
CKA Cheat Sheet 2026

Everything you need on one page before this hands-on exam: domain weights, terminal speed tips, the kubectl commands you will type all day, core objects, scheduling, networking, storage, and the troubleshooting flow that saves the exam.

  • Hands-on tasks: 15-20
  • Duration: 2 hours
  • Pass score: 66%
  • Exam fee (USD): $445
  • Validity: 2 yrs
  • Format: Performance

01 Domain weights

The CKA has five domains. Troubleshooting and Cluster Architecture together are more than half the exam — if your time is short, that is where it should go.

  • Troubleshooting: 30%
  • Cluster Architecture, Installation & Configuration: 25%
  • Services & Networking: 20%
  • Workloads & Scheduling: 15%
  • Storage: 10%
Read this first: the CKA is 100% hands-on in a real terminal — there are no multiple-choice questions. Troubleshooting (30%) and Cluster Architecture (25%) dominate, and every task is timed, so speed with kubectl is everything.

02 Exam-environment setup (speed tips)

The first 60 seconds in the terminal pay off all day. Configure your shell, then never type the long words again.

  • Alias kubectl so every command is two letters: alias k=kubectl — then run k get pods everywhere.
  • Export a dry-run flag to generate YAML fast: export do="--dry-run=client -o yaml" — then k run nginx --image=nginx $do.
  • Export a force-delete flag for instant teardown: export now="--force --grace-period=0" — then k delete pod nginx $now.
  • Turn on autocomplete so resource names fill themselves: source <(kubectl completion bash) and complete -o default -F __start_kubectl k.
  • Use the built-in schema browser instead of guessing fields: k explain pod.spec.containers.
  • Bookmark kubernetes.io docs — the exam is open-book against the official docs, so know where the Pod, Deployment, and NetworkPolicy YAML examples live.
  • Switch context for every task that names a cluster: kubectl config use-context <name> — read the task header first, then set it.
Muscle memory wins: generate a manifest with $do, redirect it to a file, edit, then k apply -f. Hand-writing YAML from scratch wastes minutes you do not have.

03 Essential kubectl commands

The handful of commands you will reach for in almost every task. Know them cold.

Create / run

k run · k create deploy

Spin up a single Pod with k run nginx --image=nginx, or a Deployment with k create deploy web --image=nginx --replicas=3.

Inspect

k get · k describe

k get pods -o wide shows node and IP; k describe pod web reveals events, probes, and the real failure reason.

Edit / scale

k edit · k scale · k set image

k scale deploy web --replicas=5, k set image deploy/web nginx=nginx:1.27, or live-edit with k edit deploy web.

Logs / exec

k logs · k exec -it

k logs web -f tails output; k exec -it web -- sh drops you into the container to test connectivity.

Delete

k delete

k delete pod web, or wipe instantly under time pressure with k delete pod web $now.

Apply (declarative)

k apply -f

k apply -f app.yaml creates or updates from a manifest — the right verb when a task says "the resource must match this spec".

Generate YAML

k create deploy ... $do

Scaffold then tweak: k create deploy nginx --image=nginx $do > deploy.yaml, edit the file, then k apply -f deploy.yaml.

Sort / select

k get -A · -l · --sort-by

k get pods -A across all namespaces; k get pods -l app=web by label; add --sort-by=.metadata.name to order results.

04 Core objects quick reference

Object: what it is for

  • Pod: Smallest deployable unit; one or more containers sharing network and storage.
  • ReplicaSet: Keeps a stable number of identical Pods running; usually managed by a Deployment.
  • Deployment: Declarative rolling updates and rollbacks for stateless apps via ReplicaSets.
  • DaemonSet: Runs exactly one Pod on every (or selected) node, e.g. logging, monitoring, CNI agents.
  • StatefulSet: Stable network identity and ordered, persistent storage for stateful apps (databases).
  • Job / CronJob: Run-to-completion tasks; CronJob schedules Jobs on a cron expression.
  • Service: Stable virtual IP and DNS name load-balancing across a set of Pods.
  • Ingress: HTTP/HTTPS routing into the cluster by host and path via an ingress controller.
  • ConfigMap: Non-sensitive key-value config injected as env vars or mounted files.
  • Secret: Base64-encoded sensitive data (tokens, passwords) injected like a ConfigMap. Base64 is an encoding, not encryption.
  • Namespace: Virtual cluster partition for scoping names, quotas, and access.

05 Scheduling

How Pods land on nodes — a frequent source of tasks. Know how to both attract and repel.

nodeSelector

Simplest placement: schedule only on nodes whose labels match a key/value, e.g. disktype=ssd.

Node affinity

Richer rules with operators — required (hard) vs preferred (soft) — plus pod affinity/anti-affinity for co-locating or spreading Pods.

Taints & tolerations

Taint a node to repel Pods: kubectl taint nodes node1 key=value:NoSchedule. Only Pods with a matching toleration may land there.

Requests & limits

Resource requests drive scheduling decisions; limits cap usage. Pods can stay Pending when no node satisfies the requests.

Static pods

Managed directly by the kubelet from manifests in /etc/kubernetes/manifests — not the scheduler. Control-plane components run this way.

PriorityClass

Higher-priority Pods can preempt (evict) lower-priority ones when the cluster is short on resources.

Classic task: taint a node, then add a matching toleration to a Pod so it schedules there anyway. Practise the exact kubectl taint syntax and the tolerations block until it is automatic.
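
The tolerations block for that classic task, as an added example that is not part of the original cheat sheet. It matches the taint from kubectl taint nodes node1 key=value:NoSchedule; the Pod name, the image, and the assumption that node1 carries the label kubernetes.io/hostname=node1 are constructed for illustration.

```yaml
# Constructed example: Pod that tolerates the taint key=value:NoSchedule on node1.
apiVersion: v1
kind: Pod
metadata:
  name: tolerant-nginx            # hypothetical name
spec:
  containers:
  - name: nginx
    image: nginx
  tolerations:
  - key: "key"                    # must equal the taint key
    operator: "Equal"             # "Exists" matches any value and takes no value field
    value: "value"                # must equal the taint value when operator is Equal
    effect: "NoSchedule"          # must equal the taint effect
  # A toleration only permits scheduling on the tainted node; it does not
  # attract the Pod there. Pin the Pod when the task requires node1.
  # Assumption: node1 has the label kubernetes.io/hostname=node1.
  nodeSelector:
    kubernetes.io/hostname: node1
```

Remove the taint afterwards with the same command plus a trailing minus: kubectl taint nodes node1 key=value:NoSchedule-.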

06 Services & networking

Concept: what to know

  • ClusterIP: Default Service type; internal-only virtual IP reachable from inside the cluster.
  • NodePort: Exposes the Service on a static port (30000-32767) on every node's IP.
  • LoadBalancer: Provisions an external cloud load balancer in front of a NodePort/ClusterIP.
  • ExternalName: Maps a Service to an external DNS name via a CNAME, with no proxying.
  • Ingress: Layer-7 host/path routing into Services; needs an ingress controller installed.
  • NetworkPolicy: Firewall for Pods. Apply a default-deny, then explicit allow rules by pod/namespace label.
  • CoreDNS: In-cluster DNS. A Service resolves as <service>.<namespace>.svc.cluster.local.
  • CNI: The network plugin (Calico, Flannel, etc.) wires Pod-to-Pod networking; required for nodes to go Ready.
NetworkPolicy rule: policies are additive, and a Pod that no policy selects accepts all traffic. Apply a default-deny policy first (empty podSelector, no allow rules), then layer explicit allow rules; without the default-deny, any Pod your allow rules do not select stays wide open.
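
A default-deny policy with one allow rule layered on top, as an added example that is not part of the original cheat sheet. The namespace app, the labels app=web and app=db, and port 5432 are constructed for illustration.

```yaml
# Constructed example, policy 1: default-deny ingress for every Pod in the namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: app                  # hypothetical namespace
spec:
  podSelector: {}                 # empty selector = every Pod in this namespace
  policyTypes:
  - Ingress                       # no ingress rules listed, so all ingress is denied
  # Adding "- Egress" here would also deny outbound traffic, including DNS
  # lookups to CoreDNS, until an explicit egress allow rule is added.
---
# Policy 2: allow only Pods labelled app=web to reach app=db on TCP 5432.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-to-db
  namespace: app
spec:
  podSelector:
    matchLabels:
      app: db                     # the Pods this policy protects
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:                # same-namespace Pods only; add a namespaceSelector
        matchLabels:              # in the same list item to match other namespaces
          app: web
    ports:
    - protocol: TCP
      port: 5432
```

Policies are enforced only when the installed CNI plugin supports NetworkPolicy; after k apply -f, verify from a Pod without the app=web label with k exec that the connection to the db Pod times out.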

07 Storage & troubleshooting

Storage

  • PV / PVC / StorageClass: a PersistentVolume is the storage, a PersistentVolumeClaim requests it, and a StorageClass dynamically provisions PVs on demand.
  • Access modes: RWO (ReadWriteOnce, one node), ROX (ReadOnlyMany), RWX (ReadWriteMany, many nodes).
  • Reclaim policies: Retain keeps data after the PVC is deleted; Delete removes the underlying volume.

Troubleshooting flow

  • Start at the cluster level: k get nodes — a NotReady node points at the kubelet or CNI.
  • Drill into a node: k describe node node1 for conditions, pressure, and taints.
  • Check the kubelet on the node: systemctl status kubelet and journalctl -u kubelet.
  • Inspect static control-plane pods in /etc/kubernetes/manifests when the API server or scheduler is down.
  • Read recent cluster activity: k get events --sort-by=.metadata.creationTimestamp.
  • Go below Kubernetes to the container runtime: crictl ps and crictl logs.
  • Check node logs under /var/log for kubelet and system errors.
  • etcd backup/restore: etcdctl snapshot save snapshot.db then etcdctl snapshot restore snapshot.db — pass the right --cacert, --cert, and --key and the exact path the task asks for.

08 Common traps

Wrong namespace / context: every task can target a different cluster and namespace. Run kubectl config use-context first and add -n <ns> — resources created in the default namespace score zero.
Imperative vs declarative: kubectl create fails if the object exists, while kubectl apply creates or updates. Use the verb the task actually demands.
etcd backup path: saving the snapshot to the wrong filename or directory loses the marks even if the command runs. Copy the exact path from the task.
Editing live Pods vs templates: changing a running Pod does not persist a rollout. Edit the Deployment's .spec.template so the change survives and propagates.

09 FAQ

Is the CKA exam hard?

The CKA is challenging because it is 100% performance-based: you solve roughly 15-20 hands-on tasks in a live cluster from a real terminal in 2 hours. It is less about memorisation and more about speed and accuracy with kubectl, so candidates with regular hands-on practice usually find it very passable.

Can I use the Kubernetes docs during the CKA exam?

Yes. The CKA is open-book against the official kubernetes.io documentation (including the API reference and the GitHub-hosted docs sites permitted by the exam). You cannot use other sites, so practise navigating and copying YAML from kubernetes.io quickly before exam day.

What is the CKA passing score?

You need 66% to pass the CKA. Tasks are weighted, so partial credit matters — do the high-value tasks you are confident on first and never leave a task completely blank if you can score part of it.

How long should I study for CKA?

Most candidates need about 4-8 weeks with consistent hands-on practice. If you already work with Kubernetes daily you may need less; the key is repetition in a real cluster solving timed tasks rather than passive reading.

ExamCert Team: Certified cloud & security pros helping you pass faster.