How to pass the Certified Kubernetes Administrator (CKA) exam on the first attempt
I have recently had the opportunity to take the CKA Exam a few weeks ago and managed to clear it on my first attempt. I’ve complied few tips on how to clear CKA exam on your first attempt too.
1. Kubectl commands: Be very familiar with basic kubectl API and how to create Kubernetes services with kubectl. Take a look at kubectl cheat sheet and be familiar with the commands also don’t go very deep remembering all those commands as during the exam you are allowed to have one window of Kubernetes.io webpage. Also, it’s worth practicing all the kubectl commands and get hands on before the exam.
2. Basic Concepts: Get Familiar with Kubernetes basic concepts and the architecture workflow with kube-apiserver, kube-controller, kube-scheduler, kube-proxy and kubelet. Get good knowledge over these components and its connections; you will never get any multiple choice questions on these concepts. It’s good to know about these basic concepts as it’s going to help in debugging the cluster. Take a look at below attached links:
Note: The CKA exam is all about how we work with the cluster with the command prompt, debug and fix the cluster with kubectl API. There are not generic multiple-choice questions.
3. Core Concepts: Get familiarity with Kubernetes API primitives, cluster architecture and Kubernetes networking components. Understanding these core components should be easy and very helpful with cluster creation from scratch. Otherwise it would be hard to create cluster from scratch without having enough knowledge on these core concepts. Be very familiar with the cluster architecture and Kubernetes networking system before jumping on to create a cluster from scratch.
Note: Before attempting CKA exam, it’s worth creating a Kubernetes cluster from scratch by the hard way, which would help in understanding and getting hands on with k8s core concepts.
4. Kubernetes Services: Practice creating Kubernetes services like deployment, Pv, Pvc, etc. Get hands on with k8s rolling update feature, check the rolling update status, version history, and switch to a particular version. Once deployed, get cluster-info, cluster components status, and logs to gain a mastery on cluster debugging.
kubectl run nginx image=nginx --port=80 --record
kubectl rollout history deployment nginx
kubectl rollout status deployment nginx
kubectl rollout undo deployment nginx --to-revision=2
Note: Practice creating these services with kubectl API rather than creating and deploying with yaml files as this would save lot of time during exam.
5. K8s Certificates: Get familiar with TLS bootstrapping with kubelet and other related certs, working with Kubernetes the Hard Way by Kelsey Hightower is good exercise for this part.
6. Cluster Roles: Practice creating a user and give him enough permissions using cluster role and role binding concepts to access the clusters k8s services. Practice creating a user from scratch, which should also include creating enough certs for the user. Below are the steps to add user by creating certs and allowing him/her to access k8s cluster services based on roles. This document demonstrates to add user to an already existing Kubernetes cluster, practicing below steps would be a good exercise for CKA exam.
1) Initially lets start by creating a directory users, "mkdir -p ~/.kube/users", now generate a private key for each users and store them in a directory that was just created (~/.kube/users), using these private keys generate csr (the csr cert contains user names and groups),for ex user is "prudhvi", now this user will be added to the cluster by the following steps.
#Generate a private key --prudhvi.key
openssl genrsa -out prudhvi.key 2048
#Generate a csr file for prudhvi as user --prudhvi.csr
openssl req -new -key prudhvi.key -out prudhvi.csr -subj "/CN=prudhvi/O=ops/O=example.org"
2) Now copy the clusters ca.key and ca.pem files to users folder that was just created from previous step and sign them to users, copy ca.key and ca.pem from /etc/kubernetes/pki to ~/.kube/users.
#Input as csr file, output is .crt
openssl x509 -req -CA ca.pem -CAkey ca-key.pem -CAcreateserial -days 730 -in prudhvi.csr -out prudhvi.crt
3) Setting up cluster configuration for the user "prudhvi" in a particular namespace, the namespace is optional and should be used if required for the user to use a particular namespace, by default the "default" namespace is used.
kubectl config set-credentials prudhvi --client-certificate=/absolute/path/to/prudhvi.crt --client-key=/absolute/path/to/prudhvi.key
#For below step use "user-nameofthecluster" that we just created "prudhvi-prod"
kubectl config set-context user-nameofthecluster --cluster=prod --user=prudhvi --namespace=<>
kubectl config get-contexts ---->switch the context kubectl config use-context prudhvi-prod
#Another example for the above step is kubectl config set-context yono-dev --namepsaces=development
kubectl config use-context prudhvi-prod
4) After we switch the cluster context to prudhvi-prod, the user (prudhvi) will still not be having access to use "kubectl get pods", for accessing the cluster services lets start to create Role&RoleBinding.
#if required specify a particular namespace.
#below are rules for all the resources inside a required namespace.
- apiGroups: ["*"]
#below resources objects examples are services, deployments, pv, pvc ..
#below we shall provide read only access
#Map to the user by creating rolebinding:
#bind it to either groups or service accounts
- kind: Group
5)Clusterrolebinding is for all namespaces inside the cluster.
#Example is "user-role" that we just created above.
- kind: Group
7. ETCD Cluster: Get to know about basic ETCD concepts, like backups and restore, how to restore a corrupted K8s cluster from ETCD backup and finally how to configure ETCD for Kubernetes.
8. Practice: I can’t stress enough, practice a lot with kubectl API using katacoda, this would save a lot of time during exam, use kubectl own API to get export of yml files to create any Kubernetes’ own service.
Certified Kubernetes Administrator cheat sheet
Finally, below I am attaching few support links for practice. At three hours, the exam is a little longer than other certifications, but don’t panic: you should have plenty of time to fix the cluster issues. Even if you don’t pass on the first try, every purchase includes a second attempt.
Hope you liked this article and found it helpful!