Skip to content

CKAD Exam Training Guide

The Certified Kubernetes Application Developer exam is a hands-on Kubernetes exam. The useful way to train is not passive video watching; it is repeated work in a real cluster until creating, editing, debugging, and validating resources becomes automatic.

Training objective:

  1. Build Kubernetes application resources quickly.
  2. Debug failing workloads without guessing.
  3. Use official docs efficiently.
  4. Finish practical tasks under time pressure.

Verify these details on the Linux Foundation CKAD page before scheduling because exam versions and prices change. As of July 1, 2026:

  1. Format: online, proctored, performance-based exam.
  2. Duration: 2 hours.
  3. Current Kubernetes version: v1.35.
  4. Attempts included: two exam attempts.
  5. Simulator: two Killer.sh simulation attempts are included after enrollment.
  6. Exam purchase window: 12 months to schedule and take the exam.
  7. Prerequisites: none, though working knowledge of containers and microservice architecture is assumed.

The official domain weights are:

  1. Application Design and Build: 20%.
  2. Application Deployment: 20%.
  3. Application Observability and Maintenance: 15%.
  4. Application Environment, Configuration and Security: 25%.
  5. Services and Networking: 20%.

You are ready when you can do the following without searching broad tutorials:

  1. Create a Deployment, Service, Ingress, Job, CronJob, ConfigMap, Secret, PersistentVolumeClaim, and NetworkPolicy.
  2. Patch or edit YAML safely under time pressure.
  3. Debug ImagePullBackOff, CrashLoopBackOff, failed probes, missing service endpoints, bad labels, and blocked network traffic.
  4. Use kubectl explain, kubectl create --dry-run=client -o yaml, and official docs instead of memorizing full manifests.
  5. Validate your work with kubectl get, kubectl describe, kubectl logs, kubectl exec, and test pods.

Primary course:

  1. Sander van Vugt CKAD course on O’Reilly - use this as the structured video track, then spend most study time reproducing the tasks in a local cluster.

Supporting resources:

  1. Official Kubernetes documentation for exact manifest patterns.
  2. Killer.sh simulator attempts included with CKAD enrollment.
  3. Current CKAD curriculum overview for the official topic checklist.
  4. Local Kind cluster drills for repetition and speed.

Use a local cluster so practice is cheap and repeatable. Kind is enough for most CKAD drills.

Terminal window
kind create cluster --name ckad
kubectl config use-context kind-ckad
kubectl get nodes

Set up speed helpers. Do not depend on aliases that are unavailable in the exam unless you can recreate them quickly.

Terminal window
alias k=kubectl
export do="--dry-run=client -o yaml"
export now="--force --grace-period=0"
kubectl completion bash > /tmp/kubectl_completion
source /tmp/kubectl_completion
complete -o default -F __start_kubectl k

Create disposable namespaces for drills.

Terminal window
kubectl create namespace ckad-a
kubectl create namespace ckad-b
kubectl config set-context --current --namespace=ckad-a

Reset between drills.

Terminal window
kubectl delete all --all
kubectl delete configmap --all
kubectl delete secret --all
kubectl delete pvc --all

The time frames are estimates and may vary according to how the class is progressing.

Segment 1: Creating Custom Container Images

Section titled “Segment 1: Creating Custom Container Images”

Estimated time: 10 minutes.

Topics:

  1. Use Containerfile to create custom images.
  2. Manage container images.

Estimated time: 50 minutes.

Topics:

  1. Use pods in specific namespaces.
  2. Manage multi-container pods.
  3. Configure resource requirements, limits, and quotas.
  4. Use Job and CronJob resources.

Q&A: 5 minutes.

Break: 10 minutes.

Estimated time: 50 minutes.

Topics:

  1. Install and manage applications using the Helm package manager.
  2. Run applications using Deployment resources.
  3. Perform zero-downtime application updates.

Estimated time: 50 minutes.

Topics:

  1. Manage application access using Service and Ingress resources.

Q&A: 5 minutes.

Break: 10 minutes.

Estimated time: 45 minutes.

Topics:

  1. Use NetworkPolicy to secure application access.

Q&A and next steps: 5 minutes.

Segment 6: Application Observability and Maintenance

Section titled “Segment 6: Application Observability and Maintenance”

Estimated time: 25 minutes.

Topics:

  1. Use probes and health checks.

Estimated time: 25 minutes.

Topics:

  1. Understand API extensions.
  2. Create custom resources.

Estimated time: 40 minutes.

Topics:

  1. Configure pod storage using volumes, persistent volumes, and persistent volume claims.

Q&A: 5 minutes.

Break: 10 minutes.

Segment 9: Managing ConfigMaps and Secrets

Section titled “Segment 9: Managing ConfigMaps and Secrets”

Estimated time: 30 minutes.

Topics:

  1. Implement decoupling using ConfigMap and Secret resources on Kubernetes.

Estimated time: 30 minutes.

Topics:

  1. Use canary deployments.
  2. Use blue/green deployments.

Q&A: 5 minutes.

Break: 10 minutes.

Estimated time: 50 minutes.

Topics:

  1. Understand RBAC.
  2. Use service accounts.
  3. Apply SecurityContext.

Q&A: 10 minutes.

Goal: become fast with resource creation and inspection.

Daily drills:

  1. Create pods and deployments from the CLI.
  2. Generate YAML with --dry-run=client -o yaml.
  3. Edit manifests by hand.
  4. Use labels and selectors correctly.
  5. Inspect objects with get, describe, logs, and events.

Minimum commands to master:

Terminal window
kubectl run web --image=nginx
kubectl create deployment web --image=nginx --replicas=3
kubectl expose deployment web --port=80 --target-port=80
kubectl get pods -o wide --show-labels
kubectl describe pod <pod>
kubectl logs <pod>
kubectl get events --sort-by=.lastTimestamp

Week 2: Configuration, Security, and Storage

Section titled “Week 2: Configuration, Security, and Storage”

Goal: make workloads configurable and constrained.

Topics:

  1. ConfigMap and Secret consumption by environment variables and mounted files.
  2. Resource requests and limits.
  3. Security contexts.
  4. Service accounts.
  5. Persistent and ephemeral volumes.
  6. Init containers and sidecars.

Practice until you can create a pod that:

  1. Reads a config value from a ConfigMap.
  2. Reads a password from a Secret.
  3. Mounts a volume.
  4. Runs as a non-root user.
  5. Uses an init container to prepare files for the main container.

Week 3: Deployment, Networking, and Packaging

Section titled “Week 3: Deployment, Networking, and Packaging”

Goal: expose applications and update them safely.

Topics:

  1. Rolling updates and rollbacks.
  2. Blue/green and canary patterns with labels and services.
  3. Service types and selectors.
  4. Ingress.
  5. NetworkPolicy.
  6. Helm basics.
  7. Kustomize basics.

Practice:

Terminal window
kubectl set image deployment/web nginx=nginx:1.27
kubectl rollout status deployment/web
kubectl rollout history deployment/web
kubectl rollout undo deployment/web
kubectl get endpoints web

Week 4: Timed Practice and Weak-Spot Closure

Section titled “Week 4: Timed Practice and Weak-Spot Closure”

Goal: convert knowledge into exam performance.

Schedule:

  1. Day 1: full mixed lab, untimed, with notes.
  2. Day 2: 60-minute timed lab.
  3. Day 3: review misses and rebuild every failed resource from scratch.
  4. Day 4: Killer.sh attempt 1.
  5. Day 5: review Killer.sh results and write a one-page personal cheat sheet.
  6. Day 6: Killer.sh attempt 2 or another full mock.
  7. Day 7: light review, environment check, no heavy new material.

Run these until the command sequence is mechanical.

Terminal window
kubectl create deployment api --image=nginx --replicas=2 $do > api.yaml
kubectl create configmap app-config --from-literal=MODE=prod $do > cm.yaml
kubectl create secret generic app-secret --from-literal=password=s3cr3t $do > secret.yaml
Terminal window
kubectl get pods
kubectl describe pod <pod>
kubectl logs <pod>
kubectl logs <pod> -c <container>
kubectl exec -it <pod> -- sh
kubectl get events --sort-by=.lastTimestamp
Terminal window
kubectl get svc,endpoints
kubectl get pod --show-labels
kubectl describe svc <service>
kubectl run curl --image=curlimages/curl:latest -it --rm --restart=Never -- sh
Terminal window
kubectl rollout status deployment/<name>
kubectl rollout history deployment/<name>
kubectl rollout undo deployment/<name>
kubectl describe deployment <name>
kubectl get rs

Know how to:

  1. Choose Pod, Deployment, DaemonSet, Job, or CronJob.
  2. Build and modify container image configuration in workload specs.
  3. Configure init containers and sidecar containers.
  4. Use persistent and ephemeral volumes.

Must-practice tasks:

  1. Add a sidecar that writes logs to a shared volume.
  2. Add an init container that blocks until a service is reachable.
  3. Convert a one-off command into a Job.
  4. Schedule a CronJob.

Know how to:

  1. Perform rolling updates.
  2. Roll back a failed deployment.
  3. Implement simple canary or blue/green routing with labels.
  4. Use Helm to install or inspect a chart.
  5. Use Kustomize overlays.

Must-practice tasks:

  1. Route service traffic only to pods with version: stable.
  2. Add a version: canary deployment and switch a percentage manually by replica count.
  3. Generate rendered manifests from Kustomize.
  4. Inspect Helm values and installed resources.

Know how to:

  1. Configure liveness, readiness, and startup probes.
  2. Read logs from single-container and multi-container pods.
  3. Use CLI tools to inspect resource state.
  4. Understand API deprecation signals.
  5. Debug failing Kubernetes applications.

Must-practice tasks:

  1. Fix a bad readiness probe.
  2. Find why a service has no endpoints.
  3. Identify a container command that exits immediately.
  4. Update an old API version in a manifest.

Application Environment, Configuration and Security

Section titled “Application Environment, Configuration and Security”

Know how to:

  1. Create and consume ConfigMap and Secret resources.
  2. Set resource requests and limits.
  3. Use service accounts.
  4. Configure security contexts and capabilities.
  5. Understand basic authn, authz, and admission concepts.
  6. Recognize CRDs and operators.

Must-practice tasks:

  1. Mount a Secret as a file.
  2. Pass a ConfigMap key as an environment variable.
  3. Force a container to run as non-root.
  4. Attach a workload to a named service account.
  5. Add CPU and memory requests and limits.

Know how to:

  1. Create and troubleshoot services.
  2. Expose applications with ingress rules.
  3. Understand and apply basic NetworkPolicy.
  4. Test connectivity from inside the cluster.

Must-practice tasks:

  1. Fix a service selector mismatch.
  2. Create a ClusterIP service for a deployment.
  3. Write an ingress rule for host and path routing.
  4. Deny all ingress to a namespace, then allow traffic from one labeled pod.

Create a deployment with intentional mistakes, then fix it.

Requirements:

  1. Deployment named web.
  2. Image should be nginx:1.27.
  3. Three replicas.
  4. Service named web on port 80.
  5. Readiness probe on /.

Failure cases to practice:

  1. Wrong image tag.
  2. Service selector mismatch.
  3. Readiness probe points to the wrong port.
  4. Container port missing or incorrect.

Validation:

Terminal window
kubectl get deploy,pod,svc,endpoints
kubectl describe pod -l app=web
kubectl run curl --image=curlimages/curl:latest -it --rm --restart=Never -- curl web

Requirements:

  1. Create a ConfigMap with APP_MODE=training.
  2. Create a Secret with API_KEY=local-key.
  3. Create a pod that consumes both values as environment variables.
  4. Add CPU and memory requests.
  5. Add a non-root security context.

Validation:

Terminal window
kubectl exec <pod> -- env | grep -E 'APP_MODE|API_KEY'
kubectl describe pod <pod>

Requirements:

  1. Create two deployments: web-blue and web-green.
  2. Label blue pods version=blue.
  3. Label green pods version=green.
  4. Create one service named web that initially points to blue.
  5. Patch the service selector to point to green.

Validation:

Terminal window
kubectl get endpoints web
kubectl describe svc web

Requirements:

  1. Create namespace secure.
  2. Run an api pod and a client pod.
  3. Apply default deny ingress.
  4. Allow ingress to api only from pods labeled role=client.

Validation:

Terminal window
kubectl exec -n secure client -- wget -qO- http://api
kubectl run -n secure blocked --image=busybox:1.36 -it --rm --restart=Never -- wget -qO- http://api

These questions are adapted from the MIT-licensed dgkanatsios/CKAD-exercises repository. Use the repo for the full exercise bank and worked solutions. Use this section as a timed exam-style prompt list.

Rules for practice:

  1. Solve each task in a fresh namespace.
  2. Write the command or manifest yourself before checking a solution.
  3. Validate every answer with kubectl get, kubectl describe, kubectl logs, kubectl exec, or an in-cluster test pod.
  4. Time-box simple tasks to 3 minutes and multi-object tasks to 8 minutes.
  1. Create a namespace named mynamespace, then create an nginx pod named nginx inside it.
  2. Generate YAML for the same nginx pod without creating it, save it to pod.yaml, then create the pod from the file.
  3. Run a temporary busybox pod that executes env, prints the environment, and is removed after completion.
  4. Generate YAML for a namespace named myns without creating the namespace.
  5. Generate YAML for a ResourceQuota named myrq with hard limits of cpu=1, memory=1G, and pods=2.
  6. List pods across all namespaces.
  7. Create an nginx pod that exposes container port 80.
  8. Change an existing nginx pod image to nginx:1.24.0 and confirm the container restarts.
  9. Get the pod IP for nginx, then start a temporary busybox pod and request / from the nginx pod.
  10. Retrieve the full YAML for an existing pod.
  11. Inspect a pod for scheduling, image, probe, or runtime errors.
  12. Retrieve logs from a running pod and previous logs from a restarted container.
  13. Open an interactive shell inside an nginx pod.
  14. Create a pod that echoes hello world and exits.
  15. Create an nginx pod with environment variable var1=val1, then verify the value from inside the container.
  1. Create a ConfigMap named config with keys foo=lala and foo2=lolo.
  2. Display the ConfigMap contents as YAML.
  3. Create a ConfigMap from a file and inspect the resulting key.
  4. Create a ConfigMap from an env file containing multiple key/value pairs.
  5. Create a ConfigMap where the file is stored under a custom key named special.
  6. Create a ConfigMap named options with var5=val5, then expose that key as an environment variable named option in an nginx pod.
  7. Load all values from a ConfigMap into a pod using envFrom.
  8. Mount a ConfigMap as a volume at /etc/lala and verify the mounted files.
  9. Generate YAML for an nginx pod that runs as user ID 101.
  10. Generate YAML for an nginx pod whose container adds NET_ADMIN and SYS_TIME capabilities.
  11. Create an nginx pod with CPU request 100m, memory request 256Mi, CPU limit 200m, and memory limit 512Mi.
  12. Create a namespace with a LimitRange that sets pod memory minimum 100Mi and maximum 500Mi.
  13. Create a ResourceQuota in namespace one that limits CPU and memory requests and limits.
  14. Attempt to create a pod that exceeds the quota and explain the failure.
  15. Create a pod whose requests and limits fit inside the quota and confirm quota usage.
  16. Create a Secret named mysecret with literal value password=mypass.
  17. Create a Secret from a file containing a username.
  18. Decode and print a value from a Secret.
  19. Mount a Secret as a volume at /etc/foo.
  20. Expose a Secret key as environment variable USERNAME in an nginx pod.
  1. Create a Deployment running nginx with three replicas.
  2. Scale a deployment up and down, then verify replica counts.
  3. Update a deployment image and watch rollout status.
  4. Roll back a deployment to the previous revision.
  5. Create a Job that runs a short command and completes successfully.
  6. Create a CronJob that runs on a schedule and verify that jobs are created.
  7. Create a multi-container pod with a main container and a sidecar sharing an emptyDir volume.
  8. Create a pod with an init container that prepares a file in a shared volume before the app container starts.
  9. Add labels to pods and select them using kubectl get pod -l.
  10. Change labels so a service switches from one pod group to another.
  1. Add a readiness probe to an nginx pod and verify readiness status.
  2. Add a liveness probe that fails, then inspect events to explain the restart behavior.
  3. Debug a pod stuck in ImagePullBackOff.
  4. Debug a pod stuck in CrashLoopBackOff.
  5. Retrieve logs from a specific container in a multi-container pod.
  6. Use kubectl exec to verify a mounted config file exists.
  7. Use kubectl describe and sorted events to identify why a workload is unhealthy.
  8. Use kubectl top if metrics are available; otherwise, state what dependency is missing.
  1. Expose a deployment with a ClusterIP service.
  2. Verify service endpoints and fix a selector mismatch.
  3. Create a test pod and connect to a service DNS name from inside the cluster.
  4. Port-forward a pod or service and test it locally.
  5. Create an ingress rule for a host/path that routes to a service.
  6. Create a default deny ingress NetworkPolicy.
  7. Allow traffic to one pod only from pods with a specific label.
  8. Confirm blocked and allowed network paths using temporary test pods.
  1. Create a pod that uses an emptyDir volume.
  2. Create a PersistentVolumeClaim and mount it into a pod.
  3. Verify that a file written to the mounted path survives container restart where the storage type supports it.
  4. Compare when to use emptyDir, ConfigMap, Secret, and PersistentVolumeClaim volumes.
  1. Add a Helm repository and update repo metadata.
  2. Install a simple Helm chart into a namespace.
  3. List Helm releases and inspect rendered manifests.
  4. Upgrade a Helm release by changing a value.
  5. Uninstall a Helm release and confirm Kubernetes resources are removed.
  6. Identify whether a custom resource definition exists in the cluster.
  7. Create a custom resource from a provided CRD example and inspect its status.

The exam is not about memorizing every field. It is about knowing where to find the correct pattern quickly.

Bookmark or practice navigating to:

  1. Kubernetes tasks for configuring pods and containers.
  2. Kubernetes tasks for services, ingress, and networking.
  3. Kubernetes concepts for workloads.
  4. Kubernetes concepts for configuration.
  5. Kubernetes reference pages for kubectl.

Use kubectl explain when field placement is unclear.

Terminal window
kubectl explain deployment.spec.template.spec.containers.resources
kubectl explain pod.spec.securityContext
kubectl explain networkpolicy.spec.ingress

Practical rule:

  1. Use docs for exact YAML shape.
  2. Use kubectl generators for object skeletons.
  3. Use describe, events, and logs for debugging.

The CKAD exam includes task-specific instructions and may provide links in a quick reference box. Treat that as a pointer to the relevant documentation, not as a replacement for knowing the workflow.

Allowed CKAD references currently include:

  1. Kubernetes documentation: https://kubernetes.io/docs/
  2. Kubernetes blog: https://kubernetes.io/blog/
  3. Helm documentation: https://helm.sh/docs/
  4. Task-specific documentation provided in the exam quick reference box.
  5. Documentation installed in the exam environment, such as man pages and files under /usr/share.

Important constraints:

  1. Use the browser inside the exam VM for allowed docs.
  2. Kubernetes docs site search is allowed, but external search results are not.
  3. O’Reilly, personal notes, ChatGPT, GitHub examples, Stack Overflow, and random web searches are not exam references.
  4. The reference guide saves time only if you already know what object and field you are looking for.

Train by opening the docs for these patterns until the navigation is automatic:

  1. Deployment rolling updates and rollbacks.
  2. Probes and container lifecycle.
  3. ConfigMap and Secret usage.
  4. Service, Ingress, and NetworkPolicy.
  5. Job, CronJob, volumes, and security contexts.

Start each question the same way:

  1. Read the task once for the object names, namespace, and required outcome.
  2. Switch to the correct namespace or pass -n <namespace> explicitly.
  3. Generate the fastest safe manifest.
  4. Apply it.
  5. Validate the exact required behavior.
  6. Move on if validation passes.

Time management:

  1. First pass: solve easy and medium tasks immediately.
  2. Mark hard tasks and return later.
  3. Do not spend 15 minutes fighting one manifest when several easier points remain.
  4. Leave final time to verify namespaces, object names, selectors, and rollout status.

Common mistakes to avoid:

  1. Creating resources in the wrong namespace.
  2. Using labels that do not match service selectors.
  3. Forgetting to save edited YAML.
  4. Deleting and recreating resources when a patch or edit is safer.
  5. Trusting Running status without checking readiness and endpoints.

You are ready to schedule when:

  1. You can complete a mixed 2-hour mock exam without relying on non-official tutorials.
  2. You finish Killer.sh or equivalent practice with enough time to review.
  3. You know your personal slow areas and have repeated those labs.
  4. You can recover from broken pods, services, probes, and rollouts.
  5. You can navigate official docs quickly.
  6. Your local command habits match what you can recreate in the exam environment.

Do not schedule yet if:

  1. You still copy complete manifests blindly.
  2. You cannot debug a service with no endpoints.
  3. You do not know how to validate each answer.
  4. You need long notes for basic workload, config, and service objects.

Official references to verify close to exam day:

  1. Linux Foundation CKAD certification page
  2. Linux Foundation exam preparation checklist
  3. Linux Foundation resources allowed for CKA and CKAD
  4. CNCF CKAD curriculum overview
  5. Sander van Vugt CKAD course on O’Reilly
  6. Kubernetes documentation
  7. Kubernetes kubectl reference
  8. Helm documentation