
Overview

This challenge set contains 17 practical tasks designed to test your Kubernetes administration skills. Each task reflects real-world scenarios you’ll encounter in the CKA exam.
Work through these challenges in a practice cluster. Time yourself to simulate exam conditions.

Task 1: RBAC - Extracting Information

Objectives:
  1. Extract all kubeconfig context names to /tmp/contexts, one per line
  2. Write the current context name to /tmp/current-context
  3. Base64-decode the client certificate of user account-0027 and save it to /tmp/cert
Skills Tested:
  • kubeconfig manipulation
  • Context management
  • Base64 encoding/decoding
  • File operations
Use kubectl config view to inspect kubeconfig structure. Combine with grep, awk, or jsonpath for extraction.
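An added example, not part of the original challenge set: the three extractions done offline with awk and base64 against a constructed kubeconfig, so the parsing can be checked without a cluster. The function names, context names and dummy certificate are assumptions; the comments show the equivalent kubectl commands.

```shell
#!/bin/sh
# On a cluster the same three answers come from:
#   kubectl config get-contexts -o name > /tmp/contexts
#   kubectl config current-context > /tmp/current-context
#   kubectl config view --raw -o jsonpath='{.users[?(@.name=="account-0027")].user.client-certificate-data}' | base64 -d > /tmp/cert
# Without --raw, kubectl replaces the certificate data with a placeholder.

# Constructed dummy PEM, not a real certificate.
SAMPLE_PEM='-----BEGIN CERTIFICATE-----
CONSTRUCTED-SAMPLE-NOT-A-REAL-CERT
-----END CERTIFICATE-----'

# Constructed, abbreviated kubeconfig with two contexts and two users.
make_sample_kubeconfig() {
  b64=$(printf '%s\n' "$SAMPLE_PEM" | base64 | tr -d '\n')
  cat <<EOF
current-context: ctx-a
contexts:
- context: {cluster: demo, user: account-0026}
  name: ctx-a
- context: {cluster: demo, user: account-0027}
  name: ctx-b
users:
- name: account-0026
  user:
    client-certificate-data: AAAA
- name: account-0027
  user:
    client-certificate-data: $b64
EOF
}

# Top-level keys start in column 0; track which section each line belongs to.
context_names() {
  awk '/^[A-Za-z]/ { sect = $1 } sect == "contexts:" && $1 == "name:" { print $2 }' "$1"
}

current_context() { awk '$1 == "current-context:" { print $2 }' "$1"; }

client_cert() {  # $1 = kubeconfig file, $2 = user name
  awk -v user="$2" '
    /^[A-Za-z]/ { sect = $1 }
    sect == "users:" && $1 == "-" && $2 == "name:" { hit = ($3 == user) }
    sect == "users:" && hit && $1 == "client-certificate-data:" { print $2 }
  ' "$1" | base64 -d
}

f=$(mktemp); make_sample_kubeconfig > "$f"
context_names "$f"; current_context "$f"; client_cert "$f" account-0027; rm -f "$f"
```

The certificate itself is public material; the client-key-data field stored next to it in a real kubeconfig is the secret.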

Task 2: Helm - Installing Application

Objectives:
  1. Create namespace: Create the minio namespace
  2. Install Helm chart: Install the minio/operator Helm chart into the minio namespace as release minio-operator
  3. Edit tenant configuration: Edit /opt/course/2/minio-tenant.yaml to enable SFTP:
       features:
         enableSFTP: true
  4. Apply tenant resource: Apply the updated Tenant resource
Skills Tested:
  • Helm chart installation
  • Namespace management
  • YAML editing
  • Custom resource application

Task 3: Pod Management

Objective: In the project-h800 namespace, scale the two o3db-* Pods down to one replica to conserve resources.
Skills Tested:
  • Resource identification
  • Scaling operations
  • Namespace-scoped commands
Use kubectl get to identify the workload type (Deployment, StatefulSet, etc.) before scaling.

Task 4: Pod Management & QoS

Objective: Identify the Pods in project-c13 that are likely to be terminated first under resource pressure. Write their names to /tmp/pods-terminated-first.txt.
Skills Tested:
  • Quality of Service (QoS) classes
  • Pod eviction behavior
  • Resource limits and requests
  • File output operations
QoS Classes (eviction order):
  1. BestEffort (terminated first)
  2. Burstable
  3. Guaranteed (terminated last)
Pods without resource requests or limits are classified as BestEffort and will be evicted first.
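The classification rules behind the three classes, as an added example that is not part of the original challenge set; it goes beyond the BestEffort case named above and derives all three classes from per-container requests and limits. The Pod names and values are constructed, the function names are assumptions, and quantities are compared as strings.

```shell
#!/bin/sh
# On a cluster the class is already computed and can be read directly:
#   kubectl -n project-c13 get pods -o custom-columns=NAME:.metadata.name,QOS:.status.qosClass

# Constructed sample. Columns: pod container cpu_req cpu_limit mem_req mem_limit ("-" = unset)
sample_pods() {
cat <<'EOF'
web-1    app      -     -     -     -
web-2    app      100m  -     64Mi  128Mi
web-3    app      200m  200m  64Mi  64Mi
web-3    sidecar  -     50m   -     32Mi
web-4    app      100m  100m  64Mi  64Mi
web-4    sidecar  -     -     -     -
EOF
}

qos_classes() {
  awk '
    {
      pod = $1; cr = $3; cl = $4; mr = $5; ml = $6
      if (!(pod in seen)) { seen[pod] = 1; order[++n] = pod; guaranteed[pod] = 1 }
      # A limit without a request makes the request default to the limit.
      if (cr == "-") cr = cl
      if (mr == "-") mr = ml
      if (cr != "-" || cl != "-" || mr != "-" || ml != "-") any[pod] = 1
      # Guaranteed needs cpu and memory limits on every container, equal to the requests.
      if (cl == "-" || ml == "-" || cr != cl || mr != ml) guaranteed[pod] = 0
    }
    END {
      for (i = 1; i <= n; i++) {
        p = order[i]
        print p, (!any[p] ? "BestEffort" : guaranteed[p] ? "Guaranteed" : "Burstable")
      }
    }
  '
}

# Names of the Pods in the first-terminated class, the list Task 4 asks for.
evicted_first() { qos_classes | awk '$2 == "BestEffort" { print $1 }'; }

sample_pods | qos_classes
```

A single container without requests or limits is enough to move an otherwise Guaranteed Pod to Burstable, as web-4 shows.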

Task 5: HPA Setup

Objective: Replace the existing autoscaler with a HorizontalPodAutoscaler for the api-gateway.
  1. Remove ConfigMap: Remove the horizontal-scaling-config ConfigMap
  2. Create HPA for staging: Create HPA named api-gateway:
     • Min replicas: 2
     • Max replicas: 4
     • Target CPU utilization: 50%
  3. Create HPA for production: Same configuration but max replicas: 6
  4. Apply with kustomize:
     kubectl kustomize /opt/course/5/api-gateway/staging | kubectl apply -f -
     kubectl kustomize /opt/course/5/api-gateway/prod | kubectl apply -f -
Skills Tested:
  • HorizontalPodAutoscaler configuration
  • Kustomize usage
  • Multi-environment management

Task 6: Persistent Volumes

Objective: Create a complete storage solution with PV, PVC, and Deployment.
PersistentVolume:
  • Name: safari-pv
  • Capacity: 2Gi
  • AccessMode: ReadWriteOnce
  • Path: /Volumes/Data
PersistentVolumeClaim (in project-t230):
  • Name: safari-pvc
  • Storage: 2Gi
Deployment:
  • Name: safari
  • Namespace: project-t230
  • Mount path: /tmp/safari-data
  • Image: httpd:2-alpine
Skills Tested:
  • PersistentVolume configuration
  • PersistentVolumeClaim creation
  • Volume mounting in deployments
  • Storage binding

Task 7: Monitoring Resource Consumption

Objective: Write two bash scripts using kubectl to gather resource metrics.
Skills Tested:
  • kubectl top commands
  • Metrics server usage
  • Bash scripting
  • Resource monitoring
Use kubectl top nodes and kubectl top pods as starting points. Consider sorting and filtering options.

Task 8: Upgrade & Join Worker

Objective:
  1. Upgrade node: Upgrade cka3962-node1 to match the control plane Kubernetes version
  2. Join cluster: Join it to the cluster using kubeadm
Skills Tested:
  • kubeadm upgrade workflow
  • Node joining process
  • Version compatibility
  • Cluster operations
Drain the node before upgrading and uncordon after completion. Always upgrade the control plane before worker nodes.

Task 9: Service Account

Objective: Create a Pod that queries the Kubernetes API using a ServiceAccount.
  1. Create pod: Create Pod api-contact in project-swan namespace
  2. Use ServiceAccount: Use the secret-reader ServiceAccount
  3. Query API: Use curl inside the Pod to query all Secrets from the Kubernetes API
  4. Save result: Save the result to /opt/course/9/result.json
Skills Tested:
  • ServiceAccount assignment
  • Kubernetes API access from pods
  • curl and API authentication
  • Token mounting
ServiceAccount tokens are automatically mounted at /var/run/secrets/kubernetes.io/serviceaccount/token

Task 10: RBAC

Objective: In namespace project-hamster, create RBAC resources to grant limited permissions.
Create:
  • ServiceAccount: processor
  • Role: processor
  • RoleBinding: processor
Permissions: Grant permission to create only:
  • Secrets
  • ConfigMaps
Skills Tested:
  • ServiceAccount creation
  • Role definition
  • RoleBinding configuration
  • Permission scoping

Task 11: Taints and Tolerations

Objective: In namespace project-tiger, create a DaemonSet that runs on all nodes including control planes.
DaemonSet: ds-important
  • Image: httpd:2-alpine
  • Labels: id=ds-important, uuid=18426a0b-5f59-4e10-923f-c0e078e82462
  • Resource requests: 10m CPU, 10Mi Memory
  • Must run on all nodes (including control planes)
Skills Tested:
  • DaemonSet configuration
  • Tolerations for control plane taints
  • Resource requests
  • Label management
Control plane nodes typically have the taint node-role.kubernetes.io/control-plane:NoSchedule. Add a matching toleration.

Task 12: Deployment

Objective: In namespace project-tiger, create a Deployment with pod anti-affinity.
Deployment: deploy-important
  • Replicas: 3
  • Labels: id=very-important
Containers:
  • container1: nginx:1-alpine
  • container2: google/pause
Anti-Affinity:
  • Use topologyKey: kubernetes.io/hostname
  • Ensure 1 Pod per node
Skills Tested:
  • Multi-container pods
  • Pod anti-affinity
  • Topology spread
  • Deployment configuration

Task 13: Gateway API

Objective: In namespace project-r500, migrate from Ingress to Gateway API.
  1. Review existing Ingress: Examine /opt/course/13/ingress.yaml
  2. Create HTTPRoute: Create HTTPRoute named traffic-director:
     • Replicate existing routes from Ingress
  3. Add conditional routing: Add /auto path logic:
     • If User-Agent: mobile → redirect to /mobile
     • Otherwise → redirect to /desktop
  4. Test routes:
     curl r500.gateway:30080/desktop
     curl r500.gateway:30080/mobile
     curl r500.gateway:30080/auto -H "User-Agent: mobile"
     curl r500.gateway:30080/auto
Skills Tested:
  • Gateway API understanding
  • HTTPRoute configuration
  • Header-based routing
  • Ingress migration

Task 14: Cluster Certificates

Objective: Inspect and document cluster certificate expiration.
  1. Check with openssl: Check kube-apiserver certificate expiration using openssl or cfssl
  2. Save expiration date: Save the date to /opt/course/14/expiration
  3. Verify with kubeadm: Use kubeadm to confirm the expiration
  4. Document renewal command: Save the kubeadm renew command to /opt/course/14/kubeadm-renew-certs.sh
Skills Tested:
  • Certificate inspection
  • kubeadm certificate management
  • OpenSSL usage
  • Cluster security
Use kubeadm certs check-expiration to quickly view all certificate expiration dates.

Task 15: Network Policy

Objective: In namespace project-snake, create NetworkPolicy named np-backend.
Requirements:
Allow backend-* Pods to:
  • Connect to db1-* Pods on port 1111
  • Connect to db2-* Pods on port 2222
Skills Tested:
  • NetworkPolicy configuration
  • Egress rules
  • Pod selector matching
  • Port-based filtering
Remember to specify both pod selectors and port numbers. Network policies are namespace-scoped.
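One way to write np-backend, as an added example that is not part of the original challenge set: the too-broad single-rule form beside the per-destination form, with a small awk check that tells them apart. The app=backend, app=db1 and app=db2 labels and all function names are assumptions.

```shell
# Labels are assumptions; read the real ones with: kubectl -n project-snake get pods --show-labels
np_head() {
cat <<'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: np-backend, namespace: project-snake}
spec:
  podSelector: {matchLabels: {app: backend}}
  policyTypes: [Egress]
  egress:
EOF
}

# Too broad: peers and ports in one rule combine, so backend also reaches db1 on 2222.
np_broad() {
np_head; cat <<'EOF'
  - to:
    - podSelector: {matchLabels: {app: db1}}
    - podSelector: {matchLabels: {app: db2}}
    ports:
    - {protocol: TCP, port: 1111}
    - {protocol: TCP, port: 2222}
EOF
}

# Intended: one egress rule per destination, each with its own port.
np_strict() {
np_head; cat <<'EOF'
  - to:
    - podSelector: {matchLabels: {app: db1}}
    ports:
    - {protocol: TCP, port: 1111}
  - to:
    - podSelector: {matchLabels: {app: db2}}
    ports:
    - {protocol: TCP, port: 2222}
EOF
}
# Count egress rules that pair several peers with several ports (this layout only).
cross_product_rules() {
  awk '
    function endrule() { if (peers > 1 && ports > 1) bad++; peers = ports = 0 }
    /^  - to:/    { endrule(); sect = "to"; next }
    /^    ports:/ { sect = "ports"; next }
    /^    - /     { if (sect == "to") peers++; else if (sect == "ports") ports++ }
    END           { endrule(); print bad + 0 }
  '
}
echo "broad=$(np_broad | cross_product_rules) strict=$(np_strict | cross_product_rules)"
```

Apply with np_strict | kubectl apply -f -. Once the policy selects the backend Pods for Egress, all other outbound traffic from them, DNS lookups included, is dropped unless another rule allows it.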

Task 16: CoreDNS Custom Domain

Objective: Configure CoreDNS to support a custom domain in addition to the default cluster.local.
  1. Backup configuration: Backup current CoreDNS config to /tmp/coredns_backup.yaml
  2. Update CoreDNS: Update CoreDNS ConfigMap to support:
     • SERVICE.NAMESPACE.svc.cluster.local (default)
     • SERVICE.NAMESPACE.svc.custom-domain (new)
  3. Test resolution:
     nslookup kubernetes.default.svc.cluster.local
     nslookup kubernetes.default.svc.custom-domain
Skills Tested:
  • CoreDNS configuration
  • ConfigMap editing
  • DNS testing
  • Service discovery

Task 17: Container Debugging

Objective: Use crictl to debug a container at the node level.
  1. Create pod: In namespace project-tiger, create Pod tigers-reunite:
     • Labels: pod=container, container=pod
     • Image: httpd:2-alpine
  2. SSH to node: SSH into the node where the pod is scheduled
  3. Use crictl: Use crictl to:
     • Find the container ID
     • Save container ID and info.runtimeType to /tmp/pod-container.txt
     • Save container logs to /tmp/pod-container.log
Skills Tested:
  • crictl commands
  • Container runtime interaction
  • Node-level debugging
  • SSH access
Use crictl ps to list containers and crictl inspect to get detailed information.

Practice Tips

  • Time yourself: Allocate 6-8 minutes per task
  • Verify each solution before moving on
  • Practice switching contexts and namespaces quickly
  • Keep kubernetes.io documentation handy
  • Review mistakes and understand why solutions work
