I have wanted to take a cloud native & k8s related certificate for a long time. The sooner the better. I have been postponing it until this year due to work reasons. I have seen its price increase twice (it hurts a little bit to say this).

Recently, I finally had time to spare a week to prepare for the exam. Since I have been using Kubernetes in my work production environment, my own plan this time is to absorb more test points and do more test questions before the exam.

Below is a summary of my CKA exam experience in the past week. I hope it will be helpful to you.

Comprehensive understanding of CKA

1. What is CKA?

CKA stands for Certified Kubernetes Administrator, the first Kubernetes-based certification launched by CNCF. The exam consists entirely of practical questions and the proctoring is extremely strict, so CKA is recognized worldwide as one of the most valuable Kubernetes certificates.

2. How long is the CKA certificate valid for?

The validity period of the CKA certificate is 3 years, but from April 1, 2024, the validity period of the newly certified CKA certificate will be changed to 2 years. For students who pass the exam and obtain the certificate before April 1, 2024, their certificates will remain valid for 3 years.

After the certificate expires, you need to retake the exam and meet the exam requirements. The exam is taken online, lasts 2 hours and has 17 questions; the full score is 100 and the passing score is 66.

3. What is the use of CKA?

For enterprises, Kubernetes Certified Service Providers (KCSP) generally need to have 3 CKAs. For individuals, obtaining CKA certification is an important indicator to test their learning results. First, you can learn knowledge systematically, and second, you can prove your technical strength to the company through the certificate.

4. Comparative analysis of CKA, CKAD, and CKS

In fact, the CNCF Foundation’s certifications for k8s are mainly these three, and the three certificates have different focuses. You can choose according to your actual situation.

  • CKA: Certified Kubernetes Administrator, focuses on kubernetes system management, such as basic installation and the ability to configure and manage production-level clusters, involving key concepts such as Kubernetes networking, storage, security, maintenance, logging and monitoring, application lifecycle, troubleshooting, API object primitives, etc.
  • CKAD: Certified Kubernetes Application Developer, focuses on Kubernetes design, building and deploying cloud-native applications, such as using Kubernetes core primitives to create/migrate, configure, expose and observe scalable applications.
  • CKS: Certified Kubernetes Security, focuses on Kubernetes security, such as building, deploying and protecting container-based applications and Kubernetes platform security at runtime.

From preparing the test points and questions of the three certificates, the knowledge points of CKA are more comprehensive and relatively difficult. If you pass the CKA first, the CKAD or CKS will be easy to pass, since 60-80% of the knowledge points are related.

5. What are the main knowledge points of CKA?

Part I: Cluster Architecture, Installation, and Configuration (25%):

  • Manage Role-Based Access Control (RBAC)
  • Install a basic cluster using Kubeadm
  • Manage a high-availability Kubernetes cluster
  • Set up infrastructure to deploy a Kubernetes cluster
  • Perform version upgrades on a Kubernetes cluster using Kubeadm
  • Implement etcd backup and restore

Part II: Workloads and Scheduling (15%):

  • Understand deployments and how to perform rolling updates and rollbacks
  • Configure applications using ConfigMaps and Secrets
  • Understand how to scale applications
  • Understand primitives for creating robust, self-healing application deployments
  • Understand how resource limits affect Pod scheduling
  • Understand manifest management and common template tools

Part III: Services and Networking (20%):

  • Understand host network configuration on cluster nodes
  • Understand connectivity between Pods
  • Understand ClusterIP, NodePort, LoadBalancer service types and endpoints
  • Understand how to use Ingress Controllers and Ingress Resources
  • Understand how to configure and use CoreDNS
  • Select the appropriate container network interface plugin

Part IV: Storage (10%):

  • Understand storage classes, persistent volumes
  • Understand volume modes, access modes, and volume reclaim policies
  • Understand persistent volume claim primitives
  • Understand how to configure applications with persistent storage

Part V: Troubleshooting (30%):

  • Evaluate cluster and node logs
  • Understand how to monitor applications
  • Manage container standard output and standard error logs
  • Resolve application failures
  • Troubleshoot cluster component failures
  • Troubleshoot network failures

CKA exam preparation

Registration and payment

Registration address: https://training.linuxfoundation.cn/certificates/1

The price is more expensive than before. It is recommended to wait for Black Friday to place an order, which is about 50% off.

In addition, you can choose Chinese or English proctoring. It is recommended to choose Chinese. Of course, there is not much difference between the two. Even if the test questions are in English, you can roughly understand them.

After successfully placing an order, log in to the backend and check the order. There will be an exam voucher. Record it and you will use it later.

Activate the exam code

The entire exam process can be referred to here: https://training.linuxfoundation.cn/news/308

The first step is to register a Linux Foundation ID (LFID). Pay attention to your name. It must be consistent with your ID card and passport. It is also recommended to be consistent with the real-name authentication, otherwise you will not be able to pass the scheduled exam later.

Registration and appointment address: https://trainingportal.linuxfoundation.org/

Step 2: Get the previous exam voucher and register for the exam. Under normal circumstances, if you do not register for the exam, the exam voucher is only valid for one month. After registering for the exam voucher, you only need to take the exam within one year.

Step 3: Exam appointment

  • Appointment exam time: The entire exam takes 2 hours. It is recommended to choose 1:00-2:00 am Shanghai time, because the exam servers are all overseas and the connection lags less at this time.

  • Appointment exam language: Exam language and invigilator language, just choose Chinese here.

  • Computer environment check: Before the exam, you need to check the exam system environment. Chrome is the recommended browser. It is not recommended to install PSI in advance; PSI can be installed half an hour before the exam. The day before the exam, it is recommended to disable or uninstall Sunflower, ToDesk, VMware, lemon, etc. on the computer. This time I was delayed for more than ten minutes because of this.

After the appointment is successful, you can prepare for the exam with peace of mind.

Notes on the exam environment

Before the exam, it is recommended to have a VPN ready, but not to use it during the exam unless your network is so slow that you are forced out of the exam system. In that case you can switch to the VPN.

From before the exam to the actual exam time, you need to prepare in the following five steps:

  • Step 1: PSI environment detection. You can only take the exam after the check is successful. You must arrive half an hour in advance. This will take 20 minutes;

  • Step 2: Face recognition, you need to take a photo with a computer camera;

  • Step 3: Identity authentication. You need to hold your ID card and passport up to the camera for a photo, and the examiner will check it.

  • Step 4: The examiner will ask you to show the surrounding environment with a laptop camera. There should be nothing on or under the exam table, and there should be nothing within 1 meter around. No one can talk around you. It is recommended to put the mobile phone more than 1 meter away so that the examiner can see it best.

  • Step 5: The examiner will ask you to raise your hand to check whether there is anything in your hand, whether there are earplugs on both sides of your ears, etc.

If all the above are OK, the examiner will confirm whether you can take the exam. You can answer OK. The exam time will be counted from this time.

Exam time & exam questions & exam results

Why single out the exam time? Because there are only 2 hours for 17 questions, which is neither long nor short.

The exam system server is in the United States and often lags, so a single question can take a long time.

For students who have very little time to prepare for the exam, it is recommended to place a clock opposite the computer desk or bring a watch, because the exam system shows American time and it is easy to lose track of how much time has passed.

In addition, regarding the exam questions, it is recommended to start with the simple ones, because 60-70% can be solved through the command line.

For each question, remember to run kubectl config use-context xxxxk8s first to select the cluster specified by the exam question.

For PV/PVC, Netpol, etc., which require handwritten YAML, it is recommended to do them later, and the cluster upgrade can be done at the end.

Generally, after the exam, the results will be released 24 hours later, and the passing score is 66 points. If you cannot enter the exam due to the exam environment, it is recommended to contact the invigilator as soon as possible. If the exam results are not ideal, there is still one more chance to take the exam, and you can directly reschedule the exam later.

Exam Question Analysis

The following are eight exam questions collected from the Internet. From my personal point of view, I think these exam questions are slightly difficult. These exam questions are basically similar to the actual exam question types. You may wish to experiment and experience them yourself. Therefore, if you can write the k8s resource object yaml file by hand, write it by hand, so that you can save more time.

1. Create a new ClusterRole named deployment-clusterrole that only allows the creation of the following resource types: Deployment, StatefulSet, DaemonSet;
Create a new ServiceAccount named cicd-token in the existing namespace app-team1, limited to namespace app-team1, and bind the new ClusterRole deployment-clusterrole to the new ServiceAccount

2. Find the pods that occupy a lot of CPU at runtime through pod label name=cpu-loader, and write the name of the pod that occupies the highest CPU to the file /opt/KUTR000401/KUTR00401.txt (already exists).

3. Create a new NetworkPolicy named allow-port-from-namespace in the existing namespace my-app; ensure that the new NetworkPolicy allows Pods in namespace echo to connect to port 9000 of Pods in namespace my-app; further ensure that the new NetworkPolicy: does not allow access to Pods that are not listening on port 9000, and does not allow access to Pods not from namespace echo.

4. Please reconfigure the existing deployment front-end and add a port specification named http to expose port 80/tcp of the existing container nginx; create a new service named front-end-svc to expose the container port http; configure this service to expose them through the NodePort on the node where each Pod is located.

5. Create a new nginx Ingress resource as follows: Name: ping, Namespace: ing-internal, expose service hello on path /hello using service port 5678, you can check the availability of service hello using the following command, which should return hello: curl -kL <INTERNAL_IP>/hello

6. Create a new PersistentVolumeClaim, Name: pv-volume, Class: csi-hostpath-sc, Capacity: 10Mi; Create a new Pod to mount the PersistentVolumeClaim as a volume: Name: web-server, Image: nginx:1.16, Mount Path: /usr/share/nginx/html, Configure the new Pod to have ReadWriteOnce permissions on the volume. Finally, use kubectl edit or kubectl patch to expand the capacity of the PersistentVolumeClaim to 70Mi, and record this change.

7. Use busybox Image to add a sidecar container named sidecar to the existing Pod 11-factor-app; the new sidecar container must run the following command: /bin/sh -c tail -n+1 -f /var/log/11-factor-app.log; use the volume mounted at /var/log to make the log file 11-factor-app.log available to the sidecar container; do not change the specifications of the existing container except for adding the required volume mount

8. The existing Kubernetes cluster is running version 1.30. Upgrade all Kubernetes control plane and node components on the master node to version 1.31 only. Make sure to drain the master node before upgrading and uncordon the master node after upgrading.
You can connect to the master node via ssh using the following command: ssh master01
You can use the following command to obtain higher permissions on the master node:
sudo -i
Also, upgrade kubelet and kubectl on the master node. Please do not upgrade worker nodes, etcd, container manager, CNI plugin, DNS service or any other plugin.
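
One possible answer to question 3 (an added example, not part of the original post). It assumes that namespace echo carries the kubernetes.io/metadata.name label, which current Kubernetes versions set automatically, and that the cluster's CNI plugin enforces NetworkPolicy:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-port-from-namespace
  namespace: my-app            # the policy protects Pods in this namespace
spec:
  podSelector: {}              # empty selector = every Pod in my-app
  policyTypes:
    - Ingress                  # selected Pods now deny all ingress not listed below
  ingress:
    # "from" and "ports" sit in the SAME rule item, so they are ANDed:
    # traffic must come from namespace echo AND target TCP 9000.
    # Splitting them into two list items would OR them instead, allowing
    # any source on port 9000 and any port from echo.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: echo
      ports:
        - protocol: TCP
          port: 9000
# If the echo namespace has no such label (older clusters), check with
#   kubectl get namespace echo --show-labels
# and select on a label that is actually present.
```

NetworkPolicies are additive, so any other policy in my-app that selects the same Pods can still open further ports or sources.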

CKA Exam Summary

Finally, here is a CKA certificate:


Through this CKA certification exam, the overall difficulty is moderate. I think it is still very important to practice Kubernetes, especially for DevOps engineers.

In fact, there is no shortcut to pass with a high score. Just absorb more knowledge points listed above, practice more, and practice more.

Finally, I want to say that the exam is just a form. The purpose is to prove that you are proficient in k8s skills and finally apply these skills to actual work.