Certified Kubernetes Administrator (CKA) Online Training & Certification Prep
Build the hands-on Kubernetes administration skills demanded by the CKA — a fully performance-based, open-book exam. Live Labs place you inside real multi-node Kubernetes clusters so you graduate ready to operate clusters in production, not just answer theory questions.
Course Overview
The Certified Kubernetes Administrator (CKA) is a performance-based exam administered by the Linux Foundation. Unlike multiple-choice certifications, CKA candidates must complete hands-on tasks inside a live Kubernetes environment under time pressure — which means rote memorization is not enough. This course is built around that reality: every concept is taught through doing, not watching.
The course opens with cluster architecture: understanding the control plane components (kube-apiserver, etcd, kube-scheduler, kube-controller-manager) and worker node components (kubelet, kube-proxy, container runtime), then moves to bootstrapping a production-grade cluster using kubeadm. You will perform etcd backups and restores — a task that appears in the exam and is critical in real-world disaster recovery.
Workload management covers Deployments, StatefulSets, DaemonSets, Jobs, and CronJobs with a focus on the declarative approach. You will configure resource requests and limits, implement horizontal pod autoscaling, use liveness and readiness probes, and manage rolling updates and rollbacks from the command line. ConfigMaps and Secrets are covered in depth, including immutable variants and projection into volumes.
The networking section addresses how Kubernetes networking actually works: the CNI plugin model, Pod CIDR allocation, ClusterIP/NodePort/LoadBalancer Services, Ingress controllers, DNS resolution with CoreDNS, and NetworkPolicy enforcement. You will write and verify NetworkPolicy rules that restrict east-west traffic — a common exam task.
Storage covers PersistentVolumes, PersistentVolumeClaims, StorageClasses, and dynamic provisioning. Security covers RBAC from first principles: ServiceAccounts, Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings, plus Pod security contexts and Admission Controllers.
Boost Live Labs run on real multi-node Kubernetes clusters — not browser-based simulators. You work with kubectl exactly as you will during the exam, building the muscle memory that performance-based testing demands. The course includes our Pass Guarantee, and instructors are Certified Partner practitioners with production Kubernetes experience.
What You'll Learn
- Bootstrap a multi-node Kubernetes cluster from scratch using kubeadm
- Back up and restore etcd to recover from control-plane failures
- Deploy and manage workloads using Deployments, StatefulSets, DaemonSets, Jobs, and CronJobs
- Configure resource requests, limits, and horizontal pod autoscaling
- Implement Services (ClusterIP, NodePort, LoadBalancer) and Ingress rules with TLS
- Write and enforce NetworkPolicy rules to control Pod-to-Pod and Pod-to-Service traffic
- Provision PersistentVolumes and PersistentVolumeClaims with dynamic StorageClasses
- Design and apply RBAC policies using Roles, ClusterRoles, and bindings
- Configure Pod security contexts, seccomp profiles, and Admission Controllers
- Upgrade a kubeadm-managed cluster with zero workload downtime
- Troubleshoot failing nodes, Pods, and cluster-level components systematically
- Use kubectl efficiently under time pressure including imperative commands and --dry-run
Who This Course Is For
- DevOps and platform engineers responsible for Kubernetes cluster lifecycle management
- Site reliability engineers operating containerized workloads in production
- Systems administrators transitioning into cloud-native infrastructure roles
- Cloud architects designing Kubernetes-based platforms
- Software engineers moving into infrastructure ownership roles
Course Outline
- Control plane: kube-apiserver, etcd, kube-scheduler, controller-manager
- Worker node: kubelet, kube-proxy, container runtime interface (CRI)
- API groups, resource versions, and the declarative object model
- kubectl configuration, contexts, and namespace scoping
- Lab: explore a running cluster with kubectl and decode API server audit logs
- kubeadm init and join workflow: phases, certificates, and kubeconfig generation
- CNI plugin installation (Calico/Flannel) post-bootstrap
- Cluster configuration via kubeadm ConfigMap
- etcd backup with etcdctl snapshot save and point-in-time restore
- Upgrading control-plane and worker nodes with kubeadm upgrade
- Lab: bootstrap a three-node cluster, install a CNI plugin, and perform an etcd backup-restore cycle
- Deployments: spec anatomy, replica sets, rolling update strategy
- StatefulSets: stable network identities, ordered pod management, volumeClaimTemplates
- DaemonSets, Jobs, and CronJobs
- Horizontal Pod Autoscaler and metrics-server integration
- Liveness, readiness, and startup probes
- Init containers and sidecar patterns
- Lab: deploy a stateful application, simulate a pod failure, and validate self-healing behavior
- ConfigMaps: creating from literals, files, and directories
- Secrets: Opaque, TLS, and dockerconfigjson types
- Injecting ConfigMaps and Secrets as environment variables and volume projections
- Immutable ConfigMaps and Secrets
- Lab: rotate a database password using a Secret volume mount without pod restart
- Kubernetes networking model and CNI plugin architecture
- Pod IP allocation and inter-node routing
- ClusterIP, NodePort, and LoadBalancer Services
- Headless Services for StatefulSet DNS
- Ingress resources, Ingress controllers, and TLS termination
- CoreDNS: service discovery and custom stub zones
- NetworkPolicy: ingress/egress rules, namespace selectors, pod selectors
- Lab: implement NetworkPolicy to isolate a payment service namespace and verify with live traffic tests
- PersistentVolumes and PersistentVolumeClaims: lifecycle and binding
- StorageClasses and dynamic provisioning
- Access modes: ReadWriteOnce, ReadOnlyMany, ReadWriteMany
- Volume expansion and reclaim policies
- Lab: provision dynamic storage for a database StatefulSet and expand the volume online
- Authentication: certificates, service account tokens, and OIDC
- RBAC: Roles, ClusterRoles, RoleBindings, ClusterRoleBindings
- ServiceAccount token projection and automounting
- Pod security contexts: runAsUser, runAsNonRoot, fsGroup, capabilities
- Admission controllers: NodeRestriction, LimitRanger, ResourceQuota
- Lab: create a scoped ServiceAccount and RBAC policy for a CI/CD pipeline, verify least privilege
- Systematic node troubleshooting: kubelet status, certificate validity, container runtime
- Pod-level debugging: kubectl describe, logs, exec, debug ephemeral containers
- Control-plane component failure diagnosis
- Using kubectl imperative commands and --dry-run=client for speed
- Exam environment: two terminal sessions, kubectl aliases, bookmarking Kubernetes docs
- Timed full-cluster practice scenarios
About the Certification Exam
- Exam code
- CKA
- Length
- 2 hours
- Questions
- 15u201320 performance-based tasks in a live Kubernetes environment
- Passing score
- 66%
- Exam cost
- ~$445 USD (includes one free retake)
- Where
- Online proctored via PSI u2014 candidates work in a remote browser-based terminal connected to live Kubernetes clusters
The certification exam fee is paid separately to the testing provider and is not included in the course price unless stated otherwise.
Live Labs Included
Hands-on practice on real environments
This course includes Live Labs — direct access to real hardware and cloud environments so you build the skills the exam actually tests.
- Cluster bootstrap lab: use kubeadm to initialize a control-plane node and join two worker nodes, install Calico CNI, and validate all system pods reach Running state
- etcd disaster recovery lab: snapshot a live etcd cluster, deliberately corrupt the datastore, and restore the cluster from the snapshot to recover deleted namespace resources
- Networking and NetworkPolicy lab: deploy a three-tier application (frontend, backend, database), write NetworkPolicy manifests to enforce tier isolation, and validate with live curl tests inside containers
- RBAC and least-privilege lab: create a ServiceAccount, a Role limited to pod logs and exec in a single namespace, bind it, and verify it cannot access cluster-wide resources
- Rolling upgrade lab: upgrade a kubeadm cluster's control plane and worker nodes one node at a time using drain/uncordon, verifying workloads remain available throughout
- Troubleshooting gauntlet: a pre-broken cluster with intentional faults across kubelet configuration, NetworkPolicy rules, and misconfigured Ingress — diagnose and fix all issues against the clock
Pass Guarantee Included
Complete this course and if you don't pass the certification exam on your first attempt, we'll refund your course fee or give you a free retake — your choice.
