215+ Free CKA Practice Questions

Pass your Certified Kubernetes Administrator (CKA) exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately

~60-65% Pass Rate

215+ Questions

100% Free

1 / 215

Question 1

Score: 0/0

A Kubernetes administrator needs to grant a user read-only access to pods in the "production" namespace. Which RBAC resource should be created first?

RoleBinding

ClusterRole

Role

ServiceAccount

to track

2026 Statistics

Key Facts: CKA Exam

~60-65%

Est. Pass Rate

Industry estimate

66%

Passing Score

CNCF

80-120 hrs

Study Time

Recommended

15-20

Tasks

Performance-based

$395

Exam Fee

CNCF (includes 1 retake)

2 years

Valid For

CNCF

The Certified Kubernetes Administrator (CKA) is a hands-on, performance-based exam with an estimated 60-65% first-attempt pass rate. Candidates must score 66% or higher to pass. The exam consists of 15-20 performance-based tasks to be completed in 2 hours. Troubleshooting (30%) is the largest domain. The CKA is widely recognized as the gold standard for Kubernetes administration skills and is a prerequisite for the CKS (Kubernetes Security Specialist) certification.

Sample CKA Practice Questions

Try these sample questions to test your CKA exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 215+ question experience with AI tutoring.

1A Kubernetes administrator needs to grant a user read-only access to pods in the "production" namespace. Which RBAC resource should be created first?

A.RoleBinding

B.ClusterRole

C.Role

D.ServiceAccount

Explanation: A Role defines the permissions (rules) within a specific namespace. To grant read-only access to pods, you first create a Role with the appropriate permissions (get, list, watch on pods), then bind it to the user with a RoleBinding. A RoleBinding alone does not define permissions—it only binds existing permissions to subjects. ClusterRole is for cluster-wide or cross-namespace permissions, and ServiceAccount is for pod authentication, not user permissions.

2Which kubectl command creates a ClusterRole named "pod-reader" that allows get, list, and watch operations on pods across all namespaces?

A.kubectl create role pod-reader --verb=get,list,watch --resource=pods

B.kubectl create clusterrole pod-reader --verb=get,list,watch --resource=pods

C.kubectl auth can-i get pods --as=pod-reader

D.kubectl create serviceaccount pod-reader --clusterrole=pod-reader

Explanation: The command "kubectl create clusterrole" creates a ClusterRole, which applies across all namespaces. The --verb flag specifies allowed operations, and --resource specifies the resource type. The "create role" command creates a namespaced Role, "auth can-i" tests permissions, and "create serviceaccount" creates a service account, not a role.

3A developer needs to impersonate a service account named "app-sa" in the "staging" namespace to test permissions. Which kubectl command should be used?

A.kubectl auth can-i --list --as=system:serviceaccount:staging:app-sa

B.kubectl get serviceaccount app-sa -n staging

C.kubectl create rolebinding --serviceaccount=staging:app-sa

D.kubectl config set-context --current --user=app-sa

Explanation: The "kubectl auth can-i --list" command lists all permissions for a specified user or service account. To impersonate a service account, use the --as flag with the format "system:serviceaccount:namespace:serviceaccount-name". The other commands do not test permissions: "get serviceaccount" retrieves the SA definition, "create rolebinding" creates a binding, and "config set-context" changes the kubectl context.

4Which command initializes a Kubernetes control plane using kubeadm with a specific pod network CIDR of 10.244.0.0/16?

A.kubeadm join --pod-network-cidr=10.244.0.0/16

B.kubeadm init --pod-network-cidr=10.244.0.0/16

C.kubeadm reset --pod-network-cidr=10.244.0.0/16

D.kubeadm upgrade --pod-network-cidr=10.244.0.0/16

Explanation: "kubeadm init" initializes a Kubernetes control plane on the current node. The --pod-network-cidr flag specifies the pod IP address range, which is required for certain CNI plugins like Flannel. "kubeadm join" adds worker nodes, "kubeadm reset" removes cluster configuration, and "kubeadm upgrade" upgrades the cluster version.

5After running "kubeadm init", where is the kubeconfig file for cluster administration placed by default?

A./root/.kube/config

B./etc/kubernetes/kubeconfig

C./var/lib/kubelet/kubeconfig

D./etc/kubernetes/admin.conf

Explanation: By default, kubeadm init creates the admin kubeconfig at /etc/kubernetes/admin.conf. The output of kubeadm init instructs you to copy this file to ~/.kube/config for the current user or set the KUBECONFIG environment variable. The other paths are either incorrect or used for different purposes.

6A worker node needs to join an existing cluster. Which information from the control plane is required for the kubeadm join command?

A.Only the API server IP address

B.The API server address and a valid bootstrap token

C.The etcd backup file path

D.The kubeconfig file for the cluster

Explanation: The "kubeadm join" command requires the API server address and a valid bootstrap token. The token can be generated with "kubeadm token create" on the control plane. The token authenticates the joining node and provides necessary cluster information. The API server IP alone is insufficient, etcd backups are for recovery, and the admin kubeconfig is not used for node joining.

7In a highly available Kubernetes cluster with stacked etcd topology, how many control plane nodes are required to maintain quorum during a failure?

A.1 control plane node

B.2 control plane nodes

C.3 control plane nodes with 1 failure

D.5 control plane nodes with 2 failures

Explanation: In a stacked etcd topology, etcd runs on the control plane nodes. With 3 control plane nodes, etcd has 3 members. Quorum requires (n/2)+1 members, so with 3 nodes, quorum is 2. If 1 node fails, 2 remain and quorum is maintained. With only 2 nodes, quorum would be 2, so any failure would break quorum.

8Which component is responsible for distributing API server traffic across multiple control plane nodes in a highly available cluster?

A.kube-scheduler

B.kube-controller-manager

C.External load balancer

D.etcd cluster

Explanation: An external load balancer (such as HAProxy, nginx, or cloud provider LB) distributes API server traffic across multiple control plane nodes. The kube-scheduler schedules pods, kube-controller-manager runs controllers, and etcd stores cluster state—none of these distribute API traffic.

9When upgrading a Kubernetes cluster using kubeadm from version 1.29 to 1.30, what is the correct upgrade sequence?

A.Upgrade control plane first, then worker nodes

B.Upgrade worker nodes first, then control plane

C.Upgrade all nodes simultaneously

D.Upgrade etcd first, then control plane, then workers

Explanation: The recommended upgrade sequence is: 1) Upgrade control plane nodes first (master/control plane), 2) Then upgrade worker nodes. The control plane must be at the same version or newer than worker nodes. Worker nodes can be at most 2 minor versions behind the control plane, but upgrading control plane first ensures compatibility.

10Which command upgrades kubeadm itself to a specific version (e.g., 1.30.0-1.1) on a Debian/Ubuntu system?

A.kubeadm upgrade apply v1.30.0

B.apt-mark hold kubeadm && apt-get update

C.apt-get update && apt-get install -y kubeadm=1.30.0-1.1

D.kubeadm upgrade node --kubelet-version=1.30.0

Explanation: On Debian/Ubuntu, use apt-get to upgrade the kubeadm package: "apt-get install -y kubeadm=1.30.0-1.1". After upgrading kubeadm, you run "kubeadm upgrade apply" to upgrade the cluster. The apt-mark hold command prevents upgrades, and "kubeadm upgrade node" upgrades a worker node after kubeadm is updated.

About the CKA Exam

The CKA is a performance-based certification that validates skills in Kubernetes cluster administration. The exam tests hands-on ability to deploy, configure, manage, and troubleshoot Kubernetes clusters in real-world scenarios using the command line.

Questions

17 scored questions

Time Limit

2 hours

Passing Score

66%

Exam Fee

$395 (Cloud Native Computing Foundation (CNCF) / Linux Foundation)

CKA Exam Content Outline

25%

Cluster Architecture, Installation & Configuration

Manage RBAC, install clusters with kubeadm, manage HA clusters, perform upgrades, backup/restore etcd

15%

Workloads & Scheduling

Deployments, rolling updates, ConfigMaps, Secrets, scaling, resource limits, pod scheduling, DaemonSets

20%

Services & Networking

Services (ClusterIP, NodePort, LoadBalancer), NetworkPolicies, Ingress, CoreDNS, CNI plugins

10%

Storage

PersistentVolumes, PersistentVolumeClaims, StorageClasses, volume modes, access modes, dynamic provisioning

30%

Troubleshooting

Cluster troubleshooting, application failures, network issues, logging, monitoring, node problems

How to Pass the CKA Exam

What You Need to Know

Passing score: 66%
Exam length: 17 questions
Time limit: 2 hours
Exam fee: $395

Keys to Passing

Complete 500+ practice questions
Score 80%+ consistently before scheduling
Focus on highest-weighted sections
Use our AI tutor for tough concepts

CKA Study Tips from Top Performers

1Master kubectl imperative commands — they save time during the exam: kubectl run, kubectl create, kubectl expose, kubectl scale

2Focus on Troubleshooting (30%) — practice systematic debugging: check pod status, describe resources, view logs, exec into containers

3Study Cluster Architecture (25%) — understand kubeadm, RBAC, etcd backup/restore, and cluster upgrades

4Practice etcd backup and restore — this is a high-value task that appears frequently

5Learn NetworkPolicies — understand default-deny patterns and selective allow rules

6Complete 200+ hands-on practice tasks under time pressure — speed is critical

7Use the official Kubernetes documentation effectively — bookmark key pages before the exam

Frequently Asked Questions

What is the CKA pass rate?

CNCF does not officially publish CKA pass rates. Industry estimates suggest a 60-65% first-attempt pass rate. The exam is challenging because it is entirely hands-on—candidates must solve real Kubernetes problems in a live cluster environment. The passing score is 66%, and candidates who prepare thoroughly with hands-on practice typically pass on their first or second attempt.

How many questions are on the CKA exam?

The CKA exam contains 15-20 performance-based tasks (the exact number varies). Unlike multiple-choice exams, each task requires you to perform actions in a real Kubernetes cluster using the command line. Tasks have different weightings (percentages) displayed during the exam. The exam is 2 hours long.

What is the CKA exam format?

The CKA is a performance-based, hands-on exam conducted in a browser-based terminal environment. You are given access to multiple Kubernetes clusters and must complete tasks using kubectl and by writing YAML manifests. The exam is proctored remotely. You are allowed to use the official Kubernetes documentation (kubernetes.io/docs) during the exam.

How long should I study for CKA?

Plan for 80-120 hours of hands-on study over 4-8 weeks. The CKA requires practical experience—you cannot pass by memorizing theory. Key preparation: 1) Set up a practice cluster (minikube, kind, or cloud), 2) Complete all tasks in the CKA curriculum multiple times, 3) Practice with kubectl imperative commands for speed, 4) Take timed practice exams, 5) Master troubleshooting workflows. Focus on Troubleshooting (30%) and Cluster Architecture (25%)—together they are 55% of the exam.

What changed in the CKA 2025/2026 exam?

The CKA exam was updated to Kubernetes v1.34 (as of early 2026). Key changes include: Updated for newer Kubernetes features, Gateway API added to the Services & Networking domain, improved exam environment with better terminal and IDE-like editor. Always check the official CNCF CKA curriculum for the most current information.

Is CKA worth it in 2026?

Yes — CKA remains the gold standard for Kubernetes administration. Kubernetes is the dominant container orchestration platform, and CKA-certified professionals are in high demand. Cloud-native roles (DevOps, Platform Engineering, SRE) often require or prefer CKA. According to industry data, CKA-certified professionals earn 15-25% more than non-certified peers in similar roles. The certification is valid for 2 years and requires recertification.