Certified Kubernetes Administrator (CKA) Exam Guide: Master the Kubernetes skills required for the hands-on CNCF CKA exam (English Edition)

By Gavin R. Bayfield

Kubernetes is the de facto industry-standard for production-grade container orchestration. The CNCF Certified Kubernetes Administrator (CKA) Certification is an in-demand, industry-recognised benchmark denoting the holder as possessing the expertise required to create, secure, manage and troubleshoot Kubernetes clusters.

The CNCF CKA exam is a fully hands-on, command line based assessment. This guide structure follows the CKA curriculum. Start with need-to-know Kubernetes concepts and implementation details using hands-on code examples and command line walkthroughs. You will explore core concepts including cluster architecture, installation and configuration. As the book progresses, you will master security principles with RBAC, confidently deploy and manage applications, and explore the intricacies of Kubernetes storage and networking. The following chapters on Troubleshooting and Exam Preparation provide important exam and assessment environment hints and tips, command line techniques and crucial exam strategies. The final two chapters present full-length CKA practice exams with fully-worked exam-grade solutions.

This pragmatic blend of theory, worked examples, and analysis techniques ensures the reader is primed to be successful in the real Certified Kubernetes Administrator (CKA) exam.

• Language: English
• Publisher: BPB Online LLP
• Release date: Feb 1, 2024
• ISBN: 9789355519344

Book preview

C

HAPTER

1

Introduction

Introduction

Welcome to your CNCF Certified Kubernetes Administrator (CKA) exam guide!

Kubernetes is the de facto industry standard for production-grade container orchestration. Demand for Kubernetes skills and hands-on experience in the IT market is currently surging worldwide. The CNCF CKA certification is an industry-recognized benchmark denoting the holder as demonstrably possessing the expertise required to create, secure, manage, and troubleshoot Kubernetes clusters. CCNF certifications provide a key differentiator to advanced IT professionals and contractors competing for lucrative devops, administrator, and architect jobs and contract engagements.

Structure

This chapter covers the following topics:

Prerequisites

Overview of CNCF CKA website and resources

CNF CKA exam details

CNCF handbook

CNCF curriculum overview

Registering for the CNCF CKA exam

CNCF CKA exam simulator

Using the CNCF CKA exam guide

Objectives

This book is intended for current and future devops, architects, administrators, and IT cloud professionals looking to rapidly gain hands-on technical insight into Kubernetes with a focus on skills, knowledge, and capabilities required by a competent professional Kubernetes administrator.

The primary objective of this book is to advance your technical understanding, hands-on practice preparations and CKA exam techniques to ensure you are successful at your first attempt at the CKA online proctored exam.

Originally developed by Google, CNCF formally adopted Kubernetes as an open-source and vendor-neutral container management system in 2016.

Prerequisites

CNCF does not mandate any specific prerequisites for this CKA exam. With readers from a variety of technical backgrounds, the start of each section in this book provides technical explanations of the core Kubernetes concepts. This approach will enable the candidate to develop a pragmatic technical knowledge base from which to assess and navigate each CKA scenario-based question and provision the required hands-on-keyboard outcomes in the exam. However, this book assumes the candidate already has awareness and basic technical competencies in the following subject areas:

Fundamental Kubernetes concepts: The contemporary CKA exam version is v1.28.

Container runtime: Basic understanding of a container.

Linux: A working knowledge of basic Linux skills.

Minikube: It would help to set up a simple minikube installation on a local device and /or access the online KillerCoda.com / Killer.sh CKA hands-on online practice sessions made available for free to all registered CNCF CKA candidates (see the following access details).

YAML and JSON formats: A practical working knowledge is required to manage resource files for the extensive worked examples and walkthroughs in this book.

Vim editor: The default Linux editor requires a working knowledge of the default Linux vi editor and basic commands.

Helm: Basic knowledge and command line usage.

Overview of CNCF CKA website and resources

Available during every CKA exam session, a web browser is embedded in the exam Virtual Machine (VM) to allow the candidate to access only the following URL domains and resources:

https://kubernetes.io/docs/ (including use of page search function, noting only search results in the same permitted domain should be accessed)

https://kubernetes.io/blog/

Accessible links on these domains include all language translations. For example: https://kubernetes.io/zh-cn/docs/home.

Note that in the CNCF CKA hands-on exam, it is highly unlikely that the candidate will have sufficient time to generally browse through this vast library of content available on the kubernetes.io domain. We will examine plausible exam techniques and approaches, and devise a game-plan in later section of this book. For now, it is sufficient to mention that it is strongly recommended that you, as the CKA exam candidate, become familiar with the structure of the kubernetes.io/docs domain. We will need to be comfortable performing spot-checks to access specific, targeted information if and as required.

Given this, in this book, beyond the explanations, examples, and walkthroughs, the read-on references will be structured in the following format to promote their access using the search function available in the top left panel on the kubernetes.io/docs page. Upon entering the designated search phrase, from the resultant search results, look for the indicated kubernetes.io/docs page title. It is nearly always the top search result link but always in the first three in the list. Ensure the search result domain is under kubernetes.io/docs, then click this link in the generated search results and read the related content.

Read-on Reference format in this book:

Example:

This book is filled with example command line code and scripts, in run-book style intended to be literally typed (by you) into your local minikube environment or online KillerCoda.com / Killer.sh CKA session (via your CNCF access as a registered CKA exam candidate, see section below). The aim of all these candidate hands-on exercises is to replicate and reproduce each displayed outcome as described in this section. To this end, the following nomenclature conventions have been applied.

Nomenclature

Let us take a look at the nomenclature for the book:

Command line commands, scripts, and code are presented in a different font.

The command line prompt representing the exam VM session is represented in this book (simply) using $. Each example command is presented in the form $ . For example: $ kubeadm version -o json

These code commands and command outputs are sometimes truncated to save space using the ellipsis character ... embedded directly into the code content (providing there is no loss in semantics).

Documentation references in the form of URLs are provided in the exam-friendly format as described in the last section.

The sudo command is generally used to provision elevated access on the command line and is offered as a command prefix (if appropriate) in example walkthroughs in this book. However, the use of sudo is not required on cluster configurations accessed as root (and has no adverse effect).

The terms Kubernetes and K8s are used interchangeably in this book.

CNCF CKA exam details

The CNCF CKA exam typically consists of between 16 to 18 scenario-based questions for the candidate to undertake in a single two hour (120 minute) online session. A score of 66% is the minimum mark required to pass this exam.

The displayed % weightings included with each question should aid each candidate in their assessment of which questions should be attempted and in what order, to resolve the likely path of least resistance to achieve the pass mark. Note that the percentage weightings field is no longer displayed in the real exam. A range of approaches will be presented in a later section on CKA exam techniques.

The current Kubernetes minor system version for the exam is 1.28. CNCF certification policy states that the Kubernetes version for the exam is nominally updated within 2 months of the release of the latest Kubernetes minor version.

The online cost of the exam is $395 USD at the time of writing and it does include one free retake. Note that discount codes are available as part of CNCF promotion schemes (refer to the following section).

Be aware that each certification exam attempt is monitored remotely, known as proctored, via streaming audio, video, and screen-sharing feeds from your local device environment.

The CNCF CKA certification once achieved, is valid for a period of three years before expiring.

CNCF handbook

The CNCF CKA handbook for Kubernetes v1.28 can be found at the following link:

https://docs.linuxfoundation.org/tc-docs/certification/lf-handbook2

This handbook provides extensive guidance on the CKA assessment program and process, including details of the proctored exam environment. Key information has been summarized in this section, but be aware that this is the definitive source on the CKA exam.

This CNCF handbook links to the https://github.com/cncf/curriculum repository, which contains the CKA_Curriculum_vN.nn PDF file, at the time of writing, the current filename is CKA_Curriculum_v1.28.pdf.

CNCF curriculum overview

The structure of the CNCF CKA curriculum is listed below, with the mark scheme percentage breakdown against each chapter. Notice the chapter structure of this book is modeled on these technical topic groupings to map out best the likely hands-on skills, abilities, and technical knowledge required for each of these topics in the exam.

Cluster architecture, installation and configuration: 25%

Manage Role Based Access Control (RBAC)

Use Kubeadm to install a basic cluster.

Manage a highly available Kubernetes cluster.

Provision underlying infrastructure to deploy a Kubernetes cluster.

Perform a version upgrade on a Kubernetes cluster using Kubeadm

Implement etcd backup and restore.

Workloads and scheduling: 15%

Understand deployments and how to perform rolling update and rollbacks.

Use ConfigMaps and secrets to configure applications.

Know how to scale applications.

Understand the primitives used to create robust, self-healing, application deployments.

Understand how resource limits can affect pod scheduling.

Awareness of manifest management and common templating tools.

Services and networking: 20%

Understand host networking configuration on the cluster nodes.

Understand connectivity between pods.

Understand ClusterIP, NodePort, LoadBalancer service types and endpoints.

Know how to use ingress controllers and ingress resources.

Know how to configure and use CoreDNS.

Choose an appropriate container network interface plugin.

Storage: 10%

Understand storage classes, persistent volumes.

Understand volume mode, access modes and reclaim policies for volumes.

Understand persistent volume claims primitive.

Know how to configure applications with persistent storage.

Troubleshooting: 30%

Evaluate cluster and node logging.

Understand how to monitor applications.

Manage container stdout and stderr logs.

Troubleshoot application failure.

Troubleshoot cluster component failure.

Troubleshoot networking.

Registering for the CNCF CKA exam

Registering as a CNCF CKA candidate on the CNCF website is a straight-forward process on the CNCF website https://www.cncf.io/certification/cka/.

At the bottom of this page, there is a list of links to the official CNCF CKA exam materials including the CKA candidate handbook, curriculum overview, exam tips, frequently asked questions and more.

Signing up to the CNCF (email) mailing list accessible on the CNCF CKA web page should be considered at the onset of your CNCF CKA journey since periodic CNCF promotion campaigns provide discount codes that can offer significant discounts on course bundles and exam registration fees.

Clicking this web page register for exam button on the CKA exam link navigates to the Linux foundation training and certification page:

https://training.linuxfoundation.org/certification/certified-kubernetes-administrator-cka/.

Create a free account or reuse your existing account to centrally manage your CNCF course and certification records here. Confirm you are on the certified Kubernetes administrators page and scroll down to confirm the Kubernetes version for the CKA exam. Select the link to enroll as a candidate for the CKA Exam assessment, either exam-only, or with an incorporated course bundle option.

Note: Do not forget to apply the appropriate CNCF discount code at the online payment stage (requiring a payment credit or debit card).

Upon successful enrolment, CNCF will dispatch a confirmation email containing further assessment details and useful links. Each candidate has a 12-month period in which to schedule the CKA exam sitting, noting one additional free exam re-sit is included in the prices, available if required. A passing grade in your initial exam sitting means you will not be permitted to re-sit the CKA exam to attempt to obtain a better result.

When ready, navigate to the training portal dashboard: https://trainingportal.linuxfoundation.org/learn/dashboard/

Start or resume your access to the Certified Kubernetes Administrator (CKA) course (whether enrolled on exam-only or including CNCF course bundle content).

The following landing page will be presented refer to the following image:

Figure 1.1: Screenshot of PSI exam online proctoring capability check page¹

Follow this checklist carefully when registering for your exam, in due course scheduling your proctored exam sessions. Make sure you run the Check System Requirements checks on the laptop or similar larger-screen device you intend to sit the exam on. Put thought into ensuring the local physical place where you intend to sit this online exam is a quiet, calm working environment without clutter or access to external technical resources. The CNCF CKA exam is proctored, and you will be monitored at all stages during your online exam journey to ensure you comply with the rules which will explained in detail in latter section.

Remember the exam proctor is currently a real person, there to help you. As in life, infrequently, things can go a little wrong in online exam situations, for example, with online connectivity or local device and environment glitches. Rest assured, your proctor will assist you in all scenarios, has likely seen these issues before, and will get you back on track to enable you to complete your exam with minimum fuss and maximum efficiency.

The live exam environment itself is delivered into your local system using a downloadable PSI browser that hosts a remote VM command-line based session. Each candidate must verify that their own computer system meets the minimum device operating system requirements using a link provided as part of this Exam Preparation Checklist. Run this fully automated check and adhere to all warnings and guidance provided regarding the suitability of your nominated local system. Ensure you have a performant and reliable internet connection.

An example of a satisfactory laptop environment assessment completed using this tool looks like this. Refer to the following screenshot:

Figure 1.2: Screenshot of PSI exam online proctoring capability check page²

Please refer to the following snapshot:

Figure 1.3: Screenshot of system check passed page

CNCF CKA exam simulator

Note the highlighted link in the screenshot below provides access to two crucial online resources that you will use for your exam preparations:

Figure 1.4: Screenshot of Linux foundation exam simulators dashboard

Upon registration, this CKA Simulator web page provides free access to a complete practice exam and environment, noting the exact same exam can be attempted twice. Upon exam completion, fully worked solutions and detailed explanation are provided to the candidate, providing excellent technical insight and further guidance on worked solutions. Note the site’s claim that this practice exam is deliberately a little harder than the actual CNCF CKA exam assessment. Do not be too concerned in the first sitting if everything does not go your way. Just make sure you invest the time and effort required to examine and fill any gaps in your understanding using the worked solutions, then re-sit the exam using the second link.

The CKA KillerCoda.com link shown with an arrow provides seamless access into the free CKA session emulations running the same version of Kubernetes as the current CKA exam. Note that these Kubernetes practice environments are accessible from the internet without signing up for the CNCF CKA exam. It is strongly recommended that each candidate explore these tailored Kubernetes CKA base session environments to acquire invaluable hands-on experience. Follow the set of code and command line examples and walkthroughs provided in this book using the CKA playground environments or using a suitable alternate Kubernetes cluster environment.

An example CKA KillerCoda.com practice CKA exam session is shown below. Refer to the following screenshot:

Figure 1.5: ³Screenshot of killercoda.com CKA exam session

Alternate or supplementary options for running hands-on Kubernetes practice command-line sessions include use of locally installed (single node) minikube, or VM environments from third-party cloud vendors, for example AWS, GCP or Azure.

Using this CNCF CKA exam guide

This section will explain the structure of this book and how best to use it. We of course aim to rapidly advance your K8s administrative skills and knowledge, with a pragmatic focus on what each candidate needs to know to clear the CKA exam at the first attempt.

How best to use this book depends on the reader’s breadth and scope of current Kubernetes technical administrative competencies in terms of managing a live cluster. We will need to become familiar with the CKA exam environment and associated assessment process. We will delve into the details of various exam techniques and the best use of features and nuances of the local PSI secure browser hosting the exam VM environment in a later chapter.

The chapter and section structure followed in this book closely mirrors the formal CKA curriculum listing as presented in the preceding section. This approach helps ensure the technical content, command-line input and example scenario walkthroughs in this book remain on-topic, presenting the hands-on tasks to run in a VM environment, exactly as the CKA exam will ask you to do. The CKA live exam session is effectively run in an online open book format, with Kubernetes documentation accessible from the previously identified kubernetes.io domain. With the sometimes-extended sequences of command line input required in the CKA exam, it can be a good idea to open the embedded web browser in the exam VM and quickly check documented command syntax and sequence. Here, again it is useful to reiterate that the purpose of the frequent exam friendly link blocks found throughout this book, is to introduce each simple, memorable search phrase for a specific exam topic. Enter the search phrase into the kubernetes.io/docs search field to query and directly retrieve the nominated web page containing the applicable commands you will need.

Here is a second example below, using the search phrase kubeadm upgrade to access the web page listing the required kubeadm commands, found at the top of search results page:

You, as the CKA candidate, remain in the best position to assess your Kubernetes skills and knowledge and track your progress as you advance through this book. If you are comfortable with your understanding, a good reality check is first to clearly explain the key technical principles and K8s commands to someone else in a brief and simple way (like in an interview situation). If you can read a technical book from cover to cover that is great, but if that seems daunting, or if life is too busy, that is okay too. Perhaps start by reading the chapters on curriculum areas that you are less familiar with, or particularly interested in knowing more about. At a minimum, read the sections describing the technical commands and the crucial example walkthrough where applicable.

Your exam technique is crucial and will be discussed in detail in a later chapter of this book. Again, the primary objective here is to secure your CNCF Certified Kubernetes Administrator accreditation. As a CKA exam candidate, there is no substitute for hands-on keyboard experience on CKA-compatible VM sessions, interacting with Kubernetes clusters. We learn more when something does not work the first time, whether it is your typing that needs improvement, or you are not (yet) sufficiently familiar with the inevitable sunny day and rainy day outcomes for a given K8s management process or task. The detailed troubleshooting chapter should prove useful insight when tackling these unexpected outcomes, so perhaps read this chapter early.

You will find two complete CKA practice exams in this book. Attempt these in a realistic exam situation under a strict 2-hour time constraint as in the real exam. Ensure you review the CKA exam preparation chapter and make your considered (re)evaluations on which exam approach, hints and tips, and exam readiness checklist directives work best for you. The previously identified killer.sh CKA simulator session (CNCF-sanctioned practice exam) is deliberately designed to be a little harder than the actual CKA exam so recommend tackling this (twice), and carefully study the presented online solutions in the final month before your scheduled CKA exam date.

Final advice before we dive into the CKA technical content is this, practice hands-on: practice and practice, mimic and explore, as you follow through this book, and throughout your CKA exam journey. This is indeed the most effective way to learn the art and science of effective Kubernetes cluster management and administration.

Conclusion

This chapter has explained the structure, scope and approach taken in this guide on how to succeed in your CNCF Certified Kubernetes Administrator (CKA) exam.

---

¹CREDIT: https://trainingportal.linuxfoundation.org/learn/course/certified-kubernetes-administrator-cka/exam/exam

²CREDIT: https://www.psiexams.com/test-takers/online-proctoring-guide/

³CREDIT: https://killercoda.com/playgrounds/scenario/cka

Join our book’s Discord space

Join the book’s Discord Workspace for Latest updates, Offers, Tech happenings around the world, New Release and Sessions with the Authors:

https://discord.bpbonline.com

C

HAPTER

2

Cluster Architecture, Installation and Configuration

Introduction

This chapter discusses how authentication, authorization, and Role-Based Access Controls are managed in Kubernetes. Working by examples in detailed walkthroughs, we will examine and demonstrate how to install, upgrade, and back up a Kubernetes cluster. In addition, we will examine underpinning infrastructure, version and release management, and High-Availability (HA) considerations.

Structure

This chapter covers the following topics:

Fundamentals of authentication and authorization in Kubernetes

Role based access controls

Cluster roles and role bindings

Overview of use of kubeadm

Installing a basic Kubernetes cluster using kubeadm

Walkthrough of basic cluster installation

Overview of high availability cluster etcd topologies

Kubernetes HA cluster configurations

Implementing a HA cluster

Overview of Kubernetes infrastructure

Infrastructure for Kubernetes

Overview of Kubernetes cluster maintenance

Kubernetes versioning and release management

Kubernetes upgrade process

Cluster upgrade process

Walkthrough of Kubernetes upgrade using kubeadm

Overview of etcd

Best practices for backup and restore

Walkthrough of etcd backup and restore

Objectives

The aim of this chapter is to ensure the reader acquires the skills and knowledge required to handle all CKA exam questions on cluster architecture, installation, and configuration.

Fundamentals of authentication and authorization in Kubernetes

Let us examine how authentication and authorization is managed within a Kubernetes cluster.

Authentication

The Kubernetes API server controlplane component is the central messaging hub in the Kubernetes architecture, hosting the resource-based Kubernetes API. This RESTful Kubernetes API interface serves all internal cluster components and external clients and must be secured.

In Kubernetes, there are two fundamental types of authenticated identities: users, representing real people, and service accounts, representing systems, applications, and automation. Groups can be defined to contain both authenticated and unauthenticated identities. Service accounts are modeled as a resource in the Kubernetes API (for example, manageable using kubectl commands), but users and groups are not. Users are managed for authentication purposes via entries typically contained in the default kubeconfig file (refer to the following section).

Access to the API server can be secured with a full range of authentication plugins including HTTP basic authentication (discouraged), SSH, tokens, X.509 certificates (TLS/SSL), OIDC, Authenticating Proxy and webhook tokens.

Common client tools used to interact with the API server are kubectl and curl. For example, authenticating using TLS certificates provisioned by the cluster’s configured root certificate authority (CA), as shown:

Kubeconfig

Kubernetes provisions a default kubeconfig file located at $HOME/.kube/config. Note that the filename itself is called config. This yaml file