Use `--dry-run=client -o yaml` to generate YAML templates quickly
- Time management: skip hard questions, come back later. 30% is troubleshooting — start there if confident