This guide is part of our blog How to Pass Certified Kubernetes Application Developer (CKAD) 2024 .
If you are using this repo for guidance, please hit the star. Thanks A lot !
The Certified Kubernetes Application Developer (CKAD) certification exam certifies that candidates can design, build and deploy cloud-native applications for Kubernetes.
CKAD Exam Details | Information |
---|---|
Exam Type | Performance based ( NO MCQ ) |
Exam Duration | 2 hours |
Pass Percentage | 66% |
CKAD Exam Kubernetes Version | Kubernetes v1.31 |
CKAD Validity | 2 Years |
Exam Cost | $395 USD (GET 30% OFF CKA Exam Coupon) π₯INCREASE PRICE: $434 in January 2025 |
Important
USE Coupon code TECK30 at checkout to GET 30% OFF before January 2025.
Kubernetes CKAD VOUCHER ($395 β> $276): teckbootcamps-30%off/ckaD
Topic | Concepts | Weightage |
---|---|---|
Application Design and Build - 20% | 1. Define, build, and modify container images 2. Understand Jobs and CronJobs 3. Understand multi-container Pod design patterns (e.g., sidecar, init, others) 4. Utilize persistent and ephemeral volumes |
20% |
Application Environment, Configuration, and Security - 25% | 1. Discover and use resources that extend Kubernetes (CRD) 2. Understand authentication, authorization, and admission control 3. Understand and define resource requirements, limits, and quotas 4. Understand ConfigMaps 5. Create & consume Secrets 6. Understand ServiceAccounts 7. Understand SecurityContexts |
25% |
Services & Networking - 20% | 1. Understand API deprecations 2. Implement probes and health checks 3. Use provided tools to monitor Kubernetes applications 4. Utilize container logs 5. Debugging in Kubernetes |
20% |
Application Deployment - 20% | 1. Use Kubernetes primitives to implement common deployment strategies (e.g., blue/green or canary) 2. Understand Deployments and perform rolling updates 3. Use Helm package manager to deploy existing packages |
20% |
Application Observability and Maintenance - 15% | 1. Understand API deprecations 2. Implement probes and health checks 3. Use provided tools to monitor Kubernetes applications 4. Utilize container logs 5. Debugging in Kubernetes |
15% |
The first domain in the CKAD exam is Application Design and Build, comprising 20% of the exam. Below are the key topics explained with kubectl
examples:
Building and customizing container images is essential for deploying applications in Kubernetes.
Create a Dockerfile:
FROM nginx:alpine
COPY index.html /usr/share/nginx/html/index.html
Build and push the image:
docker build -t <your-dockerhub-username>/custom-nginx:latest .
docker push <your-dockerhub-username>/custom-nginx:latest
Deploy the image in Kubernetes:
apiVersion: apps/v1
kind: Deployment
metadata:
name: custom-nginx
spec:
replicas: 2
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: <your-dockerhub-username>/custom-nginx:latest
kubectl apply -f deployment.yaml
Kubernetes provides various workload resources like Deployment, DaemonSet, and CronJob for different use cases.
Deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
name: web-app
spec:
replicas: 3
selector:
matchLabels:
app: web
template:
metadata:
labels:
app: web
spec:
containers:
- name: web-container
image: nginx
kubectl apply -f deployment.yaml
CronJob:
apiVersion: batch/v1
kind: CronJob
metadata:
name: backup-job
spec:
schedule: "0 2 * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: backup
image: busybox
args:
- "/bin/sh"
- "-c"
- "echo Backup complete"
restartPolicy: OnFailure
kubectl apply -f cronjob.yaml
Multi-container Pods enable closely related containers to work together, using patterns like sidecar, init container, etc.
Sidecar Container Pattern:
apiVersion: v1
kind: Pod
metadata:
name: sidecar-example
spec:
containers:
- name: main-app
image: busybox
command: ["sh", "-c", "echo Hello World; sleep 3600"]
- name: sidecar
image: busybox
command: ["sh", "-c", "tail -f /var/log/app.log"]
volumeMounts:
- name: log-volume
mountPath: /var/log
volumes:
- name: log-volume
emptyDir: {}
kubectl apply -f pod.yaml
Persistent volumes retain data across Pod restarts, while ephemeral volumes are temporary.
Persistent Volume:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: pvc-example
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
apiVersion: v1
kind: Pod
metadata:
name: pod-with-pvc
spec:
containers:
- name: app-container
image: nginx
volumeMounts:
- mountPath: /usr/share/nginx/html
name: storage
volumes:
- name: storage
persistentVolumeClaim:
claimName: pvc-example
kubectl apply -f pvc.yaml
kubectl apply -f pod.yaml
Ephemeral Volume:
apiVersion: v1
kind: Pod
metadata:
name: pod-with-ephemeral
spec:
containers:
- name: app-container
image: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
volumes:
- name: cache-volume
emptyDir: {}
kubectl apply -f pod-ephemeral.yaml
This domain constitutes 25% of the CKAD Exam. Below are the key topics explained with kubectl
examples:
Custom Resource Definitions (CRDs) and Operators extend Kubernetes functionality by defining and managing custom resources.
Create a CRD:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: widgets.example.com
spec:
group: example.com
names:
kind: Widget
listKind: WidgetList
plural: widgets
singular: widget
scope: Namespaced
versions:
- name: v1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
size:
type: string
kubectl apply -f crd.yaml
Authentication identifies users, authorization controls access, and admission control manages resource configurations.
View authentication configuration:
kubectl describe configmap -n kube-system extension-apiserver-authentication
Create a Role and RoleBinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-pods
namespace: default
subjects:
- kind: User
name: jane
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
kubectl apply -f role.yaml
kubectl apply -f rolebinding.yaml
Requests and limits define resource usage for containers, while quotas control resource usage at the namespace level.
Set resource requests and limits for a Pod:
apiVersion: v1
kind: Pod
metadata:
name: resource-demo
spec:
containers:
- name: busybox
image: busybox
resources:
requests:
memory: "64Mi"
cpu: "250m"
limits:
memory: "128Mi"
cpu: "500m"
kubectl apply -f pod.yaml
Set a Resource Quota:
apiVersion: v1
kind: ResourceQuota
metadata:
name: compute-quota
namespace: default
spec:
hard:
pods: "10"
requests.cpu: "4"
requests.memory: "2Gi"
limits.cpu: "8"
limits.memory: "4Gi"
kubectl apply -f resource-quota.yaml
ConfigMaps store configuration data for applications.
Create a ConfigMap:
kubectl create configmap app-config --from-literal=APP_ENV=production --from-literal=APP_DEBUG=false
Consume ConfigMap in a Pod:
apiVersion: v1
kind: Pod
metadata:
name: configmap-demo
spec:
containers:
- name: app-container
image: busybox
env:
- name: APP_ENV
valueFrom:
configMapKeyRef:
name: app-config
key: APP_ENV
- name: APP_DEBUG
valueFrom:
configMapKeyRef:
name: app-config
key: APP_DEBUG
kubectl apply -f pod.yaml
Setting resource requests and limits ensures efficient resource usage.
- Refer to Section 3: Requests and Limits for examples.
Secrets store sensitive data like passwords, tokens, and keys.
Create a Secret:
kubectl create secret generic db-credentials --from-literal=username=admin --from-literal=password=secret123
Consume Secret in a Pod:
apiVersion: v1
kind: Pod
metadata:
name: secret-demo
spec:
containers:
- name: app-container
image: busybox
env:
- name: DB_USERNAME
valueFrom:
secretKeyRef:
name: db-credentials
key: username
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: db-credentials
key: password
kubectl apply -f pod.yaml
ServiceAccounts provide identity for processes running in Pods.
Create a ServiceAccount:
kubectl create serviceaccount my-serviceaccount
Use a ServiceAccount in a Pod:
apiVersion: v1
kind: Pod
metadata:
name: sa-demo
spec:
serviceAccountName: my-serviceaccount
containers:
- name: app-container
image: busybox
kubectl apply -f pod.yaml
SecurityContexts define security settings for Pods and containers.
Set SecurityContext for a Pod:
apiVersion: v1
kind: Pod
metadata:
name: security-demo
spec:
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
containers:
- name: app-container
image: busybox
command: [ "sh", "-c", "echo Hello Kubernetes! && sleep 3600" ]
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
kubectl apply -f securitycontext.yaml
This domain constitutes 20% of the CKAD Exam. Below are the key topics explained with kubectl
examples:
NetworkPolicies are used to control the communication between Pods and network endpoints.
Create a NetworkPolicy to Allow Traffic from a Specific Pod:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-specific-pod
namespace: default
spec:
podSelector:
matchLabels:
app: web
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
ports:
- protocol: TCP
port: 80
kubectl apply -f networkpolicy.yaml
Verify NetworkPolicy:
kubectl describe networkpolicy allow-specific-pod
Services enable access to applications running in Pods.
Create a ClusterIP Service:
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
selector:
app: web
ports:
- protocol: TCP
port: 80
targetPort: 8080
kubectl apply -f service.yaml
Test Service Access:
kubectl get svc my-service
kubectl exec -it <pod-name> -- curl http://my-service
Troubleshoot Service:
kubectl describe svc my-service
kubectl get endpoints my-service
Ingress exposes HTTP and HTTPS routes to services within the cluster.
Create an Ingress Resource:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example-ingress
spec:
rules:
- host: example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: my-service
port:
number: 80
kubectl apply -f ingress.yaml
Verify Ingress:
kubectl get ingress example-ingress
Test Ingress Access:
curl -H "Host: example.com" <ingress-ip>
This domain constitutes 20% of the CKAD Exam. Below are the key topics explained with kubectl
examples and tools like Helm and Kustomize.
Kubernetes provides mechanisms to implement deployment strategies such as blue/green and canary deployments.
Create two Deployments (blue and green) and switch traffic using a Service:
apiVersion: apps/v1
kind: Deployment
metadata:
name: blue-deployment
spec:
replicas: 3
selector:
matchLabels:
app: my-app
version: blue
template:
metadata:
labels:
app: my-app
version: blue
spec:
containers:
- name: app
image: my-app:blue
apiVersion: apps/v1
kind: Deployment
metadata:
name: green-deployment
spec:
replicas: 3
selector:
matchLabels:
app: my-app
version: green
template:
metadata:
labels:
app: my-app
version: green
spec:
containers:
- name: app
image: my-app:green
Switch the Service to point to the green Deployment:
apiVersion: v1
kind: Service
metadata:
name: my-app-service
spec:
selector:
app: my-app
version: green
ports:
- protocol: TCP
port: 80
targetPort: 8080
kubectl apply -f blue-deployment.yaml
kubectl apply -f green-deployment.yaml
kubectl apply -f service.yaml
Gradually shift traffic to a new version:
apiVersion: apps/v1
kind: Deployment
metadata:
name: canary-deployment
spec:
replicas: 1
selector:
matchLabels:
app: my-app
version: canary
template:
metadata:
labels:
app: my-app
version: canary
spec:
containers:
- name: app
image: my-app:canary
kubectl apply -f canary-deployment.yaml
kubectl scale deployment canary-deployment --replicas=3
Deployments manage updates to applications while ensuring zero downtime.
Create a Deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
name: rolling-update-demo
spec:
replicas: 3
selector:
matchLabels:
app: demo
template:
metadata:
labels:
app: demo
spec:
containers:
- name: app
image: my-app:v1
kubectl apply -f deployment.yaml
Update the Deployment with a New Image:
kubectl set image deployment/rolling-update-demo app=my-app:v2
Monitor the Update:
kubectl rollout status deployment/rolling-update-demo
Rollback if Necessary:
kubectl rollout undo deployment/rolling-update-demo
Helm simplifies application management by using reusable charts.
Install Helm and Deploy a Package:
helm repo add bitnami https://charts.bitnami.com/bitnami
helm install my-release bitnami/nginx
Upgrade a Release:
helm upgrade my-release bitnami/nginx --set image.tag=latest
Uninstall a Release:
helm uninstall my-release
Kustomize allows you to customize Kubernetes manifests without modifying the original files.
Create a Base Deployment:
# base/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: kustomize-demo
spec:
replicas: 2
selector:
matchLabels:
app: demo
template:
metadata:
labels:
app: demo
spec:
containers:
- name: app
image: my-app:v1
Create an Overlay to Patch the Base:
# overlays/production/patch.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: kustomize-demo
spec:
replicas: 5
Apply Kustomize:
kubectl apply -k overlays/production/
This domain constitutes 15% of the CKAD Exam. Below are the key topics explained with kubectl
examples to enhance your understanding of observability and maintenance.
Kubernetes APIs evolve over time. It's essential to understand deprecated APIs and their replacements.
Check for Deprecated APIs in Manifests:
kubectl convert -f deployment-v1beta1.yaml --output-version=apps/v1
Verify Deprecated API Usage in the Cluster:
kubectl get events --all-namespaces | grep -i deprecated
Probes ensure application health by checking the status of Pods.
Add Liveness and Readiness Probes:
apiVersion: apps/v1
kind: Deployment
metadata:
name: probe-demo
spec:
replicas: 2
selector:
matchLabels:
app: demo
template:
metadata:
labels:
app: demo
spec:
containers:
- name: app
image: my-app:latest
livenessProbe:
httpGet:
path: /healthz
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
readinessProbe:
httpGet:
path: /readyz
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
kubectl apply -f probe-demo.yaml
Check Probe Status:
kubectl describe pod <pod-name>
Kubernetes offers various tools for monitoring application performance and health.
View Resource Utilization:
kubectl top nodes
kubectl top pods
Describe Resources:
kubectl describe pod <pod-name>
kubectl describe node <node-name>
Get Cluster Events:
kubectl get events --all-namespaces
Logs are critical for diagnosing application issues.
View Logs for a Specific Pod:
kubectl logs <pod-name>
Stream Logs:
kubectl logs -f <pod-name>
View Logs for a Specific Container in a Pod:
kubectl logs <pod-name> -c <container-name>
Debugging involves identifying and resolving issues in Pods, Deployments, or the cluster.
Get Pod Details:
kubectl get pod <pod-name> -o yaml
Exec into a Pod for Debugging:
kubectl exec -it <pod-name> -- /bin/bash
Debug a Node:
kubectl debug node/<node-name> --image=busybox
The best way to prepare is to practice a lot! The setups below will provide you with a Kubernetes cluster where you can perform all the required practice. The CKAD exam expects you to solve problems on a live cluster.
Note: CKAD does not include any multiple-choice questions (MCQs). Hands-on practice is essential!
- Killercoda: An online interactive platform to practice Kubernetes and other DevOps tools in a realistic environment.
- Minikube: A tool that lets you run a Kubernetes cluster locally, ideal for individual practice on your local machine.
- π Guide to Kubernetes Application Development](https://teckbootcamps.com/ckad-exam-study-guide/)Blog
- π¬ Kubernetes Slack Channel #certificationsSlack
- ποΈ Udemy: CKAD Certified Kubernetes Application Developer Crash CourseBlog
If this repo has helped you in any way, feel free to share and star !