CKAD Exam Training Guide
Table of Contents
Section titled “Table of Contents”- Overview
- Current Exam Facts
- Target Skill Level
- Recommended Training Resources
- Training Environment
- Schedule
- Four-Week Study Plan
- Command Speed Drills
- Domain Checklist
- Practice Labs
- Practice Questions from CKAD Exercises
- Documentation Strategy
- CKAD Reference Guide During the Exam
- Exam-Day Workflow
- Final Readiness Checklist
- References
CKAD Exam Training Guide
Section titled “CKAD Exam Training Guide”Overview
Section titled “Overview”The Certified Kubernetes Application Developer exam is a hands-on Kubernetes exam. The useful way to train is not passive video watching; it is repeated work in a real cluster until creating, editing, debugging, and validating resources becomes automatic.
Training objective:
- Build Kubernetes application resources quickly.
- Debug failing workloads without guessing.
- Use official docs efficiently.
- Finish practical tasks under time pressure.
Current Exam Facts
Section titled “Current Exam Facts”Verify these details on the Linux Foundation CKAD page before scheduling because exam versions and prices change. As of July 1, 2026:
- Format: online, proctored, performance-based exam.
- Duration: 2 hours.
- Current Kubernetes version: v1.35.
- Attempts included: two exam attempts.
- Simulator: two Killer.sh simulation attempts are included after enrollment.
- Exam purchase window: 12 months to schedule and take the exam.
- Prerequisites: none, though working knowledge of containers and microservice architecture is assumed.
The official domain weights are:
- Application Design and Build: 20%.
- Application Deployment: 20%.
- Application Observability and Maintenance: 15%.
- Application Environment, Configuration and Security: 25%.
- Services and Networking: 20%.
Target Skill Level
Section titled “Target Skill Level”You are ready when you can do the following without searching broad tutorials:
- Create a
Deployment,Service,Ingress,Job,CronJob,ConfigMap,Secret,PersistentVolumeClaim, andNetworkPolicy. - Patch or edit YAML safely under time pressure.
- Debug
ImagePullBackOff,CrashLoopBackOff, failed probes, missing service endpoints, bad labels, and blocked network traffic. - Use
kubectl explain,kubectl create --dry-run=client -o yaml, and official docs instead of memorizing full manifests. - Validate your work with
kubectl get,kubectl describe,kubectl logs,kubectl exec, and test pods.
Recommended Training Resources
Section titled “Recommended Training Resources”Primary course:
- Sander van Vugt CKAD course on O’Reilly - use this as the structured video track, then spend most study time reproducing the tasks in a local cluster.
Supporting resources:
- Official Kubernetes documentation for exact manifest patterns.
- Killer.sh simulator attempts included with CKAD enrollment.
- Current CKAD curriculum overview for the official topic checklist.
- Local Kind cluster drills for repetition and speed.
Training Environment
Section titled “Training Environment”Use a local cluster so practice is cheap and repeatable. Kind is enough for most CKAD drills.
kind create cluster --name ckadkubectl config use-context kind-ckadkubectl get nodesSet up speed helpers. Do not depend on aliases that are unavailable in the exam unless you can recreate them quickly.
alias k=kubectlexport do="--dry-run=client -o yaml"export now="--force --grace-period=0"
kubectl completion bash > /tmp/kubectl_completionsource /tmp/kubectl_completioncomplete -o default -F __start_kubectl kCreate disposable namespaces for drills.
kubectl create namespace ckad-akubectl create namespace ckad-bkubectl config set-context --current --namespace=ckad-aReset between drills.
kubectl delete all --allkubectl delete configmap --allkubectl delete secret --allkubectl delete pvc --allSchedule
Section titled “Schedule”The time frames are estimates and may vary according to how the class is progressing.
Segment 1: Creating Custom Container Images
Section titled “Segment 1: Creating Custom Container Images”Estimated time: 10 minutes.
Topics:
- Use
Containerfileto create custom images. - Manage container images.
Segment 2: Managing Pod Properties
Section titled “Segment 2: Managing Pod Properties”Estimated time: 50 minutes.
Topics:
- Use pods in specific namespaces.
- Manage multi-container pods.
- Configure resource requirements, limits, and quotas.
- Use
JobandCronJobresources.
Q&A: 5 minutes.
Break: 10 minutes.
Segment 3: Running Applications
Section titled “Segment 3: Running Applications”Estimated time: 50 minutes.
Topics:
- Install and manage applications using the Helm package manager.
- Run applications using
Deploymentresources. - Perform zero-downtime application updates.
Segment 4: Managing Application Access
Section titled “Segment 4: Managing Application Access”Estimated time: 50 minutes.
Topics:
- Manage application access using
ServiceandIngressresources.
Q&A: 5 minutes.
Break: 10 minutes.
Segment 5: Managing Network Access
Section titled “Segment 5: Managing Network Access”Estimated time: 45 minutes.
Topics:
- Use
NetworkPolicyto secure application access.
Q&A and next steps: 5 minutes.
Segment 6: Application Observability and Maintenance
Section titled “Segment 6: Application Observability and Maintenance”Estimated time: 25 minutes.
Topics:
- Use probes and health checks.
Segment 7: Manage Custom Resources
Section titled “Segment 7: Manage Custom Resources”Estimated time: 25 minutes.
Topics:
- Understand API extensions.
- Create custom resources.
Segment 8: Managing Storage
Section titled “Segment 8: Managing Storage”Estimated time: 40 minutes.
Topics:
- Configure pod storage using volumes, persistent volumes, and persistent volume claims.
Q&A: 5 minutes.
Break: 10 minutes.
Segment 9: Managing ConfigMaps and Secrets
Section titled “Segment 9: Managing ConfigMaps and Secrets”Estimated time: 30 minutes.
Topics:
- Implement decoupling using
ConfigMapandSecretresources on Kubernetes.
Segment 10: Using DevOps Technologies
Section titled “Segment 10: Using DevOps Technologies”Estimated time: 30 minutes.
Topics:
- Use canary deployments.
- Use blue/green deployments.
Q&A: 5 minutes.
Break: 10 minutes.
Segment 11: Managing Application Security
Section titled “Segment 11: Managing Application Security”Estimated time: 50 minutes.
Topics:
- Understand RBAC.
- Use service accounts.
- Apply
SecurityContext.
Q&A: 10 minutes.
Four-Week Study Plan
Section titled “Four-Week Study Plan”Week 1: Core Objects and kubectl
Section titled “Week 1: Core Objects and kubectl”Goal: become fast with resource creation and inspection.
Daily drills:
- Create pods and deployments from the CLI.
- Generate YAML with
--dry-run=client -o yaml. - Edit manifests by hand.
- Use labels and selectors correctly.
- Inspect objects with
get,describe,logs, andevents.
Minimum commands to master:
kubectl run web --image=nginxkubectl create deployment web --image=nginx --replicas=3kubectl expose deployment web --port=80 --target-port=80kubectl get pods -o wide --show-labelskubectl describe pod <pod>kubectl logs <pod>kubectl get events --sort-by=.lastTimestampWeek 2: Configuration, Security, and Storage
Section titled “Week 2: Configuration, Security, and Storage”Goal: make workloads configurable and constrained.
Topics:
ConfigMapandSecretconsumption by environment variables and mounted files.- Resource requests and limits.
- Security contexts.
- Service accounts.
- Persistent and ephemeral volumes.
- Init containers and sidecars.
Practice until you can create a pod that:
- Reads a config value from a
ConfigMap. - Reads a password from a
Secret. - Mounts a volume.
- Runs as a non-root user.
- Uses an init container to prepare files for the main container.
Week 3: Deployment, Networking, and Packaging
Section titled “Week 3: Deployment, Networking, and Packaging”Goal: expose applications and update them safely.
Topics:
- Rolling updates and rollbacks.
- Blue/green and canary patterns with labels and services.
Servicetypes and selectors.Ingress.NetworkPolicy.- Helm basics.
- Kustomize basics.
Practice:
kubectl set image deployment/web nginx=nginx:1.27kubectl rollout status deployment/webkubectl rollout history deployment/webkubectl rollout undo deployment/webkubectl get endpoints webWeek 4: Timed Practice and Weak-Spot Closure
Section titled “Week 4: Timed Practice and Weak-Spot Closure”Goal: convert knowledge into exam performance.
Schedule:
- Day 1: full mixed lab, untimed, with notes.
- Day 2: 60-minute timed lab.
- Day 3: review misses and rebuild every failed resource from scratch.
- Day 4: Killer.sh attempt 1.
- Day 5: review Killer.sh results and write a one-page personal cheat sheet.
- Day 6: Killer.sh attempt 2 or another full mock.
- Day 7: light review, environment check, no heavy new material.
Command Speed Drills
Section titled “Command Speed Drills”Run these until the command sequence is mechanical.
Generate and Edit YAML
Section titled “Generate and Edit YAML”kubectl create deployment api --image=nginx --replicas=2 $do > api.yamlkubectl create configmap app-config --from-literal=MODE=prod $do > cm.yamlkubectl create secret generic app-secret --from-literal=password=s3cr3t $do > secret.yamlPod Debugging
Section titled “Pod Debugging”kubectl get podskubectl describe pod <pod>kubectl logs <pod>kubectl logs <pod> -c <container>kubectl exec -it <pod> -- shkubectl get events --sort-by=.lastTimestampService Debugging
Section titled “Service Debugging”kubectl get svc,endpointskubectl get pod --show-labelskubectl describe svc <service>kubectl run curl --image=curlimages/curl:latest -it --rm --restart=Never -- shRollout Debugging
Section titled “Rollout Debugging”kubectl rollout status deployment/<name>kubectl rollout history deployment/<name>kubectl rollout undo deployment/<name>kubectl describe deployment <name>kubectl get rsDomain Checklist
Section titled “Domain Checklist”Application Design and Build
Section titled “Application Design and Build”Know how to:
- Choose
Pod,Deployment,DaemonSet,Job, orCronJob. - Build and modify container image configuration in workload specs.
- Configure init containers and sidecar containers.
- Use persistent and ephemeral volumes.
Must-practice tasks:
- Add a sidecar that writes logs to a shared volume.
- Add an init container that blocks until a service is reachable.
- Convert a one-off command into a
Job. - Schedule a
CronJob.
Application Deployment
Section titled “Application Deployment”Know how to:
- Perform rolling updates.
- Roll back a failed deployment.
- Implement simple canary or blue/green routing with labels.
- Use Helm to install or inspect a chart.
- Use Kustomize overlays.
Must-practice tasks:
- Route service traffic only to pods with
version: stable. - Add a
version: canarydeployment and switch a percentage manually by replica count. - Generate rendered manifests from Kustomize.
- Inspect Helm values and installed resources.
Application Observability and Maintenance
Section titled “Application Observability and Maintenance”Know how to:
- Configure liveness, readiness, and startup probes.
- Read logs from single-container and multi-container pods.
- Use CLI tools to inspect resource state.
- Understand API deprecation signals.
- Debug failing Kubernetes applications.
Must-practice tasks:
- Fix a bad readiness probe.
- Find why a service has no endpoints.
- Identify a container command that exits immediately.
- Update an old API version in a manifest.
Application Environment, Configuration and Security
Section titled “Application Environment, Configuration and Security”Know how to:
- Create and consume
ConfigMapandSecretresources. - Set resource requests and limits.
- Use service accounts.
- Configure security contexts and capabilities.
- Understand basic authn, authz, and admission concepts.
- Recognize CRDs and operators.
Must-practice tasks:
- Mount a
Secretas a file. - Pass a
ConfigMapkey as an environment variable. - Force a container to run as non-root.
- Attach a workload to a named service account.
- Add CPU and memory requests and limits.
Services and Networking
Section titled “Services and Networking”Know how to:
- Create and troubleshoot services.
- Expose applications with ingress rules.
- Understand and apply basic
NetworkPolicy. - Test connectivity from inside the cluster.
Must-practice tasks:
- Fix a service selector mismatch.
- Create a
ClusterIPservice for a deployment. - Write an ingress rule for host and path routing.
- Deny all ingress to a namespace, then allow traffic from one labeled pod.
Practice Labs
Section titled “Practice Labs”Lab 1: Broken Web Deployment
Section titled “Lab 1: Broken Web Deployment”Create a deployment with intentional mistakes, then fix it.
Requirements:
- Deployment named
web. - Image should be
nginx:1.27. - Three replicas.
- Service named
webon port80. - Readiness probe on
/.
Failure cases to practice:
- Wrong image tag.
- Service selector mismatch.
- Readiness probe points to the wrong port.
- Container port missing or incorrect.
Validation:
kubectl get deploy,pod,svc,endpointskubectl describe pod -l app=webkubectl run curl --image=curlimages/curl:latest -it --rm --restart=Never -- curl webLab 2: Configured API Pod
Section titled “Lab 2: Configured API Pod”Requirements:
- Create a
ConfigMapwithAPP_MODE=training. - Create a
SecretwithAPI_KEY=local-key. - Create a pod that consumes both values as environment variables.
- Add CPU and memory requests.
- Add a non-root security context.
Validation:
kubectl exec <pod> -- env | grep -E 'APP_MODE|API_KEY'kubectl describe pod <pod>Lab 3: Blue/Green Service Switch
Section titled “Lab 3: Blue/Green Service Switch”Requirements:
- Create two deployments:
web-blueandweb-green. - Label blue pods
version=blue. - Label green pods
version=green. - Create one service named
webthat initially points to blue. - Patch the service selector to point to green.
Validation:
kubectl get endpoints webkubectl describe svc webLab 4: NetworkPolicy Isolation
Section titled “Lab 4: NetworkPolicy Isolation”Requirements:
- Create namespace
secure. - Run an
apipod and aclientpod. - Apply default deny ingress.
- Allow ingress to
apionly from pods labeledrole=client.
Validation:
kubectl exec -n secure client -- wget -qO- http://apikubectl run -n secure blocked --image=busybox:1.36 -it --rm --restart=Never -- wget -qO- http://apiPractice Questions from CKAD Exercises
Section titled “Practice Questions from CKAD Exercises”These questions are adapted from the MIT-licensed dgkanatsios/CKAD-exercises repository. Use the repo for the full exercise bank and worked solutions. Use this section as a timed exam-style prompt list.
Rules for practice:
- Solve each task in a fresh namespace.
- Write the command or manifest yourself before checking a solution.
- Validate every answer with
kubectl get,kubectl describe,kubectl logs,kubectl exec, or an in-cluster test pod. - Time-box simple tasks to 3 minutes and multi-object tasks to 8 minutes.
Core Concepts
Section titled “Core Concepts”- Create a namespace named
mynamespace, then create annginxpod namednginxinside it. - Generate YAML for the same
nginxpod without creating it, save it topod.yaml, then create the pod from the file. - Run a temporary
busyboxpod that executesenv, prints the environment, and is removed after completion. - Generate YAML for a namespace named
mynswithout creating the namespace. - Generate YAML for a
ResourceQuotanamedmyrqwith hard limits ofcpu=1,memory=1G, andpods=2. - List pods across all namespaces.
- Create an
nginxpod that exposes container port80. - Change an existing
nginxpod image tonginx:1.24.0and confirm the container restarts. - Get the pod IP for
nginx, then start a temporarybusyboxpod and request/from thenginxpod. - Retrieve the full YAML for an existing pod.
- Inspect a pod for scheduling, image, probe, or runtime errors.
- Retrieve logs from a running pod and previous logs from a restarted container.
- Open an interactive shell inside an
nginxpod. - Create a pod that echoes
hello worldand exits. - Create an
nginxpod with environment variablevar1=val1, then verify the value from inside the container.
Configuration and Secrets
Section titled “Configuration and Secrets”- Create a
ConfigMapnamedconfigwith keysfoo=lalaandfoo2=lolo. - Display the
ConfigMapcontents as YAML. - Create a
ConfigMapfrom a file and inspect the resulting key. - Create a
ConfigMapfrom an env file containing multiple key/value pairs. - Create a
ConfigMapwhere the file is stored under a custom key namedspecial. - Create a
ConfigMapnamedoptionswithvar5=val5, then expose that key as an environment variable namedoptionin annginxpod. - Load all values from a
ConfigMapinto a pod usingenvFrom. - Mount a
ConfigMapas a volume at/etc/lalaand verify the mounted files. - Generate YAML for an
nginxpod that runs as user ID101. - Generate YAML for an
nginxpod whose container addsNET_ADMINandSYS_TIMEcapabilities. - Create an
nginxpod with CPU request100m, memory request256Mi, CPU limit200m, and memory limit512Mi. - Create a namespace with a
LimitRangethat sets pod memory minimum100Miand maximum500Mi. - Create a
ResourceQuotain namespaceonethat limits CPU and memory requests and limits. - Attempt to create a pod that exceeds the quota and explain the failure.
- Create a pod whose requests and limits fit inside the quota and confirm quota usage.
- Create a
Secretnamedmysecretwith literal valuepassword=mypass. - Create a
Secretfrom a file containing a username. - Decode and print a value from a
Secret. - Mount a
Secretas a volume at/etc/foo. - Expose a
Secretkey as environment variableUSERNAMEin annginxpod.
Workloads and Pod Design
Section titled “Workloads and Pod Design”- Create a
Deploymentrunningnginxwith three replicas. - Scale a deployment up and down, then verify replica counts.
- Update a deployment image and watch rollout status.
- Roll back a deployment to the previous revision.
- Create a
Jobthat runs a short command and completes successfully. - Create a
CronJobthat runs on a schedule and verify that jobs are created. - Create a multi-container pod with a main container and a sidecar sharing an
emptyDirvolume. - Create a pod with an init container that prepares a file in a shared volume before the app container starts.
- Add labels to pods and select them using
kubectl get pod -l. - Change labels so a service switches from one pod group to another.
Observability and Maintenance
Section titled “Observability and Maintenance”- Add a readiness probe to an
nginxpod and verify readiness status. - Add a liveness probe that fails, then inspect events to explain the restart behavior.
- Debug a pod stuck in
ImagePullBackOff. - Debug a pod stuck in
CrashLoopBackOff. - Retrieve logs from a specific container in a multi-container pod.
- Use
kubectl execto verify a mounted config file exists. - Use
kubectl describeand sorted events to identify why a workload is unhealthy. - Use
kubectl topif metrics are available; otherwise, state what dependency is missing.
Services and Networking
Section titled “Services and Networking”- Expose a deployment with a
ClusterIPservice. - Verify service endpoints and fix a selector mismatch.
- Create a test pod and connect to a service DNS name from inside the cluster.
- Port-forward a pod or service and test it locally.
- Create an ingress rule for a host/path that routes to a service.
- Create a default deny ingress
NetworkPolicy. - Allow traffic to one pod only from pods with a specific label.
- Confirm blocked and allowed network paths using temporary test pods.
Storage and State
Section titled “Storage and State”- Create a pod that uses an
emptyDirvolume. - Create a
PersistentVolumeClaimand mount it into a pod. - Verify that a file written to the mounted path survives container restart where the storage type supports it.
- Compare when to use
emptyDir,ConfigMap,Secret, andPersistentVolumeClaimvolumes.
Helm and Custom Resources
Section titled “Helm and Custom Resources”- Add a Helm repository and update repo metadata.
- Install a simple Helm chart into a namespace.
- List Helm releases and inspect rendered manifests.
- Upgrade a Helm release by changing a value.
- Uninstall a Helm release and confirm Kubernetes resources are removed.
- Identify whether a custom resource definition exists in the cluster.
- Create a custom resource from a provided CRD example and inspect its status.
Documentation Strategy
Section titled “Documentation Strategy”The exam is not about memorizing every field. It is about knowing where to find the correct pattern quickly.
Bookmark or practice navigating to:
- Kubernetes tasks for configuring pods and containers.
- Kubernetes tasks for services, ingress, and networking.
- Kubernetes concepts for workloads.
- Kubernetes concepts for configuration.
- Kubernetes reference pages for
kubectl.
Use kubectl explain when field placement is unclear.
kubectl explain deployment.spec.template.spec.containers.resourceskubectl explain pod.spec.securityContextkubectl explain networkpolicy.spec.ingressPractical rule:
- Use docs for exact YAML shape.
- Use
kubectlgenerators for object skeletons. - Use
describe, events, and logs for debugging.
CKAD Reference Guide During the Exam
Section titled “CKAD Reference Guide During the Exam”The CKAD exam includes task-specific instructions and may provide links in a quick reference box. Treat that as a pointer to the relevant documentation, not as a replacement for knowing the workflow.
Allowed CKAD references currently include:
- Kubernetes documentation: https://kubernetes.io/docs/
- Kubernetes blog: https://kubernetes.io/blog/
- Helm documentation: https://helm.sh/docs/
- Task-specific documentation provided in the exam quick reference box.
- Documentation installed in the exam environment, such as man pages and files under
/usr/share.
Important constraints:
- Use the browser inside the exam VM for allowed docs.
- Kubernetes docs site search is allowed, but external search results are not.
- O’Reilly, personal notes, ChatGPT, GitHub examples, Stack Overflow, and random web searches are not exam references.
- The reference guide saves time only if you already know what object and field you are looking for.
Train by opening the docs for these patterns until the navigation is automatic:
Deploymentrolling updates and rollbacks.- Probes and container lifecycle.
ConfigMapandSecretusage.Service,Ingress, andNetworkPolicy.Job,CronJob, volumes, and security contexts.
Exam-Day Workflow
Section titled “Exam-Day Workflow”Start each question the same way:
- Read the task once for the object names, namespace, and required outcome.
- Switch to the correct namespace or pass
-n <namespace>explicitly. - Generate the fastest safe manifest.
- Apply it.
- Validate the exact required behavior.
- Move on if validation passes.
Time management:
- First pass: solve easy and medium tasks immediately.
- Mark hard tasks and return later.
- Do not spend 15 minutes fighting one manifest when several easier points remain.
- Leave final time to verify namespaces, object names, selectors, and rollout status.
Common mistakes to avoid:
- Creating resources in the wrong namespace.
- Using labels that do not match service selectors.
- Forgetting to save edited YAML.
- Deleting and recreating resources when a patch or edit is safer.
- Trusting
Runningstatus without checking readiness and endpoints.
Final Readiness Checklist
Section titled “Final Readiness Checklist”You are ready to schedule when:
- You can complete a mixed 2-hour mock exam without relying on non-official tutorials.
- You finish Killer.sh or equivalent practice with enough time to review.
- You know your personal slow areas and have repeated those labs.
- You can recover from broken pods, services, probes, and rollouts.
- You can navigate official docs quickly.
- Your local command habits match what you can recreate in the exam environment.
Do not schedule yet if:
- You still copy complete manifests blindly.
- You cannot debug a service with no endpoints.
- You do not know how to validate each answer.
- You need long notes for basic workload, config, and service objects.
References
Section titled “References”Official references to verify close to exam day: