CKA Certification 2026: What's New and How to Prepare in 30 Days

Quick summary: The CKA exam refreshed in late 2025 brought it in line with Kubernetes 1.30+. Gateway API is in, ingress emphasis is reduced. Network policy, RBAC, and storage remain heavily weighted. The exam is still 2 hours, hands-on, with proctored remote delivery. A focused 30-day study plan covering the seven domains, paired with a personal lab environment that mirrors the exam interface, gets most candidates from "comfortable Kubernetes user" to "passing CKA candidate." This guide walks through the updated domain weights, the study resources worth your time in 2026, the lab setup, and the exam-day patterns that prevent the most common failures.

What Changed in the 2025 Refresh

The CFP-CNCF (the joint certifications body) refreshes the CKA every 18-24 months to reflect what production Kubernetes practitioners actually need. The late-2025 refresh:

• Gateway API added. Replaces some of the previous Ingress emphasis. You should know how to define HTTPRoute, GatewayClass, and Gateway resources.
• Structured logging emphasis. Understanding how to interpret structured kubelet/kube-apiserver logs.
• Pod Security Standards. Replaces Pod Security Policies (which were removed in 1.25). You should know the three profiles (privileged, baseline, restricted) and how to enforce them via labels.
• Reduced PSP/legacy material. PSP, dockershim, in-tree volume providers — all removed from the exam domain.
• Helm v3. Some questions assume Helm familiarity for installation/upgrade tasks.
• Slight reweighting of domains. Storage went up, scheduling went down, troubleshooting stayed at 30%.

Current domain weights (2026)

Troubleshooting remains the largest single domain — and unsurprisingly is where most candidates lose points.

Prerequisites: Are You Ready to Study?

The CKA assumes you already have hands-on Kubernetes experience. Before starting a 30-day prep, you should be comfortable with:

• Running kubectl commands without looking at the help output for basic operations.
• Reading and writing YAML manifests for the core resource types (Pod, Deployment, Service, ConfigMap, Secret, PVC).
• Understanding the basic Kubernetes architecture (control plane vs nodes, what each component does).
• Linux command-line fluency (you will be doing a lot of grepping logs and editing files).

If any of these are shaky, budget 2-4 weeks of foundational study before the 30-day prep starts. Trying to learn Kubernetes basics during CKA prep is too much in too little time.

The 30-Day Study Plan

Week 1: Architecture and core resources

Goals: comfortable with cluster architecture, kubectl muscle memory, core resource types.

• Days 1-2: Cluster architecture. Read the official Kubernetes docs on components (kube-apiserver, etcd, kube-scheduler, kube-controller-manager, kubelet, kube-proxy, container runtime). Understand the request flow for "kubectl apply".
• Days 3-4: kubectl mastery. Practice the imperative commands (kubectl run, kubectl create, kubectl expose, kubectl scale) and the YAML-generating tricks (--dry-run=client -o yaml).
• Days 5-7: Workload resources. Create and manipulate Pods, Deployments, ReplicaSets, DaemonSets, StatefulSets, Jobs, CronJobs from both YAML and imperative commands. Understand scheduling basics — node selectors, taints/tolerations, affinity rules.

End of week 1: you should be able to spin up workloads quickly, debug pod scheduling failures, and understand what each cluster component does.

Week 2: Networking and security

• Days 8-9: Services. ClusterIP, NodePort, LoadBalancer, ExternalName. Understand kube-proxy modes (iptables, ipvs). Practice exposing workloads.
• Days 10-11: Ingress and Gateway API. Build a working ingress for HTTP/HTTPS, then build the Gateway API equivalent. Know when to use which.
• Days 12-13: NetworkPolicy. Allow/deny rules, namespace selectors, ingress vs egress. Practice writing policies that segment traffic between namespaces.
• Day 14: RBAC and security. ServiceAccounts, Roles, RoleBindings, ClusterRoles, ClusterRoleBindings. Pod Security Standards. Practice creating a service account with minimal RBAC.

Week 3: Storage and configuration

• Days 15-16: Storage. PersistentVolume, PersistentVolumeClaim, StorageClass. Understand reclaim policies, access modes. Practice provisioning storage and binding to pods.
• Days 17-18: ConfigMap and Secret. Multiple ways to consume (env vars, mounted files), updating, immutable configs. Subtleties of mounted volume updates vs env var caching.
• Days 19-20: Resource management. Requests, limits, LimitRange, ResourceQuota. Understand QoS classes (Guaranteed, Burstable, BestEffort).
• Day 21: Helm basics. Install, upgrade, rollback charts. Understand values overrides.

Week 4: Troubleshooting and exam prep

• Days 22-24: Cluster-level troubleshooting. Failing nodes, control plane debugging (etcd, kube-apiserver), kubelet log analysis. The kubectl get componentstatus command, the journalctl -u kubelet pattern.
• Days 25-26: Workload troubleshooting. Crashlooping pods, ImagePullBackOff, Pending pods, networking failures, RBAC denials. Build a mental decision tree for "what do I check first when X fails."
• Days 27-28: Practice exams. Use one of the simulators (Killer Coda, KodeKloud, A Cloud Guru). Time yourself; aim to finish with 15-20 minutes of buffer.
• Day 29: Weak-area review. Whatever you fumbled on practice exams, drill it.
• Day 30: Light day. Review notes, set up your exam environment, get a good night's sleep.

Lab Environment Setup

Match the exam environment as closely as you can during practice.

Option 1: kind (recommended for laptops)

# Multi-node cluster
kind create cluster --config - <<EOF
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
- role: worker
- role: worker
EOF

Free, fast, runs on any laptop. Lacks some real-cluster features but is fine for 95% of CKA practice.

Option 2: kubeadm on cloud VMs

Spin up 3-4 VMs on a cloud provider (DigitalOcean, Hetzner, AWS Lightsail). Install Kubernetes via kubeadm. Closest match to the actual exam, especially for the cluster-installation domain.

Option 3: K3s on Raspberry Pi

If you have hardware sitting around. Excellent for getting comfortable with real-cluster operations on a budget.

Critical: configure kubectl autocompletion and aliases

# In your shell rc file
source <(kubectl completion bash)
alias k=kubectl
complete -F __start_kubectl k
export do='--dry-run=client -o yaml'
export now='--force --grace-period=0'

The exam allows aliases. Set them up the same way in your practice environment so they are muscle memory.

Exam-Day Strategy

The night before

Skim your notes. Don't try to learn anything new. Sleep well. Verify your testing environment (PSI Bridge or whatever the current proctoring platform is) works correctly.

The exam itself

• Read every question carefully. The question wording specifies what context (kubectl context, namespace) to use. Misreading costs more time than reading carefully.
• Use kubectl explain. Field names you don't quite remember are one kubectl explain pod.spec.containers away.
• Generate YAML imperatively, then edit. kubectl create deployment nginx --image=nginx $do > deployment.yaml gives you a starting YAML you can edit, much faster than writing from scratch.
• Skip and return. If a question is taking too long, mark it for review and move on. The exam allows revisiting questions.
• Always switch context first. Each question may require a different cluster context. kubectl config use-context as the first action prevents catastrophic "wrong cluster" errors.
• Verify your work. After completing a task, verify it actually worked. kubectl get, kubectl describe, or actually exec into the resulting pod.

Time management

17 questions in 120 minutes = ~7 minutes per question average. Some are 2-3 minute questions; some are 12-15 minute questions. The 30% troubleshooting domain typically has the longest individual questions. Aim to finish the easier questions first to build score buffer for the harder ones.

Resources Worth Using

• Kubernetes official docs. The exam allows you to use kubernetes.io/docs during the exam. Get fluent with the docs structure now.
• Killer Coda CKA simulator. Two attempts come with the exam registration. Use them. The questions and time pressure closely match the real exam.
• KodeKloud CKA course. The most popular paid course; well-structured, includes labs.
• "Kubernetes Up & Running" (3rd edition). Solid book reference; fills in gaps where docs are too terse.
• kubectl cheat sheet. The official one is excellent; print it out.

Common Failure Patterns to Avoid

1. Wrong cluster context

Doing all the work for question 5 in the cluster from question 4. Always switch context first.

2. Wrong namespace

The question specifies a namespace; you forget the -n flag. Set kubectl config set-context --current --namespace=foo immediately after switching context.

3. Spending too long on one question

The exam is pass/fail at 66%. Better to skip one hard question and answer five easy ones than the reverse.

4. Not testing your work

You created the resource; you assume it works. The exam grades the actual cluster state, not your YAML files. Always verify.

5. Not using imperative commands

Writing YAML from scratch when you could generate it. The exam is timed; speed matters.

6. Underestimating troubleshooting

30% of the score. If you're rusty on debugging crashlooping pods, fix that before the exam.

Domain-Specific Study Tips

Cluster Architecture, Installation & Configuration (25%)

Practice kubeadm init and kubeadm join from scratch at least three times until you can do it without referencing the docs. Know the exact files involved: /etc/kubernetes/manifests/, /etc/kubernetes/admin.conf, /var/lib/etcd, /var/lib/kubelet/. Practice cluster upgrades — the exam often includes a "upgrade this cluster from version A to version B" task. Know how to back up and restore etcd; this is a recurring exam staple.

Workloads & Scheduling (15%)

Get fluent with the imperative shortcuts: kubectl create deployment, kubectl set image, kubectl rollout, kubectl scale. Know how to taint nodes and add tolerations. Know how nodeAffinity differs from podAffinity. The CronJob and Job resources show up; understand their lifecycle.

Services & Networking (20%)

Know all four Service types and when to use each. Practice writing NetworkPolicy from scratch — most candidates have read about NetworkPolicy but never written one. Gateway API is new on the exam; spend at least a few hours building HTTPRoutes and Gateways.

Storage (10%)

Smallest domain by weight, but the questions tend to be straightforward. Know the relationship between StorageClass, PVC, and PV. Understand reclaim policies (Retain vs Delete) and access modes (ReadWriteOnce, ReadWriteMany, ReadOnlyMany).

Troubleshooting (30%)

The largest domain. Build a checklist for each failure mode: pod won't start, pod crashes, pod can't reach service, pod can't pull image, node not ready, kubelet broken, control plane component down. Practice using kubectl describe, kubectl logs --previous, journalctl -u kubelet, and crictl ps until they are reflexive.

Frequently Asked Questions

Is the CKA still worth getting in 2026?

For Kubernetes-focused roles, yes. It is widely recognized in hiring, signals real hands-on competence (it is performance-based, not multiple choice), and remains the most respected Kubernetes credential.

How does CKA differ from CKAD and CKS?

CKA is administrator-focused (cluster operations). CKAD is developer-focused (workload deployment). CKS is security-focused (assumes you have CKA already). For platform engineers, CKA + CKS is the common pair.

What's the cost?

$395 in 2026, with frequent discount codes. Includes one retake.

How long is the certification valid?

Three years. Renewal options include retaking the current exam or completing PSI's continuing-education option.

Should I do CKAD first if I'm new?

If you primarily deploy workloads to clusters someone else operates, yes — CKAD is more focused. If you want full Kubernetes operational competence, go straight to CKA.

How important is speed?

Very. Most candidates who fail run out of time, not knowledge. Practice with a timer.

Can I use copilot or AI tools during the exam?

No — the exam environment is locked down. You have access to kubernetes.io docs and the standard CLI tools, nothing else.

One Real Candidate's Story

A platform engineer we mentored prepped for the refreshed CKA in early 2026. Background: 3 years of Kubernetes experience as a workload deployer, but had never actually installed or deeply administered a cluster. Took the 30-day plan above seriously, including the lab setup. Practice exam scores: 60% on first attempt (week 3), 78% on second attempt (week 4). Real exam: passed with 84%, finished with 18 minutes to spare. Key things she said helped most: the kubectl alias setup, religious context-switching habit, and brutally honest practice-exam debriefs (figuring out exactly why she missed each question rather than glossing over it). Total study time: roughly 75 hours over 30 days, mostly evenings and weekends. Net assessment: passed comfortably; would recommend the same plan to others.

Further Reading from the Dargslan Library

• DevOps & Cloud category — Kubernetes administration, cluster operations, and cloud-native architecture.
• Security & Hardening category — Kubernetes RBAC, network policy, and Pod Security Standards.
• Free cheat sheet library — printable kubectl, YAML resource templates, and CKA exam quick references.
• Dargslan eBook library — comprehensive Kubernetes administration courses and CKA-focused study material.

The Bottom Line

The CKA in 2026 is a fair, performance-based test of real Kubernetes administration competence. The 30-day plan above is realistic for someone who already has Kubernetes user-level experience and can dedicate 2-3 hours per evening plus longer weekend sessions. Set up the lab early, practice with a timer, master the imperative kubectl patterns, and treat troubleshooting as the highest-priority domain. Most candidates who follow a structured plan pass on first attempt; those who try to wing it on existing experience usually need a retake.