It has been a while since I posted, I think everyone says that after a long break!
I was motivated to write this post as I know several people that are looking to take their CKA soon.
I’m not going to be providing exact information that is on the exam as I believe that is against the rules. However, I will provide some hints on the resouces I used and the areas you need to focus on.
Get the best learning resources 🥇
I watched bunch of different courses in getting ready for the exam, but by far the best resources is Mumshad Mannambeth’s course on Udemy called “Prepare for the Certified Kubernetes Administrators Certification..” or you can get the course on KodeKloud. Either way you get access to the labs which are very good.
Not only does he go over, in detail the concepts, but also focus on helpful tips that help you pass the exam. Honestly, just going by the k8s documentation online is NOT enough.
Note that when you sign up for the CKA you get access to two free goes at killer.sh which is designed to be harder than the CKA. I recommend that you gives these a go sooner than later as they are a great learning tool. But, don’t be too dishearted if you don’t complete them in the alloted 120 min, they are tough!
Need for speed 🚀
The next thing you need to know is that the 2 hour exam goes past very quickly, your fingers will likely not stop moving the whole time.
Because of this the use of imperative commands is a MUST, there is certainly no time to create yaml files, espcially for the easier questions like updating an image or scaling the number of pods in a deployment.
One resource that I found to help with this is:
https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands
One helpful thing I found that I believe is a fairly new addition is the imperative command to create ingress rules.
https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#-em-ingress-em-
Remember that you allowed to access the K8s website during the exam, this includes the above resources. I’ll come back to this point later.
Note that the areas that you have to create yaml files are; PV, PVC, Storage Classes and Network policies. I recommend spending a lot more time with these, especially Network policies, as the YAML syntax was the hardest for me.
I found this resource which helped me play around with different sceanarios.
https://github.com/ahmetb/kubernetes-network-policy-recipes
You should also study and keep a bookmark of the “cheat sheet”
https://kubernetes.io/docs/reference/kubectl/cheatsheet/
JSON path and Custom Columns
Following on from the above, for speed, familiarity with JSON path and Custom Columns will save you a lot of time when you need to get specific data.
k get nodes -o jsonpath="{.items[*].spec.podCIDR}"Fortunatly Mumshad provides a free course via KodeCloud on this subject
https://kodekloud.com/courses/json-path-quiz/
There are also useful linkes on the k8s website
https://kubernetes.io/docs/reference/kubectl/jsonpath/
When practicing I recommend that you pipe the output of jsonpath to jq which it makes it easier to naviate the json data.
Custom columns is a little easier on the syntax
k get nodes -o custom-columns=NAME:.spec.podCIDRhttps://kubernetes.io/docs/reference/kubectl/overview/#custom-columns
Create a bookmark library 📖
As stated before, you have access to the k8s website as a resource (though not the k8s forum). However, it’s not the most organised site, and searching for resources can take time, which you don’t have.
It is important to have a well organised list of references on your bookmarks bar to allow you to quickly access what you need.
I suggest organising it something like this:
- Cheat Sheet
- Installation
- Update K8s
- ETCD
- Backup
- Restore
- Storage
- PV
- PVC
- Storage Classes
Understanding K8s file locations 🔍
Knowing where key file locations are is a must, for example you need to know where static pod manifests are located, as well as certificates. For example:
/etc/kubernetes/manifests/
/etc/kubernetes/pki/Understanding KubeADM 🤓
It is important to know how K8s services run either in a KubeADM deployed environment, and one that is installed baremetal on the hosts (the hard way).
It is also important to know how to access the logs of the services depending how they have been deployed.
For example:
k logs etcd-k8scontrol -n kube-system | lessjournalctl -u kubelet.service -lAs well as knowing how to check a service running bare metal is running, and how to restart it.
systemctl start my-serviceNote that you can list all running services by simply running systemctl.
Modify VIM 🔧
The default settings of VIM can be unhelpful when writing or updating YAML. I update the .vimrc file with the following.
vim ~/.vimrcset tabstop=2
set shiftwidth-2
set expandtabSave then reload.
source ~/.vimrcUpgrade your VIM skills
I watched a few YouTube videos on VIM to help me:
- Moving around VIM faster e.g.
- shift + [ to skip paragraphs
- W to move forward by word
- Selected lines of text to delete and copy/paste (v in command mode, d cut, p paste)
- Find and replace (sed like commands)
I found upgrading these skills made me more effective and faster when I had to update or create a YAML file.
It is also useful to look into the ‘sed’ command as it is also very useful.
ETCD Backup and Restore
These are two of the most time consuming tasks so it is well worth practicing these as much as possible. I can practically recite all the commands off by heart now.
These are mainly time consuming as you need to grab the certificate locations for the ETCD pod which are listed either by running.
There are a couple ways to do it, either via kubectl:
k get pods etc-k8scontroller -o yaml | grep -i .crt
k get pods etc-k8scontroller -o yaml | grep -i .keyOr by doing a cat on the manifest file:
sudo cat /etc/kubernetes/manifests/etcd.yaml| grep -i .crt
sudo cat /etc/kubernetes/manifests/etcd.yaml | grep -i .keyIf you can memorize the locations, great, but I found it tough, plus there’s not guarentee they are in the usual location (pki).
I found that ETCD restores are more tricky. This is mainly because it is hard to try out without breaking your cluster. One trick I found useful was to do a standard VM level backup (with Veeam of course), and then simply restore if you mess it up. Note that you cannot use a Kind based multi-cluster to test as bringing down the api server will mean you lose access to the Kind cluster (as I found out).
The restore documentation can be found here, but I found it a little sparse on details.
From the other resources I’ve read, though it only recommends moving the api-server manifest from the manifests location. Moving everything is actually better as you need to restart all the system pods anyway.
mv /etc/kubernetes/manifests/*.yaml .Here we are moving the files to the current directory, this will shutdown all the system pods.
Next run the ECTD restore as per the documentation.
It states in the documentation that you need to update the ETCD address, but in all the times I’ve done this it hasn’t been a requirement.
What isn’t stated is that if you have restored the backup to a different location like /var/lib/etcd_restore then the ETCD manifest file also needs to be updated.
- hostPath:
path: /var/lib/etcd
type: DirectoryOrCreate
name: etcd-dataThen move all the manifest files back to the manifests directory.
mv *.yaml /etc/kubernetes/manifests/Obviously be careful with this command in case you have any other yaml files in the same directory.
Delete or not to delete 🤔
When you need to update a Deployment or StatefulSet you have to first dump out the YAML as most fields don’t allow inplace editing.
k get deploy my_deploy -o yaml > my_deploy.yamlThe problem with this is that it dumps out a lot of additional information that is added like “creationTimestamp” and a whole lot under “annotations”.
I have found that this additional information doesn’t cause any issues when redeploying a Deployment or StatefulSet. So I don’t recommend spending time cleaning them up.
Switching Namespaces Context
Constantly having to type the -n flag can get tiresome so you can change the namespace context the one you are working on via:
k config set-context --current --namespace=some-namespaceWARNING: remember to switch the namespace context back to “default” before moving on or you may deploy something in the wrong place!
Pick Your Targets 🎯
In the CKA you are free to move back and forward through the questions, each have a different weight. I recommend having a look through them all before jumping in, and selecting the higher value questions first. That way if you do run out of time, it is more likely going to be the easier, lower value questions.
Note, make sure that there aren’t any prerequesit steps from a previous question.
It’s pure K8s 😇
Most of the exam is pure K8s without any 3rd party integration, this means that things like Storage Classes can only relate to hostpath or local variants.
It also applies to CNI providers and Ingress Controllers, so knowing how to install one or another I don’t believe is a requirement (might want to check this one!)
I think this is due to the fact that these aren’t directly controlled by K8s and they don’t provide installation instructions on the K8s website. But you do need to know how to work with them.
Other areas
Other areas that you could study:
- Sidecar containers with communication via emptyDir
- Basic shell scripting in relation to the CMD directive in the container spec
- Use the impreative command to add these quickly
- Remember to add the –command flag so they are added under command, and not args
k run test --image=busybox --command -- sleep 1000- Exec into a specific container in a multi-container pod (-c)
- Running a specific command in a temporary container do so something
k run rest --image=busybox --rm -it -restart=Never -- nslookup some-service- Study up on security contexts, remember that capabilities only work at the container level
- Practice, practice, practice Network Policies
- Have a look over the .kube/config file, and get familiar with “kubectl config” options
cat ~/.kube/config- Using openssl to decode .crt files
openssl x509 -in something.crt -text -noout- Get familiar with the ports that each of the management componets use.
That’s all for now, thanks for reading!